Arguing against using public IP space

Mark Andrews marka at
Tue Nov 15 21:07:19 CST 2011

In message <CAP-guGXXM_Dci6QrzR2AQmFOnKh0AFs2XdVVY-H-MPDXcRrLBw at>
, William Herrin writes:
> On Tue, Nov 15, 2011 at 8:20 PM, Mark Andrews <marka at> wrote:
> > Given that most NATs only use a small set of address on the inside
> > it is actually feasible to probe through a NAT using LSR.
> > Most attacks don't do this as there are lots of lower hanging fruit
> Mark,
> My car can be slim-jimmed. Yet the lock is sufficiently operative in
> the security process that the two times the vehicle has been broken in
> to the vagrant put a rock through the window instead of jimmying the
> lock.
> That's what it MEANS when you say that there's lower hanging fruit to
> be found elsewhere. It means that the feature you're describing is
> operative in the process of obstructing an attacker.
> As an aside to the debate, I boldly suggest that any firewall vendor
> which actually implements LSR or any of the IP source route
> functionality anywhere in their code deserves to be tarred and
> feathered. The security implications of source routing have been long
> understood. Code which implements source routing has no business
> existing in a commercial firewall product where it could accidentally
> be called. Please, by all means, take this opportunity to out any such
> errors which you can document.


A NAT mangles packets.  A firewall provides protection.  You can
combine the two but expecting one to do the job of the other is
just wrong and doesn't work.

> Regards,
> Bill Herrin
> --=20
> William D. Herrin ................ herrin at bill at
> 3005 Crane Dr. ...................... Web: <>
> Falls Church, VA 22042-3004
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at

More information about the NANOG mailing list