[97236] in North American Network Operators' Group


Re: Security gain from NAT

daemon@ATHENA.MIT.EDU (Matthew Kaufman)
Mon Jun 4 19:59:36 2007

Date: Mon, 04 Jun 2007 16:31:22 -0700
From: Matthew Kaufman <matthew@eeph.com>
Reply-To: matthew@eeph.com
To: Leigh Porter <leigh.porter@ukbroadband.com>
Cc: Jim Shankland <nanog@shankland.org>,
	Owen DeLong <owen@delong.com>, NANOG list <nanog@nanog.org>
In-Reply-To: <46646237.4050702@ukbroadband.com>
Errors-To: owner-nanog@merit.edu


Leigh Porter wrote:
> Additionally, NATing services on separate machines behind a single NATed 
> address anonymises the services behind a single address.

Agreed. It can be very useful to not expose the internal topology 
through address assignment so as to not expose which 
subnets/desktops/users are accessing certain foreign addresses.

This is an even bigger issue in v6 if your stack exposes the MAC address 
in its choice of stateless autoconfiguration address, as this then gives 
away not just your internal topology but the vendor of the machines (or 
at least the ethernet card maker). One can easily imagine attacks based 
on knowing that a vulnerable and hard-to-upgrade embedded system (an 
Internet-fax machine, say) was on a particular subnet.

Matthew Kaufman
matthew@eeph.com
