[64746] in North American Network Operators' Group


RE: IPv6 NAT

daemon@ATHENA.MIT.EDU (Tony Hain)
Fri Oct 31 20:24:20 2003

From: "Tony Hain" <alh-ietf@tndh.net>
To: "Scott McGrath" <mcgrath@fas.harvard.edu>,
	"Stephen Sprunk" <stephen@sprunk.org>
Cc: <Michael.Dillon@radianz.com>,
	"North American Noise and Off-topic Gripes" <nanog@merit.edu>
Date: Fri, 31 Oct 2003 17:23:36 -0800
In-Reply-To: <Pine.OSF.4.58.0310311335350.7704@is07.fas.harvard.edu>
Errors-To: owner-nanog-outgoing@merit.edu


Scott McGrath wrote:
> Agreed, NATs do not create security although many customers believe they
> do.  NATs _are_ extremely useful in hiding network topologies from casual
> inspection.

This is another bogus argument, and clearly you have not done the math on
how long it takes to scan a /64 worth of subnet space. Start by assuming a
/16 per second (which is well beyond what I have found as current
technology) and see how long 2^48 seconds is.

>
> What I usually recommend to those who need NAT is a stateful firewall in
> front of the NAT.  The rationale being the NAT hides the topology and the
> stateful firewall provides the security boundary.

Obscuring the topology provides absolutely no security either. You are not
alone, as it is frequently a recommended practice, but obscurity != security
no matter how much it is sold as such.

Tony
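The "do the math" step above, worked through as an added example (this is not code from the post or from either author). It assumes the post's own figures, an exhaustive sweep of a /64 at one /16 (65,536 addresses) per second, and generalises them to any prefix length and probe rate so the same function can be applied to an IPv4 /16 for comparison. The constant SECONDS_PER_YEAR (365.25 days) is an assumption for converting the result into years.

```python
from fractions import Fraction

# Julian year, assumed here for converting seconds into years.
SECONDS_PER_YEAR = 365.25 * 24 * 3600  # 31_557_600 s


def address_count(prefix_len: int, addr_bits: int = 128) -> int:
    """Number of addresses covered by a prefix of the given length.

    addr_bits is 128 for IPv6 (the default) or 32 for IPv4.
    """
    if not 0 <= prefix_len <= addr_bits:
        raise ValueError(f"prefix length {prefix_len} out of range for {addr_bits}-bit addresses")
    return 1 << (addr_bits - prefix_len)


def exhaustive_scan_seconds(prefix_len: int, probes_per_second: int,
                            addr_bits: int = 128) -> Fraction:
    """Wall-clock time, in seconds, to probe every address in the prefix once.

    Returned as an exact Fraction so the IPv6 figures are not rounded away.
    """
    if probes_per_second <= 0:
        raise ValueError("probe rate must be positive")
    return Fraction(address_count(prefix_len, addr_bits), probes_per_second)


def exhaustive_scan_years(prefix_len: int, probes_per_second: int,
                          addr_bits: int = 128) -> float:
    """Same sweep expressed in years (floating point is fine at this scale)."""
    return float(exhaustive_scan_seconds(prefix_len, probes_per_second, addr_bits)) / SECONDS_PER_YEAR


def sweep_table(probes_per_second: int = 1 << 16) -> list[tuple[str, float]]:
    """Scan time in years for a few prefixes at the post's assumed rate.

    The rows are constructed for illustration: an IPv4 /16 and /0 next to
    IPv6 /64 and /48 prefixes.
    """
    rows = [
        ("IPv4 /16", exhaustive_scan_years(16, probes_per_second, addr_bits=32)),
        ("IPv4 /0 (entire space)", exhaustive_scan_years(0, probes_per_second, addr_bits=32)),
        ("IPv6 /64", exhaustive_scan_years(64, probes_per_second)),
        ("IPv6 /48", exhaustive_scan_years(48, probes_per_second)),
    ]
    return rows


if __name__ == "__main__":
    # A /64 at one /16 per second: 2^64 / 2^16 = 2^48 seconds.
    print(f"2^48 seconds = {exhaustive_scan_seconds(64, 1 << 16)} s")
    for label, years in sweep_table():
        print(f"{label:24s} {years:>22,.2f} years")
```

The number that matters is the /64 row: 2^48 seconds is roughly 8.9 million years, against one second for an IPv4 /16 at the same rate. This only shows that a blind exhaustive sweep of a /64 is impractical; it says nothing about hosts that are discoverable by other means (DNS, logs, address patterns), which is exactly why the reply goes on to insist that obscured topology is not a security boundary.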



