IPv6 NAT
Tony Hain
alh-ietf at tndh.net
Sat Nov 1 01:23:36 UTC 2003
Scott McGrath wrote:
> Agreed NAT's do not create security although many customers believe they
> do. NAT's _are_ extremely useful in hiding network topologies from casual
> inspection.
This is another bogus argument, and clearly you have not done the math on
how long it takes to scan a /64 worth of subnet space. Start by assuming a
/16 per second (which is well beyond what I have found as current
technology) and see how long 2^48 seconds is.
>
> What I usually recommend to those who need NAT is a stateful firewall in
> front of the NAT. The rationale being the NAT hides the topology and the
> stateful firewall provides the security boundary.
Obscuring the topology provides absolutely no security either. You are not
alone, as it is frequently a recommended practice, but obscurity != security
no matter how much it is sold as such.
Tony
More information about the NANOG
mailing list