[189997] in North American Network Operators' Group
Re: Netflix banning HE tunnels
daemon@ATHENA.MIT.EDU (Owen DeLong)
Sun Jun 12 19:47:25 2016
X-Original-To: nanog@nanog.org
From: Owen DeLong <owen@delong.com>
In-Reply-To: <op.yitmh702tfhldh@rbeam.xactional.com>
Date: Sun, 12 Jun 2016 16:47:18 -0700
To: Ricky Beam <jfbeam@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
> On Jun 9, 2016, at 19:57 , Ricky Beam <jfbeam@gmail.com> wrote:
>
> On Thu, 09 Jun 2016 21:41:05 -0400, Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
>
>> Then he reads on NANOG that since he has IPv6
>> he can just connect to the camera with that.
> ...
>
> Only to find the built-in stateful firewall blocks unsolicited inbound connections. Now he has to figure out how to manipulate ACLs. Or (more likely) he turns that "pesky firewall" off. (followed by the eventual hacking of every device he owns.)
>
> NAT may not be security, yet it's the only thing securing billions of people.

Nope… NAT can’t be done without stateful inspection. You can stop mangling the packet headers and leave the stateful inspection in place and still have the same exact protection.

I realize most people have a hard time separating NAT from stateful inspection because most people got them both in the same package at the same time. Further, most boxes implement NAT and stateful inspection in the same chunk of code, making it look even more like a single transaction.

However, conceptually they are two different things. Stateful inspection is what actually protects you.

NAT is simply the part where you mutilate the packet header in unnatural ways.

Owen
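As an added example that is not part of this thread, a small Python model of the distinction Owen draws: one class does stateful inspection alone (packets forwarded with headers untouched, as on IPv6), a subclass adds NAT44 header rewriting on top of the same state table, and both drop exactly the same unsolicited inbound packets. The addresses and the port allocation in it are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Connection tracking only: admit inbound packets that match a flow opened from inside."""

    def __init__(self):
        self.flows = set()  # (inside_ip, inside_port, remote_ip, remote_port)

    def outbound(self, pkt):
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt  # forwarded with headers untouched (the IPv6 case)

    def inbound(self, pkt):
        # Reverse the tuple: is this the return leg of a flow we opened?
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return pkt
        return None  # unsolicited: dropped


class NatFilter(StatefulFilter):
    """Same state table plus NAT44 header rewriting; the drop decision is unchanged."""

    def __init__(self, public_ip, first_port=40000):
        super().__init__()
        self.public_ip = public_ip
        self.next_port = first_port  # constructed, sequential port allocation
        self.mapping = {}  # public_port -> (inside_ip, inside_port)

    def outbound(self, pkt):
        super().outbound(pkt)  # record the flow exactly as the plain filter does
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.mapping[pub_port] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport)  # mangled header

    def inbound(self, pkt):
        inside = self.mapping.get(pkt.dport)
        if inside is None:
            return None  # no mapping at all: nothing to translate to
        # Undo the translation, then apply the very same stateful check.
        return super().inbound(Packet(pkt.src, pkt.sport, inside[0], inside[1]))
```

Note that even a packet aimed at a live NAT mapping from the wrong remote host is dropped by the inherited flow check, not by the translation itself.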