[130961] in North American Network Operators' Group
Re: Only 5x IPv4 /8 remaining at IANA
daemon@ATHENA.MIT.EDU (Owen DeLong)
Mon Oct 18 15:14:22 2010
From: Owen DeLong <owen@delong.com>
In-Reply-To: <CMM.0.91.0.1287426380.bygg@nic.cafax.se>
Date: Mon, 18 Oct 2010 12:05:16 -0700
To: Johnny Eriksson <bygg@cafax.se>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Oct 18, 2010, at 12:26 PM, Johnny Eriksson wrote:
> "Tony Hain" <alh-ietf@tndh.net> wrote:
> 
>> Actually nat does something for security, it decimates it. Any 'real'
>> security system (physical, technology, ...) includes some form of audit
>> trail. NAT explicitly breaks any form of audit trail, unless you are the one
>> operating the header mangling device. Given that there is no limit to the
>> number of nat devices along a path, there can be no limit to the number of
>> people operating them. This means there is no audit trail, and therefore NO
>> SECURITY.
> 
> So an audit trail implies security? I don't agree. It may make post-mortem
> analysis easier, though.
> 
An audit trail improves security because post-mortem analysis of breaches
is an important tool in improving security.
> Does end-to-end crypto break security? Which security? The security of
> the endpoints or the security of someone else who cannot now audit the
> communication in question fully?
> 
No, end-to-end crypto does not, by itself, break security. Arguably, end-to-end
crypto MAY bypass security in some environments, but those environments
do have controls available to disable end-to-end crypto.
Owen
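The point argued in the thread above, that a NAT'd address can only be traced back to an endpoint by whoever operates each translating device, and that the trail is only as good as the time-stamped logs those operators keep, can be made concrete with a small correlation script. The following is an added example, not code from the original post or from any NANOG participant. The log format, the operator names and every address and timestamp in it are constructed for illustration; real NAT devices log in vendor-specific formats.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample translation logs (made up for this example; not real data
# and not any vendor's format). One log per NAT operator along the path: the
# ISP's carrier-grade NAT and the customer's own router. Each line reads:
#   <start> <end> <proto> <inside ip:port> <outside ip:port>
ISP_CGN_LOG = """\
2010-10-18T19:00:00Z 2010-10-18T19:10:00Z tcp 100.64.1.7:20001 203.0.113.5:40001
2010-10-18T19:00:30Z 2010-10-18T19:02:00Z tcp 100.64.1.9:20002 203.0.113.5:40002
"""
CUSTOMER_NAT_LOG = """\
2010-10-18T19:00:00Z 2010-10-18T19:10:00Z tcp 192.168.1.10:51234 100.64.1.7:20001
2010-10-18T18:00:00Z 2010-10-18T18:30:00Z tcp 192.168.1.11:51000 100.64.1.7:20001
"""

# Address ranges that are themselves translated (RFC 1918 private space and the
# RFC 6598 shared space used behind carrier-grade NAT): landing on one of these
# means yet another operator's log is needed to reach an endpoint.
NAT_SPACE = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


@dataclass(frozen=True)
class Translation:
    start: datetime
    end: datetime
    proto: str
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int


_LINE = re.compile(
    r"^(\S+) (\S+) (\w+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def parse_ts(text: str) -> datetime:
    """Parse the constructed log's UTC timestamp into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_nat_log(text: str) -> list:
    """Turn one operator's log text into Translation records; reject junk lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable NAT log line: {line!r}")
        start, end, proto, iip, iport, oip, oport = m.groups()
        entries.append(Translation(parse_ts(start), parse_ts(end), proto,
                                   iip, int(iport), oip, int(oport)))
    return entries


def lookup(entries, when, proto, outside_ip, outside_port):
    """Inside (ip, port) that held outside_ip:outside_port at time `when`, or None.

    The timestamp is essential: outside ports are reused, so the same
    outside tuple maps to different hosts at different times."""
    hits = [e for e in entries
            if e.proto == proto and e.outside_ip == outside_ip
            and e.outside_port == outside_port and e.start <= when <= e.end]
    if len(hits) > 1:
        raise ValueError("overlapping translations: this log is not a usable audit trail")
    return (hits[0].inside_ip, hits[0].inside_port) if hits else None


def still_translated(ip: str) -> bool:
    """True if `ip` sits in private/shared space, i.e. behind yet another NAT."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NAT_SPACE)


def trace_back(when, proto, ip, port, logs_by_operator):
    """Walk an observed address back through every NAT whose log we hold.

    logs_by_operator is ordered outermost to innermost. Each hop is
    (operator, inside_ip, inside_port); a hop with None addresses marks where
    the trail went cold because that operator's log has no matching entry."""
    hops = []
    for operator, entries in logs_by_operator:
        inside = lookup(entries, when, proto, ip, port)
        if inside is None:
            hops.append((operator, None, None))
            break
        ip, port = inside
        hops.append((operator, ip, port))
    return hops


if __name__ == "__main__":
    isp = parse_nat_log(ISP_CGN_LOG)
    cust = parse_nat_log(CUSTOMER_NAT_LOG)
    seen = parse_ts("2010-10-18T19:05:16Z")
    # Holding only the ISP's log ends in shared space: attribution stops there.
    partial = trace_back(seen, "tcp", "203.0.113.5", 40001, [("isp", isp)])
    print(partial, "needs another operator:", still_translated(partial[-1][1]))
    # Holding both operators' logs reaches the customer's internal host.
    print(trace_back(seen, "tcp", "203.0.113.5", 40001, [("isp", isp), ("customer", cust)]))
```

The two runs at the bottom show the asymmetry the thread is arguing about: with only the carrier-grade NAT log, the chain ends at a shared-space address and the investigator depends on a second operator; with both logs, it reaches a specific inside host. The second customer entry reuses port 20001 an hour earlier for a different host, which is why `lookup` refuses to answer without a timestamp and raises when two translations overlap.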