Arguing against using public IP space

• Previous message (by thread): Arguing against using public IP space
• Next message (by thread): Arguing against using public IP space
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

When you all say NAT, are you implying PAT as well?  1 to 1 NAT really
provides no security.  But with PAT, different story.  Are there poor
implementations of PAT that don't enforce an exact port/address match for
the translation table?  If the translation table isn't at fault, are the
'helpers' that allow ftp to work passively to blame? 

Chuck

-----Original Message-----
From: Doug Barton [mailto:dougb at dougbarton.us] 
Sent: Sunday, November 13, 2011 4:49 PM
To: Phil Regnauld
Cc: nanog at nanog.org
Subject: Re: Arguing against using public IP space

On 11/13/2011 13:27, Phil Regnauld wrote:
> 	That's not exactly correct. NAT doesn't imply firewalling/filtering.
> 	To illustrate this to customers, I've mounted attacks/scans on
> 	hosts behind NAT devices, from the interconnect network immediately
> 	outside: if you can point a route with the ext ip of the NAT device
> 	as the next hop, it usually just forwards the packets...

Have you written this up anywhere? It would be absolutely awesome to be able
to point the "NAT IS A SECURITY FEATURE!!!" crowd to an actual demonstration
of why it isn't.


Doug

-- 

		"We could put the whole Internet into a book."
		"Too practical."

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/

• Previous message (by thread): Arguing against using public IP space
• Next message (by thread): Arguing against using public IP space
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]