[82163] in North American Network Operators' Group


Re: mh (RE: OMB: IPv6 by June 2008)

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Fri Jul 8 16:04:18 2005

From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: "Tony Hain" <alh-ietf@tndh.net>
Cc: "'Andre Oppermann'" <nanog-list@nrg4u.com>,
	"'Fergie (Paul Ferguson)'" <fergdawg@netzero.net>, dcrocker@bbiw.net,
	nanog@merit.edu
In-Reply-To: Your message of "Fri, 08 Jul 2005 04:52:59 +0900."
             <20050707195433.3B5EC1862@testbed9.merit.edu> 
Date: Thu, 07 Jul 2005 16:10:28 -0400
Errors-To: owner-nanog@merit.edu


In message <20050707195433.3B5EC1862@testbed9.merit.edu>, "Tony Hain" writes:
>
>Mangling the header did not prevent the worms, lack of state did that. A
>stateful filter that doesn't need to mangle the packet header is frequently
>called a firewall (yes some firewalls still do, but that is by choice). 
>

Absolutely correct.  Real firewalls pass inbound traffic because a 
state table entry exists.  NATs do the same thing, with nasty 
side-effects.  There is no added security from the header-mangling.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
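The state-table point made above, as an added example that is not part of the original thread: a toy stateful filter and a toy NAT that share one connection table, with constructed addresses. Both admit an inbound packet only when it matches an entry created by an outbound flow; the NAT's address and port rewriting plays no part in that decision.

```python
"""Added example (not from the NANOG thread): stateful filter vs. NAT.
Both devices key inbound decisions on the same state table; the NAT merely
rewrites headers on top of it, which adds nothing to the admit/drop choice."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Admits inbound packets only when an outbound flow created state."""

    def __init__(self):
        # entries: (inside_ip, inside_port, outside_ip, outside_port)
        self.state = set()

    def outbound(self, p):
        self.state.add((p.src, p.sport, p.dst, p.dport))
        return p  # forwarded unchanged, no header mangling

    def inbound(self, p):
        # An inbound packet must be the reverse of a flow we already saw.
        key = (p.dst, p.dport, p.src, p.sport)
        return p if key in self.state else None


class Nat(StatefulFilter):
    """Same state table, plus rewriting to a single public address."""

    def __init__(self, public_ip):
        super().__init__()
        self.public_ip, self.next_port, self.map = public_ip, 40000, {}

    def outbound(self, p):
        super().outbound(p)                 # identical state entry
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.map[pub_port] = (p.src, p.sport)
        return Packet(self.public_ip, pub_port, p.dst, p.dport)

    def inbound(self, p):
        inside = self.map.get(p.dport)      # undo the rewrite, if any
        if inside is None:
            return None                     # no mapping means no state
        return super().inbound(Packet(p.src, p.sport, inside[0], inside[1]))


def demo(device):
    """Return (reply_admitted, unsolicited_admitted) for one device."""
    out = device.outbound(Packet("10.0.0.5", 51000, "198.51.100.7", 80))
    reply = Packet(out.dst, out.dport, out.src, out.sport)   # answer to our flow
    unsolicited = Packet("203.0.113.9", 4444, out.src, 2222)  # nobody asked
    return device.inbound(reply) is not None, device.inbound(unsolicited) is not None
```

Running `demo` on each device returns the same `(True, False)`: the solicited reply passes, the unsolicited packet is dropped, and the only difference is that the NAT also rewrote the headers.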