Security gain from NAT (was: Re: Cool IPv6 Stuff)

Colm MacCarthaigh colm at
Mon Jun 4 19:12:45 UTC 2007

On Mon, Jun 04, 2007 at 11:47:15AM -0700, Owen DeLong wrote:
> >*No* security gain?  No protection against port scans from Bucharest?
> >No protection for a machine that is used in practice only on the
> >local, office LAN?  Or to access a single, corporate Web site?
> >
> Correct.  There's nothing you get from NAT in that respect that you do
> not get from good stateful inspection firewalls.  NONE whatsoever.

Argueably the instant hit of IP source anononymity you get with NAT is a
security benefit (from the point of view of the user). Of course these
days there all sorts of fragment and timing analyses that will allow you
to determine origin commonality behind NAT, but it's nowhere near as
convenient as a public IP address.

A non-NAT stateful firewall can't simulate that, you need high-rotation
dhcp or similar to get close. Although IPv6 privacy addresses rock :-)

The argument can go either way, you can spin it as a benefit for the
network operator ("wow, user activity and problems are now more readily
identifiable and trackable") or you can see it as an organisational
privacy issue ("crap, now macrumors can tell that the CEO follows them

NAT is still evil though, the problems it causes operationally are
just plain not worth it.

Colm MacCárthaigh                        Public Key: colm+pgp at

More information about the NANOG mailing list