[64716] in North American Network Operators' Group


Re: IPv6 NAT

daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Fri Oct 31 11:44:53 2003

Date: Fri, 31 Oct 2003 11:43:40 -0500
From: "Patrick W. Gilmore" <patrick@ianai.net>
To: nanog@merit.edu
In-Reply-To: <2147483647.1067587398@imac-en0.delong.sj.ca.us>
Errors-To: owner-nanog-outgoing@merit.edu


-- On Friday, October 31, 2003 08:03 -0800
-- Owen DeLong <owen@delong.com> supposedly wrote:

> There is NO security benefit to NAT/PAT/NAPT.

Disagree.

None of the scanning / infecting viruses could get past a $50 NAT/PAT 
device which Joe User brings home and turns on without configuring.

Do not talk about "if they statically NAT...".  Punching holes in stateful 
firewalls will cause just as much damage.

> There is a security benefit
> to stateful inspection.

Agreed.  And I doubt anyone on this list would say differently.

> NAT is harmful to many protocols.  Stateful
> inspection is not.

Possibly.  But Joe User will never use those "many protocols".  Plus the 
overwhelming majority of protocols are not harmed by NAT.

I would bet a statistically insignificant number of packets on the Internet 
(many places to the right of the decimal) are part of those protocols.

This does not mean we should NAT everything, since I use some of those 
protocols.  But if every Joe User had a DLink NAT box in front of his 
Winbloze box, the Internet would be a safer place.  And you know it.

-- 
TTFN,
patrick
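The disagreement above is about where the "unsolicited inbound packets get dropped" property comes from. The following is an added example, not code from the thread or from any vendor's NAT box: a toy model of a NAPT device and of a plain stateful firewall that does no address translation, driven through the same three events (an outbound connection, its reply, and a scanner probe to the same host), then with a hole punched in each (a static port forward on the NAT box, an explicit allow on the firewall). All addresses, ports and packets are constructed for the example; the Packet, NAPT and StatefulFirewall names are this example's own.

```python
# Toy model of NAPT versus a stateful firewall without translation.
# Constructed traffic only; addresses are from the documentation ranges.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for a new connection attempt


class StatefulFirewall:
    """No translation. Inbound packets pass only if they belong to a flow
    that was started from inside, or match an explicitly opened hole."""

    def __init__(self):
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)
        self.holes = set()  # (inside_ip, inside_port) explicitly allowed

    def outbound(self, pkt):
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt  # forwarded unchanged

    def inbound(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return pkt
        if (pkt.dst, pkt.dport) in self.holes:
            return pkt
        return None  # dropped: no matching state and no hole


class NAPT:
    """Many inside addresses behind one public address. Each outbound flow
    gets a public port; the same table is what decides inbound fate."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}   # public_port -> (inside_ip, inside_port, outside_ip, outside_port)
        self.static = {}  # public_port -> (inside_ip, inside_port), i.e. port forwarding

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for pport, entry in self.table.items():
            if entry == key:
                break
        else:
            pport = self.next_port
            self.next_port += 1
            self.table[pport] = key
        return Packet(self.public_ip, pport, pkt.dst, pkt.dport, pkt.syn)

    def inbound(self, pkt):
        entry = self.table.get(pkt.dport)
        if entry and entry[2:] == (pkt.src, pkt.sport):
            inside_ip, inside_port, _, _ = entry
            return Packet(pkt.src, pkt.sport, inside_ip, inside_port, pkt.syn)
        if pkt.dport in self.static:
            inside_ip, inside_port = self.static[pkt.dport]
            return Packet(pkt.src, pkt.sport, inside_ip, inside_port, pkt.syn)
        return None  # dropped: no translation entry and no static mapping


def punch_hole(device, inside_ip, port):
    """Expose one inside port: a port forward on NAPT, an allow rule otherwise."""
    if isinstance(device, NAPT):
        device.static[port] = (inside_ip, port)
    else:
        device.holes.add((inside_ip, port))


def run_scenario(device):
    """Outbound web request, its reply, then a scanner probe, before and
    after a hole is opened. Returns what reaches the inside host."""
    inside = "192.168.1.10"
    client = Packet(inside, 51000, "203.0.113.5", 80, syn=True)
    out = device.outbound(client)
    visible_ip = out.src  # the address the outside world sees for the client
    reply = device.inbound(Packet("203.0.113.5", 80, visible_ip, out.sport))
    probe = Packet("198.51.100.7", 4444, visible_ip, 135, syn=True)  # constructed scan
    before = device.inbound(probe)
    punch_hole(device, inside, 135)
    after = device.inbound(probe)
    return {
        "reply_reaches_client": reply is not None and reply.dst == inside,
        "probe_blocked": before is None,
        "probe_after_hole": after is not None and after.dst == inside,
    }


if __name__ == "__main__":
    print("NAPT:    ", run_scenario(NAPT("192.0.2.1")))
    print("firewall:", run_scenario(StatefulFirewall()))
```

Both devices produce the same three answers: the reply is delivered, the unsolicited probe is dropped, and once a hole is opened the probe reaches the inside host. In the model the translation step in NAPT.inbound is incidental; the drop decision in both classes is a lookup in a table of flows the inside started, which is the point each side of the thread is arguing from.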
