Netflix banning HE tunnels

Owen DeLong owen at delong.com
Sun Jun 12 23:47:18 UTC 2016


> On Jun 9, 2016, at 19:57 , Ricky Beam <jfbeam at gmail.com> wrote:
> 
> On Thu, 09 Jun 2016 21:41:05 -0400, Baldur Norddahl <baldur.norddahl at gmail.com> wrote:
> 
>> Then he reads on NANOG that since he has IPv6
>> he can just connect to the camera with that.
> ...
> 
> Only to find the built-in stateful firewall blocks unsolicited inbound connections. Now he has to figure out how to manipulate ACLs. Or (more likely) he turns that "pesky firewall" off. (followed by the eventual hacking of every device he owns.)
> 
> NAT may not be security, yet it's the only thing securing billions of people.

Nope… NAT can’t be done without stateful inspection. You can stop mangling the packet headers and leave the stateful inspection in place and still have the same exact protection.

I realize most people have a hard time separating NAT from stateful inspection because most people got them both in the same package at the same time. Further, most boxes implement NAT and stateful inspection in the same chunk of code, making it look even more like a single transaction.

However, conceptually they are two different things. Stateful inspection is what actually protects you.

NAT is simply the part where you mutilate the packet header in unnatural ways.

Owen
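
The distinction drawn in the message above, as a toy model added here for illustration (it is not part of the original post or any vendor's code): one state table makes the accept/drop decision, and NAT is an optional header rewrite on top of it. `Gateway`, `verdicts` and all addresses are hypothetical, constructed from documentation ranges.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Gateway:
    """Toy edge device: stateful inspection is always on, NAT is optional."""
    nat: bool
    public_ip: str = "203.0.113.1"             # constructed address
    state: dict = field(default_factory=dict)  # outside 4-tuple -> inside (ip, port)
    next_port: int = 40000

    def outbound(self, p: Packet) -> Packet:
        # An inside host opens a flow. NAT only changes what the header says.
        src, sport = p.src, p.sport
        if self.nat:
            src, sport = self.public_ip, self.next_port
            self.next_port += 1
        # Stateful inspection: remember the flow as the outside world sees it.
        self.state[(p.dst, p.dport, src, sport)] = (p.src, p.sport)
        return Packet(src, sport, p.dst, p.dport)

    def inbound(self, p: Packet):
        # Only packets matching a recorded flow get in; None means dropped.
        inside = self.state.get((p.src, p.sport, p.dst, p.dport))
        return None if inside is None else Packet(p.src, p.sport, *inside)

def verdicts(nat: bool, inside: str, server: str, stranger: str):
    """Return (reply_delivered, unsolicited_dropped, header_rewritten)."""
    gw = Gateway(nat=nat)
    out = gw.outbound(Packet(inside, 51000, server, 443))
    reply = gw.inbound(Packet(server, 443, out.src, out.sport))
    # A stranger probes both a service port and the port of the live flow.
    probes = [gw.inbound(Packet(stranger, 6666, out.src, port))
              for port in (80, out.sport)]
    return (reply is not None and reply.dst == inside,
            all(p is None for p in probes),
            out.src != inside)

if __name__ == "__main__":
    print("NAT + state :", verdicts(True, "192.168.1.10", "198.51.100.7", "192.0.2.66"))
    print("state only  :", verdicts(False, "2001:db8:1::10", "2001:db8:2::7", "2001:db8:3::66"))
```

The first two fields of the result are identical in both runs; only the third, whether the header was rewritten, differs.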




