[136568] in North American Network Operators' Group


Re: Failure modes: NAT vs SPI

daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Thu Feb 3 14:48:39 2011

From: Iljitsch van Beijnum <iljitsch@muada.com>
In-Reply-To: <13040078.4555.1296760192315.JavaMail.root@benjamin.baylink.com>
Date: Thu, 3 Feb 2011 20:47:48 +0100
To: Jay Ashworth <jra@baylink.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 3 feb 2011, at 20:09, Jay Ashworth wrote:

> That's the expansion of "fails safe".

You conveniently overlook my earlier message about this.

But sure, let's assume that at some point, some packets from the outside manage to pass through to the inside in the IPv6 case. So how does anyone know where to send these packets in the first place? And if they do, what bad effects exactly do packets coming from the outside have? Ping of death has been fixed a loooong time ago.

And you assume that NATs block packets very well. They don't. First of all, there's uPNP IGD and NAT-PMP. Depending on the type of NAT, the bindings are quite loose and allow lots of additional packets that don't belong to the NATed sessions in. After all, NATs only break incoming sessions by accident. Firewalls do this on purpose, so they do a much better job.

If you really want to be safe, you should completely disconnect your network. Or at the very least not run any code, such as javascript and java, that comes in over the network. This is one of the biggest sources of real-world infections. Incoming packets haven't been since about the slammer worm era.
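The "bindings are quite loose" point above is about NAT filtering behaviour, which RFC 4787 classifies as endpoint-independent, address-dependent, or address-and-port-dependent. The following toy model is an added illustration, not code from this thread or from any NAT or firewall product: it sends one outbound query through a NAT of each filtering type and through a stateful packet-inspection firewall guarding a host with a global address, then checks which constructed unsolicited inbound packets each one forwards. All addresses, ports and probe packets are constructed sample values; uPnP IGD and NAT-PMP, which open further holes on request, are not modelled.

```python
"""Toy model of NAT filtering behaviour (RFC 4787 terminology) next to a
stateful packet-inspection firewall, showing which unsolicited inbound
packets each forwards to the inside host after a single outbound flow.
Constructed illustration; not code from the NANOG thread or any product."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Endpoint = Tuple[str, int]  # (IP address, UDP/TCP port)

FILTERING_MODES = (
    "endpoint-independent",        # anything aimed at the mapped port gets in
    "address-dependent",           # any port of a host the inside already talked to
    "address-and-port-dependent",  # only the exact external endpoint already contacted
)

# Constructed sample addresses from the RFC 5737 documentation ranges.
INSIDE: Endpoint = ("192.0.2.10", 5000)
SERVER: Endpoint = ("198.51.100.1", 53)
PUBLIC_IP = "203.0.113.1"


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint


class Nat:
    """NAT with endpoint-independent mapping and a selectable filtering policy."""

    def __init__(self, public_ip: str, filtering: str) -> None:
        if filtering not in FILTERING_MODES:
            raise ValueError(f"unknown filtering mode: {filtering}")
        self.public_ip = public_ip
        self.filtering = filtering
        self.next_port = 40000
        self.mapping: Dict[Endpoint, int] = {}     # inside endpoint -> public port
        self.inside_for: Dict[int, Endpoint] = {}  # public port -> inside endpoint
        self.peers: Dict[int, Set[Endpoint]] = {}  # public port -> external endpoints contacted

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet, creating a mapping on first use."""
        if pkt.src not in self.mapping:
            port = self.next_port
            self.next_port += 1
            self.mapping[pkt.src] = port
            self.inside_for[port] = pkt.src
            self.peers[port] = set()
        port = self.mapping[pkt.src]
        self.peers[port].add(pkt.dst)
        return Packet((self.public_ip, port), pkt.dst)

    def inbound(self, pkt: Packet) -> bool:
        """True if the NAT forwards an outside->inside packet to the inside host."""
        ip, port = pkt.dst
        if ip != self.public_ip or port not in self.inside_for:
            return False  # no mapping at all: the only case every NAT type drops
        contacted = self.peers[port]
        if self.filtering == "endpoint-independent":
            return True
        if self.filtering == "address-dependent":
            return any(peer[0] == pkt.src[0] for peer in contacted)
        return pkt.src in contacted


class StatefulFirewall:
    """SPI firewall in front of a host with a global address (no translation):
    an inbound packet is admitted only if it reverses an established flow."""

    def __init__(self) -> None:
        self.flows: Set[Tuple[Endpoint, Endpoint]] = set()

    def outbound(self, pkt: Packet) -> None:
        self.flows.add((pkt.src, pkt.dst))

    def inbound(self, pkt: Packet) -> bool:
        return (pkt.dst, pkt.src) in self.flows


def probes_for(target: Endpoint) -> Dict[str, Packet]:
    """Constructed inbound packets aimed at the inside host's externally visible endpoint."""
    return {
        "reply from server": Packet(SERVER, target),
        "same host, other port": Packet((SERVER[0], 9999), target),
        "unrelated host": Packet(("203.0.113.7", 53), target),
    }


def nat_admits(filtering: str) -> List[str]:
    """Labels of the probes a NAT with this filtering policy lets in after one outbound query."""
    nat = Nat(PUBLIC_IP, filtering)
    translated = nat.outbound(Packet(INSIDE, SERVER))
    return [label for label, p in probes_for(translated.src).items() if nat.inbound(p)]


def firewall_admits() -> List[str]:
    """Labels of the probes a stateful firewall lets in after the same outbound query."""
    fw = StatefulFirewall()
    fw.outbound(Packet(INSIDE, SERVER))
    return [label for label, p in probes_for(INSIDE).items() if fw.inbound(p)]


if __name__ == "__main__":
    for mode in FILTERING_MODES:
        print(f"NAT ({mode}): admits {nat_admits(mode)}")
    print(f"stateful firewall: admits {firewall_admits()}")
```

Only the address-and-port-dependent NAT matches the firewall's exact-flow behaviour; an endpoint-independent NAT forwards every probe aimed at the mapped port, which is the "loose bindings" case. When auditing a CPE device, the RFC 4787 filtering type it implements (plus whether uPnP IGD or NAT-PMP are enabled) is therefore the property to check, rather than assuming "behind NAT" means "unreachable".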