quietly....
Jay Ashworth
jra at baylink.com
Thu Feb 3 05:18:43 UTC 2011
----- Original Message -----
> From: "Jimmy Hess" <mysidia at gmail.com>
> There's no reason for the internet community to re-design every
> protocol to allow and try to function in a NAT environment, for the
> benefit of a small number of edge networks, who want a private castle
> with hosts on their network not connected to the internet, for no
> reason that has been adequately justified.
Justify, yourself in turn, "small number". My personal estimate of the
number of NATted edge networks is well north of 75%, on a network count
basis.
> No one has ever provided me with a serviceable explanation of why a
> stateful firewall is an insufficient method for implementing any
> desired network policy, with regards to limiting accepted traffic to
> outbound connections for nodes on an edge network.
Complexity of the configuration vastly increases the size of the
attack surface: in a NATted edge network, *no packets can come in
unless I explicitly configure for them*; there are any number of
reasons why an equivalently simple assertion cannot be made concerning
the configuration of firewalls, of whatever type or construction.
In a firewall, you are *fighting* the default "route this packet"
design; in a NATgate, you have to consciously throw the packets
over the moat.
I've never been clear why this isn't intuitively obvious to the people
with whom I have to have this argument.
Cheers,
-- jra
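As an added illustration of the default-policy point above (example configuration, not from the thread or its authors): an nftables forward chain on a routed edge gateway, written so that the "no packets come in unless I explicitly configure for them" assertion holds. Interface names wan0/lan0 and the documentation-range address 203.0.113.10 are assumed placeholders.

```nftables
# Added example, not part of the original message. Interface names
# (wan0, lan0) and the 203.0.113.10 address are assumed placeholders.
# Syntax-check without loading: nft -c -f edge.nft

table inet edge {
    chain forward {
        # The "route this packet" default Jay describes is
        #   policy accept;
        # where every routable packet passes unless a rule stops it and
        # a single missed rule is an open inbound path. Default-deny
        # reverses the burden: nothing crosses unless a rule lets it.
        type filter hook forward priority 0; policy drop;

        # packets conntrack cannot match to any flow, new or existing
        ct state invalid drop

        # replies to flows already in the connection table, which is
        # the only inbound traffic a NAT gateway would pass by default
        ct state established,related accept

        # inside hosts may open new flows toward the outside
        iifname "lan0" oifname "wan0" ct state new accept

        # the one explicit "throw it over the moat": a published
        # HTTPS service; every other unsolicited inbound packet hits
        # the chain policy and is dropped
        iifname "wan0" oifname "lan0" ip daddr 203.0.113.10 \
            tcp dport 443 ct state new accept
    }
}
```

After loading, `nft list ruleset` shows the chain with its policy, and the absence of any `accept` rule for unsolicited wan0 traffic other than the published port is the whole inbound exposure to review.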