[97284] in North American Network Operators' Group


Re: Security gain from NAT

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Jun 5 21:45:41 2007

To: Roger Marquis <marquis@roble.com>
Cc: Donald Stahl <don@calis.blacksun.org>, nanog@merit.edu
In-Reply-To: Your message of "Tue, 05 Jun 2007 17:44:40 PDT."
             <20070605172447.M37178@eboyr.pbz>
From: Valdis.Kletnieks@vt.edu
Date: Tue, 05 Jun 2007 21:44:41 -0400
Errors-To: owner-nanog@merit.edu

On Tue, 05 Jun 2007 17:44:40 PDT, Roger Marquis said:
> 
> >> Sure, very easily, by using NAT between the subnets.
> >
> > Have at it. Nothing like trying to reach 10.10.10.10 and having
> > to put in a DNS entry pointing to 172.29.10.10
> 
> End-users prefer hostnames to IPs.  DNS hostnames are valid on both
> sides due to either local zone files or a DNS protocol-NAT.  It's a
> no-brainer to implement and a lot easier than using public address
> space given the relatively complex firewalling and filtering that
> requires.

So now the cruft extends and embraces, and you have to play DNS view games
based on whether it's on company A's legacy net, company B's legacy net,
or the DMZ in between them, and start poking around in the middle of DNS
packets to tweak the replies (which sort of guarantees you can't deploy DNSSEC).

And if the company acquires *another* one with rfc1918 on their legacy net,
then you get to play "as seen from A, B, or C, or this DMZ, or that DMZ"..

I think somebody on this list mentioned that due to corporate acquisitions,
there were legitimate paths between machines that traversed 5 or 6 NATs.

But yeah, "Sure, very easily".  Whatever you say...

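The remark above about rewriting DNS replies versus DNSSEC, worked through as an added example that is not part of the original message or thread: a Go program signs an A RRset the way a DNSSEC zone signer does, then applies the address rewrite a NAT DNS-ALG would apply and shows that the RRSIG no longer validates. Everything in it is assumed for illustration: Ed25519 as the zone key (DNSSEC algorithm 15), a constructed zone (host.example.com, signer example.com, key tag 12345 chosen as a placeholder rather than computed from a DNSKEY), the 10.10.10.10 / 172.29.10.10 addresses borrowed from the quoted example, and a simplified static 1:1 prefix NAT of 10.10.0.0/16 onto 172.29.0.0/16. The RRset is a single A record, so no canonical-order sorting is needed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"net"
	"strings"
)

// RRSIGMeta holds the RRSIG RDATA fields covered by the signature, i.e. all
// of them except the signature itself (RFC 4034 section 3.1.8.1).
type RRSIGMeta struct {
	TypeCovered                    uint16
	Algorithm, Labels              uint8
	OrigTTL, Expiration, Inception uint32
	KeyTag                         uint16
	SignerName                     string
}

// wireName encodes a non-root name in canonical wire form: lowercase, uncompressed.
func wireName(name string) []byte {
	var b []byte
	if name = strings.ToLower(strings.TrimSuffix(name, ".")); name != "" {
		for _, label := range strings.Split(name, ".") {
			b = append(append(b, byte(len(label))), label...)
		}
	}
	return append(b, 0)
}

// signedData builds the bytes an RRSIG over an A RRset signs: RRSIG RDATA minus
// the signature, then each RR in canonical form with its TTL replaced by the
// original TTL (RFC 4034 section 6). addrs must already be in canonical order.
func signedData(m RRSIGMeta, owner string, addrs []net.IP) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, m.TypeCovered)
	b.Write([]byte{m.Algorithm, m.Labels})
	binary.Write(&b, binary.BigEndian, []uint32{m.OrigTTL, m.Expiration, m.Inception})
	binary.Write(&b, binary.BigEndian, m.KeyTag)
	b.Write(wireName(m.SignerName))
	for _, ip := range addrs {
		b.Write(wireName(owner))
		binary.Write(&b, binary.BigEndian, []uint16{1, 1}) // TYPE A, CLASS IN
		binary.Write(&b, binary.BigEndian, m.OrigTTL)
		binary.Write(&b, binary.BigEndian, uint16(4)) // RDLENGTH of an A record
		b.Write(ip.To4())
	}
	return b.Bytes()
}

// signRRset is the zone signer's step: algorithm 15 (RFC 8080) is a raw 64-byte Ed25519 signature.
func signRRset(priv ed25519.PrivateKey, m RRSIGMeta, owner string, addrs []net.IP) []byte {
	return ed25519.Sign(priv, signedData(m, owner, addrs))
}

// verifyRRset is the validating resolver's step on the answer it receives.
func verifyRRset(pub ed25519.PublicKey, m RRSIGMeta, owner string, addrs []net.IP, sig []byte) bool {
	return ed25519.Verify(pub, signedData(m, owner, addrs), sig)
}

// natRewrite is the DNS-ALG step: a static 1:1 prefix translation of the address
// in the A RDATA (a simplified model of NAT between two RFC 1918 nets; assumed here).
func natRewrite(addr net.IP, inside, outside *net.IPNet) (net.IP, bool) {
	a := addr.To4()
	if a == nil || !inside.Contains(a) {
		return addr, false
	}
	ones, _ := inside.Mask.Size()
	mask, o, out := net.CIDRMask(ones, 32), outside.IP.To4(), make(net.IP, 4)
	for i := range out {
		out[i] = o[i]&mask[i] | a[i]&^mask[i]
	}
	return out, true
}

// Demo signs a constructed RRset as the zone would, then rewrites the address as a
// NAT DNS-ALG does while leaving the RRSIG alone (the ALG holds no zone key, so
// it cannot re-sign). Returns (verifies before, verifies after, rewritten address).
func Demo() (bool, bool, string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample zone; the key tag is a placeholder, not derived from a DNSKEY.
	meta := RRSIGMeta{TypeCovered: 1, Algorithm: 15, Labels: 3, OrigTTL: 300,
		Expiration: 1182304081, Inception: 1181094281, KeyTag: 12345, SignerName: "example.com."}
	owner, addrs := "host.example.com.", []net.IP{net.ParseIP("10.10.10.10")}
	sig := signRRset(priv, meta, owner, addrs)
	before := verifyRRset(pub, meta, owner, addrs, sig)
	cidr := func(s string) *net.IPNet { _, n, _ := net.ParseCIDR(s); return n }
	rewritten, _ := natRewrite(addrs[0], cidr("10.10.0.0/16"), cidr("172.29.0.0/16"))
	after := verifyRRset(pub, meta, owner, []net.IP{rewritten}, sig)
	return before, after, rewritten.String()
}

func main() {
	before, after, addr := Demo()
	fmt.Printf("original answer verifies: %v; after NAT rewrite to %s: %v\n", before, addr, after)
}
```

Run it with go run. The rewritten answer fails because the A RDATA sits inside the signed data and the ALG has no zone key with which to produce a fresh RRSIG, so a validating resolver on the far side of the NAT rejects it. Keeping DNSSEC working would mean serving each side its own separately signed view of the zone, which is the per-network view bookkeeping the message complains about.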