Only 5x IPv4 /8 remaining at IANA
Owen DeLong
owen at delong.com
Mon Oct 18 19:05:16 UTC 2010
On Oct 18, 2010, at 12:26 PM, Johnny Eriksson wrote:
> "Tony Hain" <alh-ietf at tndh.net> wrote:
>
>> Actually nat does something for security, it decimates it. Any 'real'
>> security system (physical, technology, ...) includes some form of audit
>> trail. NAT explicitly breaks any form of audit trail, unless you are the one
>> operating the header mangling device. Given that there is no limit to the
>> number of nat devices along a path, there can be no limit to the number of
>> people operating them. This means there is no audit trail, and therefore NO
>> SECURITY.
>
> So an audit trail implies security? I don't agree. It may make post-mortem
> analysis easier, though.
>
An audit trail improves security because post-mortem analysis of breaches
is an important tool in improving security.
> Does end-to-end crypto break security? Which security? The security of
> the endpoints or the security of someone else who cannot now audit the
> communication in question fully?
>
No, end-to-end crypto does not, by itself, break security. Arguably, end-to-end
crypto MAY bypass security in some environments, but those environments
do have controls available to disable end-to-end crypto.
Owen
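The point Tony Hain makes above, that the audit trail through NAT survives only for whoever operates each translator, is illustrated by this added example (not part of the thread or of any poster's code): two constructed NATs are chained, a remote server sees only the outermost address and port, and attribution walks back one hop per available session log. All addresses, NAT names and port numbers are constructed sample values.

```python
"""Attribution through chained NAT needs the session log of every translator.

Constructed scenario: a home router behind a carrier-grade NAT (CGNAT). The
remote server records only the outermost (ip, port). Walking that back to the
originating host requires each NAT operator's log; without one hop's log the
trail stops at that hop. Addresses come from documentation/shared ranges.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Nat:
    """A many-to-one source NAT that keeps an audit log of its mappings."""
    name: str
    public_ip: str
    next_port: int = 40000
    log: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # outside -> inside

    def translate(self, inside: Endpoint) -> Endpoint:
        """Rewrite the source to (public_ip, fresh port) and record the mapping."""
        outside = (self.public_ip, self.next_port)
        self.next_port += 1
        self.log[outside] = inside
        return outside


def attribute(observed: Endpoint, path: List[Nat],
              available: Set[str]) -> Tuple[Endpoint, str]:
    """Walk an observed (ip, port) back through the NATs, outermost first.

    `path` lists NATs from the host outwards; `available` names the NATs whose
    logs the investigator can read. Returns the innermost endpoint reached and
    the NAT at which the trail ended ("" when the original host was reached).
    """
    current = observed
    for nat in reversed(path):
        if nat.name not in available or current not in nat.log:
            return current, nat.name  # no usable log from this operator
        current = nat.log[current]
    return current, ""


def scenario(available: Set[str]) -> Tuple[Endpoint, str]:
    """Constructed two-hop NAT path; returns what attribution recovers."""
    home = Nat("home-router", "100.64.1.7")   # CGNAT-side address (RFC 6598 range)
    cgnat = Nat("isp-cgnat", "203.0.113.5")   # public address (documentation range)
    host: Endpoint = ("192.168.1.20", 51234)  # the actual originating host
    seen = cgnat.translate(home.translate(host))  # what the remote server logs
    return attribute(seen, [home, cgnat], available)
```

With both logs the host is recovered; with only the ISP's log the trail ends at the home router's public side; with neither it ends at the CGNAT address the server saw.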