[146447] in North American Network Operators' Group
Re: Arguing against using public IP space
daemon@ATHENA.MIT.EDU (Jay Ashworth)
Sun Nov 13 18:36:41 2011
Date: Sun, 13 Nov 2011 18:36:31 -0500 (EST)
From: Jay Ashworth <jra@baylink.com>
To: NANOG <nanog@nanog.org>
In-Reply-To: <4EC03B30.2090007@dougbarton.us>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
---- Original Message -----
> From: "Doug Barton" <dougb@dougbarton.us>
> On 11/13/2011 13:27, Phil Regnauld wrote:
> > That's not exactly correct. NAT doesn't imply
> > firewalling/filtering.
> > To illustrate this to customers, I've mounted attacks/scans on
> > hosts behind NAT devices, from the interconnect network immediately
> > outside: if you can point a route with the ext ip of the NAT device
> > as the next hop, it usually just forwards the packets...
>
> Have you written this up anywhere? It would be absolutely awesome to
> be able to point the "NAT IS A SECURITY FEATURE!!!" crowd to an actual
> demonstration of why it isn't.
Accepting strict source routing from a public interface is certainly in the
top 10 Worst Common Practices, is it not? (IE: I would be surprised if *any*
current router actually let you do that.)
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
