[134779] in North American Network Operators' Group
Re: NIST IPv6 document
daemon@ATHENA.MIT.EDU (Jeff Kell)
Mon Jan 10 19:23:28 2011
Date: Mon, 10 Jan 2011 19:22:46 -0500
From: Jeff Kell <jeff-kell@utc.edu>
To: Owen DeLong <owen@delong.com>, NANOG <nanog@nanog.org>
In-Reply-To: <CDE9F6DD-E61C-4C13-84FE-5DAC4CA04A35@delong.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 1/10/2011 6:55 PM, Owen DeLong wrote:
> Nonetheless, NAT remains an opaque screen door at best.
>
> If the bad guy is behind the door, it helps hide him.
>
> If the bad guy is outside the door, the time it takes for his knife to cut through it is so small as to be meaningless.
For a "server" expected to be open to anyone, anywhere, anytime... yes.
Otherwise no.
NAT overload (many to 1), and 1-to-1 NAT with some timeout value both
serve to disconnect the potential targets from the network, absent any
static NAT or port mapping (for "servers").
RFC-1918 behind NAT ensures this (notwithstanding pivot attacks).
It is a decreasing risk, given the typical user initiated compromise of
today (click here to infect your computer), but a non-zero one.
The whole IPv6 / no-NAT philosophy of "always connected and always
directly addressable" eliminates this layer.
Jeff
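The reachability argument in the post above, as an added example that is not part of the thread: a constructed, simplified NAT table (overload / 1:1 with an idle timeout plus optional static mappings) showing that unsolicited inbound packets are dropped unless a live or static mapping exists. The `Nat` class, its method names and the sample addresses are assumptions of this example, not router code.

```python
# Constructed model of the argument in the post: dynamic NAT (overload or
# 1:1 with a timeout) only forwards inbound packets that match a live
# mapping; static mappings ("servers") are always exposed. Traffic between
# two inside hosts never crosses the NAT, which is the pivot-attack caveat.
from dataclasses import dataclass, field


@dataclass
class Nat:
    timeout: float                                  # idle seconds before a mapping dies
    static: dict = field(default_factory=dict)      # pub_port -> (inside_ip, inside_port)
    dynamic: dict = field(default_factory=dict)     # pub_port -> (inside_ip, inside_port, last_seen)
    next_port: int = 40000                          # next public port to hand out

    def outbound(self, src_ip, src_port, now):
        """Inside host initiates a flow: create or refresh its mapping."""
        for pub_port, (ip, port, _) in self.dynamic.items():
            if (ip, port) == (src_ip, src_port):
                self.dynamic[pub_port] = (ip, port, now)
                return pub_port
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.dynamic[pub_port] = (src_ip, src_port, now)
        return pub_port

    def inbound(self, dst_port, now):
        """Outside packet to our public dst_port: inside (ip, port) or None if dropped."""
        if dst_port in self.static:
            return self.static[dst_port]            # static mapping: always reachable
        entry = self.dynamic.get(dst_port)
        if entry is None:
            return None                             # no mapping: target is unreachable
        ip, port, last_seen = entry
        if now - last_seen > self.timeout:
            del self.dynamic[dst_port]              # idle timeout: disconnected again
            return None
        return (ip, port)


def scenario():
    """Walk through the cases the post distinguishes (constructed addresses)."""
    nat = Nat(timeout=300, static={443: ("10.0.0.5", 443)})
    r = {"unsolicited": nat.inbound(40000, now=0)}   # None: nothing mapped yet
    pub = nat.outbound("10.0.0.7", 51000, now=10)     # inside client goes out
    r["reply"] = nat.inbound(pub, now=20)             # ("10.0.0.7", 51000): live mapping
    r["after_timeout"] = nat.inbound(pub, now=400)    # None: mapping expired
    r["server"] = nat.inbound(443, now=400)           # ("10.0.0.5", 443): static, exposed
    return r
```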