the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Tue Apr 27 18:47:26 UTC 2010


On Tue, 27 Apr 2010 14:37:08 EDT, Jon Lewis said:

> Maybe we want end-to-end to break.
> 
> Firewalls can trivially be misconfigured such that they're little more 
> than routers, fully exposing all the hosts behind them to everything bad 
> the internet has to offer (hackers, malware looking to spread itself, 
> etc.).
> 
> At least with NAT, if someone really screws up the config, the "inside" 
> stuff is all typically on non-publicly-routed IPs, so the worst likely to 
> happen is they lose internet, but at least the internet can't directly 
> reach them.

You *do* realize that the skill level needed to misconfigure a firewall
into that state, and the skill level needed to do the exact same thing to
a firewall-NAT box, are *both* less than the skill level needed to remember
to also deploy traffic monitors so you know you screwed up, and host-based
firewalls to guard against chuckleheads screwing up the border box?

In other words, if your security scheme relies on that supposed feature of NAT,
you have *other* things you need to be working on.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20100427/627abfd9/attachment.sig>


More information about the NANOG mailing list