[97264] in North American Network Operators' Group


Re: Security gain from NAT

daemon@ATHENA.MIT.EDU (James R. Cutler)
Tue Jun 5 08:45:23 2007

Date: Tue, 05 Jun 2007 08:43:17 -0400
To: NANOG <nanog@merit.edu>
From: "James R. Cutler" <james.cutler@consultant.com>
In-Reply-To: <46654164.60508@ahnberg.pp.se>
Errors-To: owner-nanog@merit.edu



Maybe one should consider the customer viewpoint and not just 
semantic twiddle. When I install one of those little and inexpensive 
boxes it is for several reasons, not just security. However, the "I 
hear you knocking, but you can't come in." is invaluable to keep out 
probes of popular Microsoft points (ports) of vulnerability. In a 
very practical sense this is added security for the end system.  Yes, 
it is from the Stateful Inspection and not, per se, from address or 
port translation.  That really does not matter because it comes as a 
package in those cute little boxes.

Regarding efficacy of NAT: Have you considered what the typical ISP 
policy on address assignment and routing will be? Will Comcast 
announce routes to all my end system addresses to the world? Will 
Comcast even allow for more than one address per connection? 
Substitute your vendor of choice here.  Be it BT or whatever, until 
you assure me that my ISP will not interfere with my local SOHO or 
home network or increase my rate per system added, I will encourage 
multiplexing of addresses, regardless of IPv4, IPv6, landline 
telephone number, PO Box, or whatever.

Listen to Ahnberg and Dillon. What they say makes much sense and 
avoids the semantic quibbling that has consumed too much of NANOG 
mailing list bandwidth.  We already know that "All dragons are 
Scotsmen, but not all Scotsmen are dragons."

-
James R. Cutler
james.cutler@consultant.com
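As an added illustration (not part of Cutler's post, and not the code of any product he mentions), the following Python model separates the two functions a SOHO box bundles: a stateful filter that admits an inbound packet only when it is a reply to a flow opened from inside, and a many-to-one address/port translator. The `StatefulFilter`, `Nat` and `Router` classes are this example's own simplifications, and every address, port and packet below is a constructed sample value.

```python
"""
Toy model of the "I hear you knocking, but you can't come in" behaviour.
The filter and the translator are separate components so that each can
be switched on or off and the delivery decision compared.
Added example; all addresses, ports and packets are constructed values.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFilter:
    """Admits inbound packets only if they answer a flow opened from inside."""

    def __init__(self) -> None:
        # (inside_ip, inside_port, remote_ip, remote_port) of flows seen outbound
        self.flows = set()

    def outbound(self, pkt: Packet) -> None:
        self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def inbound(self, pkt: Packet) -> bool:
        # A reply must come from the same remote endpoint the inside host contacted.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows


class Nat:
    """Many-to-one address/port translation (toy). It does no filtering; an
    inbound packet is passed inside whenever a mapping for its port exists."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.next_port = 40000
        self.to_inside = {}   # public_port -> (inside_ip, inside_port)
        self.to_public = {}   # (inside_ip, inside_port) -> public_port

    def translate_out(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.to_public:
            self.to_public[key] = self.next_port
            self.to_inside[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.to_public[key], pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        inside = self.to_inside.get(pkt.dst_port)
        if inside is None:
            return None  # no mapping, so there is nowhere to deliver it
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


class Router:
    """The box: filter on the LAN side, translator (optional) on the WAN side."""

    def __init__(self, stateful: bool, nat: Optional[Nat]) -> None:
        self.filter = StatefulFilter() if stateful else None
        self.nat = nat

    def send_out(self, pkt: Packet) -> Packet:
        if self.filter:
            self.filter.outbound(pkt)          # record the flow before translation
        return self.nat.translate_out(pkt) if self.nat else pkt

    def receive_in(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet delivered to the LAN host, or None if dropped."""
        if self.nat:
            pkt = self.nat.translate_in(pkt)
            if pkt is None:
                return None                    # dropped only for lack of a mapping
        if self.filter and not self.filter.inbound(pkt):
            return None                        # dropped by stateful inspection
        return pkt


def scenario(stateful: bool, use_nat: bool) -> dict:
    """One outbound web connection, then a legitimate reply and two probes."""
    inside_ip = "192.168.1.10" if use_nat else "203.0.113.10"   # constructed
    router = Router(stateful, Nat("203.0.113.1") if use_nat else None)
    wire = router.send_out(Packet(inside_ip, 1025, "198.51.100.5", 80))
    # The reply is addressed to whatever source appeared on the wire.
    reply = Packet("198.51.100.5", 80, wire.src_ip, wire.src_port)
    # Constructed unsolicited packets from a scanner at 192.0.2.66:
    probe_445 = Packet("192.0.2.66", 31337, wire.src_ip, 445)
    probe_mapped = Packet("192.0.2.66", 31337, wire.src_ip, wire.src_port)
    return {
        "reply": router.receive_in(reply) is not None,
        "probe_445": router.receive_in(probe_445) is not None,
        "probe_mapped_port": router.receive_in(probe_mapped) is not None,
    }


if __name__ == "__main__":
    for stateful, use_nat in [(True, False), (False, True), (True, True), (False, False)]:
        print(f"stateful={stateful!s:5} nat={use_nat!s:5}", scenario(stateful, use_nat))
```

With the filter on and translation off (a routed address block, as the post's ISP questions contemplate), the probe at port 445 is still dropped. With translation on but no state tracking, a packet aimed at an existing mapping from a different source is delivered inside. That is the distinction the post draws: the protection comes from tracking connection state, while the address multiplexing is a separate choice driven by ISP address and routing policy.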


