Is NAT can provide some kind of protection?

Owen DeLong owen at delong.com
Sat Jan 15 22:01:46 UTC 2011


On Jan 15, 2011, at 1:16 PM, Brian Keefer wrote:

> On Jan 12, 2011, at 9:21 AM, George Bonser wrote:
> 
>>> 
>>> I'd eat a hat if a vendor didn't implement a PAT equivalent. It's
>>> demanded too much. There is money for it, so it will be there.
>>> 
>>> 
>>> Jack
>> 
>> Yeah, I think you are right.  But in really thinking about it, I wonder
>> why.  The whole point of PAT was address conservation.  You don't need
>> that with v6.  All you need to do with v6 is basically have what amounts
>> to a firewall in transparent mode in the line that doesn't let a packet
>> in (except where explicitly configured to) unless it is associated with a
>> packet that went out.
>> 
>> PAT makes little sense to me for v6, but I suspect you are correct.  In
>> addition, we are putting the "fire suit" on each host in addition to the
>> firewall. Kernel firewall rules on each host for the *nix boxen.  
> 
> Actually there are a couple very compelling reasons why PAT will probably be implemented for IPv6:
> 1.)  Allows you to redirect a privileged port (on UNIX) to a non-privileged port.  For daemons that don't implement some form of privilege revoking after binding to a low port (and/or aren't allowed to run as root), this is very useful.  It's much easier to have a firewall redirect than to implement robust privilege revoking.  Example: PAT 25/tcp -> 2525/tcp.
> 
Actually, that's just port rewriting which is mostly harmless. PAT refers, instead, to a stateful
translation which is most definitely not harmless.

> 2.)  Allows you to redirect multiple ports to a single one, to support legacy implementations.  Suppose your application used to require separate ports for different types of requests, but now is able to multiplex them.  The new daemon only listens on one port, but other applications may not have updated their configuration.  Example:  PAT 4443/tcp -> 443/tcp & PAT 8443/tcp -> 443/tcp.
> 
That's a pretty ugly situation, but, it would require a stateful mechanism to address it. I think it is much cleaner to have the daemon listen on the multiple ports.

> Basically the idea is that implementing PAT for IPv6 allows smoother transition for apps that made use of it in IPv4, thus accelerating the adoption of IPv6.
> 
I think the lack of IPv4 resources will soon serve as sufficient acceleration of IPv6 adoption.

Owen
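As an added illustration, not written by anyone in the thread, here are the two redirections Brian describes and the "only let in what went out" filter George describes, expressed as an nftables ruleset for IPv6. The port numbers are the thread's own; the assumption that the daemons are local Linux services listening on 2525/tcp and 443/tcp is mine.

```nft
# Added example (not from the thread): IPv6 port redirection plus a
# stateful inbound filter on a Linux host running nftables.
# Assumed: mail daemon bound to 2525/tcp, web daemon bound to 443/tcp.

table ip6 nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;

        # Brian's case 1: a privileged port rewritten to an unprivileged
        # one, so the daemon never has to bind 25/tcp as root.
        tcp dport 25 redirect to :2525

        # Brian's case 2: legacy ports folded onto the single port the
        # new daemon listens on.
        tcp dport { 4443, 8443 } redirect to :443
    }
}

table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # George's "firewall in transparent mode": a packet gets in only
        # when it belongs to a flow that went out, apart from explicit holes.
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # Neighbor Discovery and PMTUD ride on ICMPv6; blocking it breaks v6.
        meta l4proto icmpv6 accept

        # Explicit holes. The filter sees the *rewritten* destination ports,
        # because the nat prerouting hook runs before the input hook.
        tcp dport { 2525, 443 } accept
    }
}
```

On Linux the redirect is carried out through conntrack, so replies are reverse-translated per connection; which inbound packets are admitted at all is decided solely by the filter chain.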
