IPv6 NAT

Patrick W. Gilmore patrick at ianai.net
Fri Oct 31 16:43:40 UTC 2003


-- On Friday, October 31, 2003 08:03 -0800
-- Owen DeLong <owen at delong.com> supposedly wrote:

> There is NO security benefit to NAT/PAT/NAPT.

Disagree.

None of the scanning / infecting viruses could get past a $50 NAT/PAT 
device which Joe User brings home and turns on without configuring.

Do not talk about "if they statically NAT...".  Punching holes in stateful 
firewalls will cause just as much damage.

> There is a security benefit
> to stateful inspection.

Agreed.  And I doubt anyone on this list would say differently.

> NAT is harmful to many protocols.  Stateful
> inspection is not.

Possibly.  But Joe User will never use those "many protocols".  Plus the 
overwhelming majority of protocols are not harmed by NAT.

I would bet a statistically insignificant number of packets on the Internet 
(many places to the right of the decimal) are part of those protocols.

This does not mean we should NAT everything, since I use some of those 
protocols.  But if every Joe User had a D-Link NAT box in front of his 
Winbloze box, the Internet would be a safer place.  And you know it.

-- 
TTFN,
patrick



More information about the NANOG mailing list