[97247] in North American Network Operators' Group


Re: Security gain from NAT

daemon@ATHENA.MIT.EDU (Daniel Senie)
Mon Jun 4 22:07:28 2007

Date: Mon, 04 Jun 2007 22:06:25 -0400
To: Jason Lewis <jlewis@packetnexus.com>,
	NANOG list <nanog@nanog.org>
From: Daniel Senie <dts@senie.com>
Cc: colm@stdlib.net
In-Reply-To: <4664B75A.7080506@packetnexus.com>
Errors-To: owner-nanog@merit.edu


At 09:07 PM 6/4/2007, Jason Lewis wrote:


>I figured SMB would chime in...but his research says it's not so anonymous.
>
>http://illuminati.coralcdn.org/docs/bellovin.fnat.pdf

Give or take NAT boxes / firewalls that specifically have features to 
mess with the IP ID. The SonicWALL products have, for example, a 
checkbox that says: "Randomize IP ID".

Some vendors apparently have taken measures to ensure methods such as 
monitoring IP ID are less effective. The paper notes this, and the 
issues with doing this.

So the "not so anonymous" statement above is really "not so 
anonymous, give or take the implementation of the firewall/NAT".
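
The point of the message above, as an added illustration that is not part of the original post and is not code from the cited paper: a simplified greedy grouping of observed IP IDs into sequential streams recovers the number of hosts behind a NAT, and stops working once the IDs are randomized. The starting counters, per-packet increments, gap threshold and the model of "Randomize IP ID" as a uniformly random 16-bit rewrite are assumptions.

```python
import random

MOD = 1 << 16  # the IPv4 Identification field is 16 bits wide

def simulate(starts, per_host, randomize, seed=1):
    """IP IDs seen outside a NAT from hosts that each keep a sequential counter.

    Constructed traffic: hosts are interleaved at random and each counter
    advances 1-3 per observed packet (some packets go elsewhere).
    randomize=True models the rewrite as a uniformly random ID (assumption).
    """
    rng = random.Random(seed)
    counters = list(starts)
    left = [per_host] * len(starts)
    seen = []
    while any(left):
        h = rng.choice([i for i, n in enumerate(left) if n])
        counters[h] = (counters[h] + rng.randint(1, 3)) % MOD
        left[h] -= 1
        seen.append(rng.randrange(MOD) if randomize else counters[h])
    return seen

def count_id_streams(ip_ids, max_gap=64):
    """Greedy estimate of the number of sequential counters behind the IDs.

    Each ID joins the stream whose last ID is closest below it (mod 2**16)
    within max_gap; otherwise it opens a new stream.
    """
    tails = []  # last ID seen in each stream
    for ipid in ip_ids:
        best = None
        for i, tail in enumerate(tails):
            gap = (ipid - tail) % MOD
            if 0 < gap <= max_gap and (best is None or gap < best[0]):
                best = (gap, i)
        if best is None:
            tails.append(ipid)
        else:
            tails[best[1]] = ipid
    return len(tails)

if __name__ == "__main__":
    hosts = [1000, 20000, 45000]  # constructed starting counters
    print("sequential IDs :", count_id_streams(simulate(hosts, 200, False)))
    print("randomized IDs :", count_id_streams(simulate(hosts, 200, True)))
```

With sequential counters the estimate equals the number of simulated hosts; with randomized IDs the stream count is inflated to a value unrelated to the host count.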

