[64700] in North American Network Operators' Group


RE: IPv6 NAT

daemon@ATHENA.MIT.EDU (Tony Hain)
Thu Oct 30 22:57:30 2003

From: "Tony Hain" <alh-ietf@tndh.net>
To: "Kuhtz, Christian" <christian.kuhtz@BellSouth.com>,
	"Stephen Sprunk" <stephen@sprunk.org>, <Michael.Dillon@radianz.com>
Cc: "North American Noise and Off-topic Gripes" <nanog@merit.edu>
Date: Thu, 30 Oct 2003 19:56:53 -0800
In-Reply-To: <DDA33D0260634241B611579903A1741608A9BC85@01al10015010045.ad.bls.com>
Errors-To: owner-nanog-outgoing@merit.edu


Kuhtz, Christian wrote:
> ...
> All hairsplitting aside, given that the term NAT these days is mostly used
> in a PAT (particularly in a customer connecting to the I) context, what
> isn't secure about it?

Mangling the header doesn't provide any security, and if you believe it
does, do the following exercise:
Configure a static NAT entry to map all packets from the public side to a
single host on the private side. Show how that mapping provides any more
security than what would exist by putting the public address on that host.


A stateful filter that is automatically populated by traffic originated from
the private side is what is providing 'security'. That function existed in
routers long before NAT was specified by the IETF (see RFC1044 for vendor).

Tony
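
The exercise above, worked through in a small simulation. This is an added example, not part of the original post or of any vendor's NAT implementation; the addresses, ports and packets are constructed from the RFC 5737 / RFC 1918 documentation ranges, and the two boxes are deliberately minimal models: a static 1:1 NAT that rewrites addresses and keeps no per-flow state, and a stateful filter that rewrites nothing and admits inbound packets only when they reverse a flow created from the private side.

```python
"""Static 1:1 NAT versus a stateful filter: which one actually stops an
unsolicited inbound probe from reaching the single host behind the box?

All addresses, ports and packets are constructed for this example
(RFC 5737 documentation ranges and RFC 1918 space), not captured traffic.
"""
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_ADDR = "203.0.113.10"    # constructed: the address on the public side
PRIVATE_HOST = "192.168.1.20"   # constructed: the one host on the private side
ATTACKER = "198.51.100.7"       # constructed: an unsolicited external sender
SERVER = "192.0.2.80"           # constructed: a server the private host talks to


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StaticNAT:
    """Static mapping PUBLIC_ADDR <-> PRIVATE_HOST. No per-flow state: every
    packet addressed to the public address is rewritten and forwarded."""

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src != PRIVATE_HOST:
            return None
        return replace(pkt, src=PUBLIC_ADDR)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst != PUBLIC_ADDR:
            return None
        return replace(pkt, dst=PRIVATE_HOST)


class StatefulFilter:
    """No address rewriting. Each outbound packet records a flow; an inbound
    packet is forwarded only if it is the exact reverse of a recorded flow."""

    def __init__(self) -> None:
        self.flows: set = set()

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return pkt if reverse in self.flows else None


def reaches_host(delivered: Optional[Packet]) -> bool:
    """True if a packet was forwarded and is addressed to the private host."""
    return delivered is not None and delivered.dst == PRIVATE_HOST


def run_exercise() -> dict:
    """Run the same unsolicited SSH probe through each setup and report
    whether it lands on the host."""
    probe_to_public = Packet("tcp", ATTACKER, 40000, PUBLIC_ADDR, 22)
    probe_to_host = Packet("tcp", ATTACKER, 40000, PRIVATE_HOST, 22)
    results = {}

    # (a) No device in the path: the host holds the address the probe is
    #     sent to, so delivery is the identity function.
    results["no_device"] = reaches_host(probe_to_host)

    # (b) Static NAT: the probe is rewritten to the private host and
    #     forwarded. Same outcome as (a), only the header changed.
    nat = StaticNAT()
    results["static_nat"] = reaches_host(nat.inbound(probe_to_public))

    # (c) Stateful filter with no prior outbound traffic: nothing matches,
    #     so the probe is dropped.
    fw = StatefulFilter()
    results["stateful_unsolicited"] = reaches_host(fw.inbound(probe_to_host))

    # (d) The host opens a connection; the reply now reverses a recorded
    #     flow and is admitted.
    fw.outbound(Packet("tcp", PRIVATE_HOST, 51000, SERVER, 443))
    reply = Packet("tcp", SERVER, 443, PRIVATE_HOST, 51000)
    results["stateful_reply"] = reaches_host(fw.inbound(reply))

    # (e) A forged "reply" from the right server to the wrong port matches
    #     no flow and is still dropped.
    forged = Packet("tcp", SERVER, 443, PRIVATE_HOST, 51001)
    results["stateful_forged"] = reaches_host(fw.inbound(forged))
    return results


if __name__ == "__main__":
    for name, hit in run_exercise().items():
        print(f"{name:22s} probe reaches host: {hit}")
```

Cases (a) and (b) come out the same: rewriting the destination address changes nothing about which packets the host sees. Only the filter in (c) through (e) makes the outcome depend on what the private side did first, which is the point of the post; the dynamic mapping table in a typical port-translating box is exactly such a filter, with the rewriting riding along on top of it.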

