[64718] in North American Network Operators' Group


Re: IPv6 NAT

daemon@ATHENA.MIT.EDU (Joe Abley)
Fri Oct 31 11:59:37 2003

In-Reply-To: <2147483647.1067600620@[172.30.102.254]>
Cc: nanog@merit.edu
From: Joe Abley <jabley@isc.org>
Date: Fri, 31 Oct 2003 11:58:28 -0500
To: "Patrick W. Gilmore" <patrick@ianai.net>
Errors-To: owner-nanog-outgoing@merit.edu



On 31 Oct 2003, at 11:43, Patrick W. Gilmore wrote:

>> There is NO security benefit to NAT/PAT/NAPT.
>
> Disagree.
>
> None of the scanning / infecting viruses could get past a $50 NAT/PAT 
> device which Joe User brings home and turns on without configuring.

It's not the NAT that those boxes are doing which protected Joe User 
(no relation). It's the firewall function of those boxes -- the 
function which stops certain traffic being permitted through the front 
door -- which stopped the viruses outside the front door infecting the 
Windows box in the dining room.

The $50 NAT device performs the firewall function as well as the NAT 
function.

A $50 device which just provided the firewall function would protect 
Joe User just as well from viruses.

The NAT function is required because Joe User requires multiple 
addresses, but his ISP will only give him one. That's orthogonal to the 
firewall function.

Let's move on.


Joe
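
The distinction drawn in the message above, as an added example that is not part of the original post: a toy gateway model in which the firewall function and the NAT function are independent switches, run in the two configurations the message compares. The class and function names and all addresses and ports are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Gateway:
    """Toy home gateway; the two functions are independent switches."""
    public_ip: str
    stateful_filter: bool  # firewall function
    nat: bool              # address-translation function
    flows: set = field(default_factory=set)      # flows opened from the LAN
    nat_map: dict = field(default_factory=dict)  # public port -> (LAN ip, port)

    def outbound(self, p: Packet) -> Packet:
        """LAN -> WAN: translate the source if NAT is on, then record the flow."""
        if self.nat:
            self.nat_map[p.sport] = (p.src, p.sport)  # port-preserving, for brevity
            p = Packet(self.public_ip, p.sport, p.dst, p.dport)
        self.flows.add((p.src, p.sport, p.dst, p.dport))
        return p

    def inbound(self, p: Packet) -> Optional[Packet]:
        """WAN -> LAN: return the packet handed to the LAN, or None if dropped."""
        # Firewall function: only replies to flows opened from inside may pass.
        if self.stateful_filter and (p.dst, p.dport, p.src, p.sport) not in self.flows:
            return None
        if self.nat:
            inside = self.nat_map.get(p.dport)
            if inside is None:
                return None  # no mapping: nothing on the LAN to translate to
            p = Packet(p.src, p.sport, inside[0], inside[1])
        return p

def exercise(gw: Gateway, lan_host: str):
    """Open one flow from lan_host, then return (reply, unsolicited probe) results."""
    out = gw.outbound(Packet(lan_host, 40000, "198.51.100.7", 80))
    reply = gw.inbound(Packet("198.51.100.7", 80, out.src, out.sport))
    probe = gw.inbound(Packet("203.0.113.99", 50000, out.src, 445))
    return reply, probe

# Constructed addresses from the documentation ranges (RFC 5737) and RFC 1918.
FIREWALL_AND_NAT = exercise(Gateway("192.0.2.1", True, True), "192.168.1.10")
FIREWALL_ONLY = exercise(Gateway("192.0.2.1", True, False), "192.0.2.10")
```

In both configurations the reply to the flow opened from inside is delivered and the unsolicited probe is dropped by the state check, before any translation step is reached.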

