Security gain from NAT (was: Re: Cool IPv6 Stuff)

Robert Bonomi bonomi at
Mon Jun 4 19:45:27 UTC 2007

> From owner-nanog at  Mon Jun  4 13:54:55 2007
> Subject: Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)
> Date: Mon, 4 Jun 2007 14:47:06 -0400
> On 4-Jun-2007, at 14:32, Jim Shankland wrote:
> > Shall I do the experiment again where I set up a Linux box
> > at an RFC1918 address, behind a NAT device, publish the root
> > password of the Linux box and its RFC1918 address, and invite
> > all comers to prove me wrong by showing evidence that they've
> > successfully logged into the Linux box?
> Perhaps you should run a corresponding experiment whereby you set up  
> a linux box with a globally-unique address, put it behind a firewall  
> which blocks all incoming traffic to that box, and issue a similar  
> invitation.
> Do you think the results will be different?

Consider the possible *FAILURE* modes.
  e.g. (1) where somebody brings up _another_ path between the LAN that that 
           box is onn, and the public internet, with no translations or other
           protections whatsoever.	 
       (2) where the 'protection box' "fails open" -- e.g. passes all traffic
           without modification.

NAT/PAT is 'belt and suspenders', but it *does* provide an additional layer of
protection, _if_the_primary_protection_fails_.

That 'additional protection' may or may not be 'significant', depending on
one's viewpoint.

More information about the NANOG mailing list