[135047] in North American Network Operators' Group
Re: Is NAT can provide some kind of protection?
daemon@ATHENA.MIT.EDU (Brian Keefer)
Sat Jan 15 16:17:41 2011
From: Brian Keefer <chort@smtps.net>
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0BC132F6@RWC-EX1.corp.seven.com>
Date: Sat, 15 Jan 2011 13:16:14 -0800
To: George Bonser <gbonser@seven.com>, NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 12, 2011, at 9:21 AM, George Bonser wrote:
>>
>> I'd eat a hat if a vendor didn't implement a PAT equivalent. It's
>> demanded too much. There is money for it, so it will be there.
>>
>> Jack
>
> Yeah, I think you are right. But in really thinking about it, I wonder
> why. The whole point of PAT was address conservation. You don't need
> that with v6. All you need to do with v6 is basically have what amounts
> to a firewall in transparent mode in the line that doesn't let a packet
> in (except where explicitly configured to) unless it is associated with a
> packet that went out.
>
> PAT makes little sense to me for v6, but I suspect you are correct. In
> addition, we are putting the "fire suit" on each host in addition to the
> firewall. Kernel firewall rules on each host for the *nix boxen.
Actually there are a couple of very compelling reasons why PAT will probably be implemented for IPv6:

1.) Allows you to redirect a privileged port (on UNIX) to a non-privileged port. For daemons that don't implement some form of privilege revoking after binding to a low port (and/or aren't allowed to run as root), this is very useful. It's much easier to have a firewall redirect than to implement robust privilege revoking. Example: PAT 25/tcp -> 2525/tcp.

2.) Allows you to redirect multiple ports to a single one, to support legacy implementations. Suppose your application used to require separate ports for different types of requests, but now is able to multiplex them. The new daemon only listens on one port, but other applications may not have updated their configuration. Example: PAT 4443/tcp -> 443/tcp & PAT 8443/tcp -> 443/tcp.

Basically the idea is that implementing PAT for IPv6 allows a smoother transition for apps that made use of it in IPv4, thus accelerating the adoption of IPv6.
--
bk
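The two redirects Brian describes (25/tcp -> 2525/tcp, and 4443/tcp and 8443/tcp -> 443/tcp), written as an IPv6 nftables ruleset for a host-based firewall. This is an added example, not code from the post or from any vendor; it assumes a Linux host with nftables and a kernel that supports NAT in the ip6 family, and the interface name eth0 is a placeholder.

```nft
# Port redirection (PAT) for IPv6 on the local host, plus the "transparent
# firewall" stance from the thread: nothing comes in unless it is a reply
# to something that went out, or explicitly allowed below.
flush ruleset

table ip6 nat {
    chain prerouting {
        # priority -100 is the conventional dstnat slot
        type nat hook prerouting priority -100; policy accept;

        # 1.) privileged port -> non-privileged port, so the MTA can bind
        #     2525 without root and without needing privilege revocation
        iifname "eth0" tcp dport 25 redirect to :2525

        # 2.) legacy per-request-type ports -> single multiplexed port
        iifname "eth0" tcp dport { 4443, 8443 } redirect to :443
    }
}

table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif "lo" accept
        # ICMPv6 is required for neighbor discovery and path MTU discovery
        meta l4proto ipv6-icmp accept

        # The input hook runs after prerouting NAT, so these rules see the
        # rewritten destination port.
        # 443 is the real service port: allow it directly as well as via
        # the legacy-port redirects.
        iifname "eth0" tcp dport 443 ct state new accept
        # 2525 is only an implementation detail: admit it solely for
        # connections that arrived on port 25 and were redirected, so the
        # unprivileged port is not a second, directly reachable entry point.
        iifname "eth0" tcp dport 2525 ct state new ct status dnat accept
    }
}
```

Load it with `nft -f <file>` and confirm the mapping with `nft list ruleset` and `conntrack -L` while a test connection to port 25 is open; a direct connection to 2525 from eth0 should be dropped.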