[146443] in North American Network Operators' Group


Re: Arguing against using public IP space

daemon@ATHENA.MIT.EDU (Phil Regnauld)
Sun Nov 13 17:47:36 2011

Date: Sun, 13 Nov 2011 23:46:31 +0100
From: Phil Regnauld <regnauld@nsrc.org>
To: Doug Barton <dougb@dougbarton.us>
In-Reply-To: <4EC03B30.2090007@dougbarton.us>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Doug Barton (dougb) writes:
> On 11/13/2011 13:27, Phil Regnauld wrote:
> > 	That's not exactly correct. NAT doesn't imply firewalling/filtering.
> > 	To illustrate this to customers, I've mounted attacks/scans on
> > 	hosts behind NAT devices, from the interconnect network immediately
> > 	outside: if you can point a route with the ext ip of the NAT device
> > 	as the next hop, it usually just forwards the packets...
> 
> Have you written this up anywhere? It would be absolutely awesome to be
> able to point the "NAT IS A SECURITY FEATURE!!!" crowd to an actual
> demonstration of why it isn't.

	Nope, but I could do a quick tut on how to do this against a natd/pf/
	iptables or IOS with IP overload.

	Arguably in *most* cases your CPE or whatever is NATing is behind
	some upstream device doing ingress filtering, so you still need to
	be compromising a device fairly close to the target network.

	P.
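To make the point in this exchange concrete, here is a small model of the forwarding path of a box that only does source NAT, beside the same box with a forward-chain ingress filter. This is an added example, not part of the original message and not code from natd, pf, iptables or IOS; the interfaces, the 203.0.113.0/24 interconnect, the 192.168.1.0/24 LAN and the packets are all constructed, and the connection-tracking table is simplified to a port-keyed dictionary.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (documentation address ranges, not from the post):
#   adjacent host 203.0.113.5 -- interconnect 203.0.113.0/24 -- NAT box
#   NAT box: eth0 (external) 203.0.113.1, eth1 (internal) 192.168.1.1/24
EXT_IF, INT_IF = "eth0", "eth1"
NAT_EXT_IP = ip_address("203.0.113.1")
INTERNAL = ip_network("192.168.1.0/24")

# A packet is a dict: in_if, src, sport, dst, dport.
# A verdict is (action, out_if, new_dst, new_dport).


def route(dst):
    """Plain routing table: the internal prefix is out eth1, all else out eth0."""
    return INT_IF if dst in INTERNAL else EXT_IF


def snat_outbound(pkt, conntrack):
    """Outbound flow: record the translation, rewrite the source to the ext IP."""
    key = (str(NAT_EXT_IP), pkt["sport"])          # simplification: port kept as-is
    conntrack[key] = (pkt["src"], pkt["sport"])
    return ("FORWARD", EXT_IF, str(NAT_EXT_IP), pkt["sport"])


def nat_only(pkt, conntrack):
    """Box doing IP overload / MASQUERADE and nothing else.

    Only packets addressed to the external IP are looked up in the
    translation table. Any other packet follows the routing table, so a
    packet that arrived on eth0 but is addressed to 192.168.1.x is simply
    forwarded to eth1. That is the behaviour the post describes.
    """
    dst = ip_address(pkt["dst"])
    if pkt["in_if"] == INT_IF and route(dst) == EXT_IF:
        return snat_outbound(pkt, conntrack)
    if pkt["in_if"] == EXT_IF and dst == NAT_EXT_IP:
        key = (str(dst), pkt["dport"])
        if key in conntrack:
            int_ip, int_port = conntrack[key]
            return ("FORWARD", INT_IF, int_ip, int_port)
        return ("LOCAL", None, None, None)        # for the box itself, not forwarded
    return ("FORWARD", route(dst), str(dst), pkt["dport"])


def nat_with_filter(pkt, conntrack):
    """Same NAT, plus the ingress filter that NAT by itself does not give you:
    traffic arriving on the external interface is forwarded only when it is
    addressed to the box's own external IP and matches a translation."""
    dst = ip_address(pkt["dst"])
    if pkt["in_if"] == EXT_IF and dst != NAT_EXT_IP:
        return ("DROP", None, None, None)
    return nat_only(pkt, conntrack)


def demo():
    """Run three constructed packets through both boxes; returns the actions."""
    outbound = {"in_if": INT_IF, "src": "192.168.1.10", "sport": 40000,
                "dst": "198.51.100.7", "dport": 80}
    reply = {"in_if": EXT_IF, "src": "198.51.100.7", "sport": 80,
             "dst": str(NAT_EXT_IP), "dport": 40000}
    # Adjacent-network host holding a route for 192.168.1.0/24 via 203.0.113.1:
    # the packet reaches eth0 addressed straight to the LAN host.
    direct = {"in_if": EXT_IF, "src": "203.0.113.5", "sport": 55555,
              "dst": "192.168.1.10", "dport": 80}
    results = {}
    for name, box in (("nat_only", nat_only), ("nat_with_filter", nat_with_filter)):
        conntrack = {}
        results[name] = {
            "outbound": box(outbound, conntrack)[0],
            "reply": box(reply, conntrack)[0],
            "direct": box(direct, conntrack)[0],
        }
    return results


if __name__ == "__main__":
    for box, verdicts in demo().items():
        print(box, verdicts)
```

Both boxes translate the outbound flow and de-NAT its reply identically; they differ only on the packet addressed directly to the LAN host, which the NAT-only box forwards and the filtered box drops. On a Linux box the filtered behaviour is the usual `iptables -P FORWARD DROP` with an accept for `--ctstate ESTABLISHED,RELATED` on the external interface; as the message notes, in most deployments an upstream device's ingress filtering is what keeps such routed packets from ever reaching the CPE.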


