[41466] in North American Network Operators' Group


Re: Where NAT disenfranchises the end-user ...

daemon@ATHENA.MIT.EDU (Scott Gifford)
Mon Sep 10 15:01:40 2001

X-Delivered-To: nanog@merit.edu
To: Roeland Meyer <rmeyer@mhsc.com>
Cc: "'Jared Mauch'" <jared@puck.Nether.net>, Bob K <melange@yip.org>,
	"NANOG (E-mail)" <nanog@merit.edu>
From: Scott Gifford <sgifford@tir.com>
Date: 10 Sep 2001 15:00:45 -0400
In-Reply-To: Roeland Meyer's message of "Mon, 10 Sep 2001 11:33:40 -0700"
Message-ID: <ly66aqvpk2.fsf@gfn.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Errors-To: owner-nanog-outgoing@merit.edu


Roeland Meyer <rmeyer@mhsc.com> writes:

[...]

> Firewalls aren't accidents.  NAT address propagation failures are,
> they are not consistent, and can't be relied upon to continue.  Who
> knows, some genius, somewhere, may fix it tomorrow. Lord knows,
> there is sufficient incentive to do so. If that happens, your
> security is toast, if all you are relying on is NAT, rather than
> putting up a real firewall.

The rest of what you're saying makes sense, but I just don't buy
this...

A clever design might allow NAT to work with all protocols and in both
directions, which would increase connectivity but decrease security.
But how would it get onto my network without me putting it there, and
presumably configuring it securely?  The box doing NAT is under my
control...

----ScottG.
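As an added illustration of the disagreement above (this is not code from the thread or from either poster), here is a toy model of a masquerading router with and without an explicit forwarding policy. Addresses are constructed from RFC 1918 and RFC 5737 ranges, the traffic is made up, and the `Packet`, `NatBox` and `run_scenario` names are assumptions for the example; none of this is real iptables or vendor code.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Constructed addresses: RFC 1918 prefix inside, RFC 5737 documentation ranges outside.
INSIDE_NET = ip_network("10.0.0.0/24")
PUBLIC_IP = "203.0.113.1"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str  # interface the packet arrived on (or leaves by): "inside" or "outside"


class NatBox:
    """Hypothetical masquerading router.

    stateful_firewall=False: no forwarding policy at all. Whatever the routing
    table can deliver gets forwarded; the only thing keeping outsiders off the
    inside hosts is that nobody upstream routes 10.0.0.0/24 to this box.

    stateful_firewall=True: packets from outside are forwarded only when they
    belong to a flow an inside host started.
    """

    def __init__(self, stateful_firewall: bool) -> None:
        self.stateful_firewall = stateful_firewall
        self._next_port = 40000
        # public port -> (inside ip, inside port, remote ip, remote port)
        self._mappings: Dict[int, Tuple[str, int, str, int]] = {}

    def _outbound_port(self, pkt: Packet) -> int:
        """Reuse the mapping for this flow, or allocate a new public port."""
        wanted = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for pub_port, entry in self._mappings.items():
            if entry == wanted:
                return pub_port
        pub_port = self._next_port
        self._next_port += 1
        self._mappings[pub_port] = wanted
        return pub_port

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as it leaves the box, or None if it is not forwarded."""
        if pkt.iface == "inside":
            if ip_address(pkt.src) not in INSIDE_NET:
                return None
            return Packet(PUBLIC_IP, self._outbound_port(pkt), pkt.dst, pkt.dport, "outside")

        # Packet arrived on the outside interface.
        if pkt.dst == PUBLIC_IP:
            entry = self._mappings.get(pkt.dport)
            # Masquerade-style mapping: only the remote endpoint we talked to may reply.
            if entry and entry[2:] == (pkt.src, pkt.sport):
                inside_ip, inside_port, _, _ = entry
                return Packet(pkt.src, pkt.sport, inside_ip, inside_port, "inside")
            # No translation matches: the packet stays addressed to the box itself
            # and is not forwarded inside. This is the filtering NAT gives "for free".
            return None

        if ip_address(pkt.dst) in INSIDE_NET:
            # A packet for a private inside address reached the outside interface.
            # That is the "propagation failure" case: it happens only once someone
            # upstream starts routing 10.0.0.0/24 to us.
            if self.stateful_firewall:
                return None  # explicit policy: no new flows from outside
            return replace(pkt, iface="inside")  # routing says forward, so it forwards

        return None


def run_scenario(box: NatBox) -> Dict[str, Optional[Packet]]:
    """Drive one box through the flows discussed in the thread (constructed traffic)."""
    out = box.forward(Packet("10.0.0.5", 1234, "198.51.100.7", 80, "inside"))
    assert out is not None
    # The legitimate reply from the host we contacted.
    reply = box.forward(Packet("198.51.100.7", 80, PUBLIC_IP, out.sport, "outside"))
    # Someone else probing the same public port: no matching flow.
    stray = box.forward(Packet("198.51.100.9", 5555, PUBLIC_IP, out.sport, "outside"))
    # The day upstream routes 10.0.0.0/24 to us: an unsolicited SYN straight to an inside host.
    direct = box.forward(Packet("198.51.100.9", 5555, "10.0.0.5", 22, "outside"))
    return {"outbound": out, "reply": reply, "stray": stray, "direct": direct}


if __name__ == "__main__":
    for label, box in (("NAT only", NatBox(False)), ("NAT + stateful firewall", NatBox(True))):
        results = run_scenario(box)
        print(label, {k: (v is not None) for k, v in results.items()})
```

Both boxes behave identically for the outbound flow, its reply and the stray probe, which is why a NAT-only box looks like a firewall day to day. They differ only in the `direct` case: the NAT-only box forwards the unsolicited packet the moment routing makes it deliverable, while the box with an explicit policy drops it regardless of what happens upstream. Putting that one rule on the box you already control is the whole difference between relying on the accident and relying on a policy.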
