[146440] in North American Network Operators' Group
Re: Arguing against using public IP space
daemon@ATHENA.MIT.EDU (Doug Barton)
Sun Nov 13 16:49:49 2011
Date: Sun, 13 Nov 2011 13:48:32 -0800
From: Doug Barton <dougb@dougbarton.us>
To: Phil Regnauld <regnauld@nsrc.org>
In-Reply-To: <20111113212756.GD73635@macbook.bluepipe.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 11/13/2011 13:27, Phil Regnauld wrote:
> That's not exactly correct. NAT doesn't imply firewalling/filtering.
> To illustrate this to customers, I've mounted attacks/scans on
> hosts behind NAT devices, from the interconnect network immediately
> outside: if you can point a route with the ext ip of the NAT device
> as the next hop, it usually just forwards the packets...
Have you written this up anywhere? It would be absolutely awesome to be
able to point the "NAT IS A SECURITY FEATURE!!!" crowd to an actual
demonstration of why it isn't.
Doug
--
"We could put the whole Internet into a book."
"Too practical."
Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
