[146442] in North American Network Operators' Group
RE: Arguing against using public IP space
daemon@ATHENA.MIT.EDU (Chuck Church)
Sun Nov 13 17:43:54 2011
From: "Chuck Church" <chuckchurch@gmail.com>
To: "'Doug Barton'" <dougb@dougbarton.us>
In-Reply-To: <4EC03B30.2090007@dougbarton.us>
Date: Sun, 13 Nov 2011 17:43:46 -0500
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
When you all say NAT, are you implying PAT as well? 1 to 1 NAT really
provides no security. But with PAT, different story. Are there poor
implementations of PAT that don't enforce an exact port/address match for
the translation table? If the translation table isn't at fault, are the
'helpers' that allow ftp to work passively to blame?
Chuck
-----Original Message-----
From: Doug Barton [mailto:dougb@dougbarton.us]
Sent: Sunday, November 13, 2011 4:49 PM
To: Phil Regnauld
Cc: nanog@nanog.org
Subject: Re: Arguing against using public IP space
On 11/13/2011 13:27, Phil Regnauld wrote:
> That's not exactly correct. NAT doesn't imply firewalling/filtering.
> To illustrate this to customers, I've mounted attacks/scans on
> hosts behind NAT devices, from the interconnect network immediately
> outside: if you can point a route with the ext ip of the NAT device
> as the next hop, it usually just forwards the packets...
Have you written this up anywhere? It would be absolutely awesome to be able
to point the "NAT IS A SECURITY FEATURE!!!" crowd to an actual demonstration
of why it isn't.
Doug
--
"We could put the whole Internet into a book."
"Too practical."
Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
