Another driver for v6?

Jack Bates jbates at brightok.net
Wed Oct 29 14:21:45 UTC 2008


Brandon Butterworth wrote:
>> as I am very tired of all the problems caused by multiple
>> layers of NATs and PAT.
> 
> Likewise but more because people keep designing stuff to try and force
> others to get rid of them, ignoring why they have them.

A false sense of security? The belief that hiding behind a single IP might 
disguise how many hosts you have, which in turn might provide some form of 
hidden security?

Inside the network, host to host security is what should be. This can assist in 
some protection against bots that do make it to the network, or internal 
maliciousness. Security from within has always been overlooked by many, and yet 
it is the employees who provide the largest security risk.

Stateful firewalls will not be going away entirely, but they can track state and 
perform proxy services without performing address translation. It just scares 
people because of their false belief that translating an address shows that 
security is working. If stateful monitoring/proxying/limiting is not in working, 
the address translation doesn't really matter.

NAT has had its uses, but it's lazy and a false sense of overall security. I do 
think Microsoft is crazy if they think the need for VPN will disappear, unless 
they have another method for the stateful firewalls to snoop, monitor, and alter 
the IPSEC host to host packets (which isn't entirely impossible).


Jack Bates
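A ruleset of the kind the message above describes, added here as an illustration and not taken from the thread: stateful IPv6 filtering in nftables with no NAT table at all, where the connection tracker alone decides what comes back in. The interface names and the 2001:db8 documentation prefix are assumed placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example: IPv6 stateful firewall for a small site router, no
# address translation anywhere. Interface names and prefix are assumed.
flush ruleset

define lan_if  = "eth1"
define wan_if  = "eth0"
define lan_net = 2001:db8:1::/64

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions the LAN opened: the conntrack entry,
        # not a rewritten source address, is what lets it back in.
        ct state established,related accept
        ct state invalid drop

        # IPv6 relies on ICMPv6 for path MTU discovery and error signalling;
        # filtering all of it breaks connectivity without adding security.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem, echo-request } accept

        # LAN hosts initiate outbound sessions with their own global
        # addresses; nothing is translated on the way out.
        iifname $lan_if oifname $wan_if ip6 saddr $lan_net ct state new accept

        # Unsolicited inbound connections to LAN hosts hit the drop policy.
    }
}
```

Load with `nft -f` and check with `nft list ruleset`; note there is no `nat` table, so `nft list table ip6 nat` has nothing to show.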

