Security gain from NAT (was: Re: Cool IPv6 Stuff)

Donald Stahl don at
Mon Jun 4 21:45:42 UTC 2007

> Sorry, Owen, but your argument is ridiculous. The original statement was
> "[t]here's no security gain from not having real IPs on machines". If
> someone said, "there's no security gain from locking your doors", would you
> refute it by arguing that there's no security gain from locking your doors
> that you don't get from posting armed guards round the clock?
You're argument is equally ridiculous because in order to work the NAT box 
has to do stateful inspection anyway!

A better statement would be:
"there's no security gain from locking your doors" (NAT), if you have 
already posted "armed guards round the clock" (Stateful Inspection)

NAT provides protection in the case where you have a stateful inspection 
firewall that fails open- something that no serious firewall I have ever 
seen does. If they aren't doing stateful inspection- then they aren't 
routing at all (or certainly shouldn't be).


More information about the NANOG mailing list