[190060] in North American Network Operators' Group


Re: Netflix banning HE tunnels

daemon@ATHENA.MIT.EDU (Ricky Beam)
Tue Jun 14 14:57:45 2016

X-Original-To: nanog@nanog.org
To: "Owen DeLong" <owen@delong.com>
Date: Tue, 14 Jun 2016 14:57:40 -0400
From: "Ricky Beam" <jfbeam@gmail.com>
In-Reply-To: <3D30DC0D-0279-46C0-97FF-8237FB613B88@delong.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Sun, 12 Jun 2016 19:47:18 -0400, Owen DeLong <owen@delong.com> wrote:
>> NAT may not be security, yet it's the only thing securing billions of people.
>
> Nope… NAT Can’t be done without stateful inspection.

Negative.
- 1:1 NAT (inside address A == outside address B) requires no state of any kind.
- Connection Tracking is not stateful inspection
- NAT Helpers / ALG / etc. (things that look for embedded addresses) aren't "stateful inspection"

The only "security" one gets from NAT comes from the lack of outside visibility through the NAT. An outside host cannot initiate a connection to any specific inside host of their choosing.

I've seen many "IPv6 Capable" CPEs that apply ZERO security to IPv6 traffic. IPv4 goes through NAT, so one gets the pseudo-security of not being directly touchable from the internet.
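As an added illustration of the distinction drawn in the message above (example code written for this archive page, not from the thread or any CPE vendor): a toy model of 1:1 NAT, which translates statelessly in both directions, beside a port-overloading NAT whose only "protection" is that an unsolicited inbound packet has no mapping to follow. Addresses and ports are constructed from documentation ranges; the class and method names are this example's own.

```python
# Added example, not from the NANOG thread: two NAT styles modelled as
# plain packet rewriters, to show where the "security" of NAT comes from.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str  # "ip:port"
    dst: str  # "ip:port"


class OneToOneNat:
    """1:1 NAT: a fixed inside<->outside address pair. No state of any kind."""

    def __init__(self, inside_ip, outside_ip):
        self.inside_ip, self.outside_ip = inside_ip, outside_ip

    def outbound(self, pkt):
        ip, port = pkt.src.split(":")
        return Packet(f"{self.outside_ip}:{port}", pkt.dst) if ip == self.inside_ip else None

    def inbound(self, pkt):
        ip, port = pkt.dst.split(":")
        # Any outside host reaches the inside host directly: no mapping is needed,
        # so 1:1 NAT gives none of the "not directly touchable" effect.
        return Packet(pkt.src, f"{self.inside_ip}:{port}") if ip == self.outside_ip else None


class PortOverloadNat:
    """Many-to-one NAT (NAPT). Outbound traffic creates a mapping; inbound is
    delivered only when a mapping exists. That is connection tracking, not
    inspection of what the packet carries."""

    def __init__(self, outside_ip):
        self.outside_ip = outside_ip
        self.table = {}  # (outside_port, remote "ip:port") -> inside "ip:port"
        self.next_port = 40000  # constructed starting port for new mappings

    def outbound(self, pkt):
        key = next((k for k, v in self.table.items() if v == pkt.src and k[1] == pkt.dst), None)
        if key is None:  # first packet of this flow: allocate a mapping
            key = (self.next_port, pkt.dst)
            self.next_port += 1
            self.table[key] = pkt.src
        return Packet(f"{self.outside_ip}:{key[0]}", pkt.dst)

    def inbound(self, pkt):
        ip, port = pkt.dst.split(":")
        inside = self.table.get((int(port), pkt.src))
        if ip != self.outside_ip or inside is None:
            return None  # unsolicited: no mapping, so there is nowhere to deliver it
        return Packet(pkt.src, inside)
```

An IPv6 path with no NAT behaves like the 1:1 case: every inside host is reachable unless the CPE adds an explicit stateful filter that drops inbound flows it did not see initiated from inside.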
