Arguing against using public IP space

Dave Hart davehart at gmail.com
Wed Nov 16 23:56:07 CST 2011


On Wed, Nov 16, 2011 at 20:38, Ray Soucy <rps at maine.edu> wrote:
> I would go as far as to argue that the false sense of security
> provided by NAT is more dangerous than any current threat that NAT
> alone would prevent.

Agreed, and I don't think that's going far at all.  My opinion is
_both_ stateful firewalls and NATs have been responsible for providing
cover for those who fail to secure their endpoints.  Yes, dropping a
choke point in front of X hosts is X times easier than securing the X
hosts.  No, it didn't secure X hosts.

"Outside is dangerous, inside is trusted" is the root of much current
evil.  Breaking end-to-end and encouraging everything that needs it to
jump through ugly hoops such as UDP NAT traversal or carrying all
sorts of non-HTTP over 80 and 443 has made it harder to secure
networks, not easier.

Cheers,
Dave Hart



More information about the NANOG mailing list