Security gain from NAT (was: Re: Cool IPv6 Stuff)

David Schwartz davids at
Tue Jun 5 07:28:14 UTC 2007

Combined responses to save bandwidth and hassle (and number of times you
have to press 'd'):


> Just because it's behind NAT, does not mean it's unreachable from the

Okay, so exactly how many times do you think we have to say in this thread
that by "NAT/PAT", we mean NAT/PAT as typically implemented in the very
cheapest routers in their default configuration?


> I can do the same without NAT/PAT.  Period.  The benefits are from
> "disallow new inbound by default", *not* address muxing.

That you can do something without NAT/PAT tells you nothing about what
NAT/PAT does. Why state an uncontested unrelated point nobody disagrees with
when there is an actual live disagreement about what security NAT/PAT does
or doesn't provide? (Hint: NAT/PAT, as discussed here, includes "disallow
new inbound by default").


> Can you give us technical details about how you're doing NAT/PAT without any
> form of stateful packet inspection?  I'm sure we'd all be most interested.

> If it turns out that you are, in fact, using stateful inspection, then
> you've got that lock and deadbolt installed, but haven't noticed it behind
> the screen door.

Ahh, right. You can't use a car to get to work, you need a frame, an engine,
an electrical system, and a starter. So that means cars aren't means of

> Which means that -- tada! -- NAT/PAT isn't giving you anything that the
> stateful inspection firewall isn't.

That's wonderful, but that's not even remotely responsive to what I'm
saying. I'm responding to Owen's claim that NAT/PAT doesn't provide any
security, not that it doesn't provide you any security that a stateful
inspection firewall doesn't or can't.

> > Are there things most stateful inspection firewalls can do that NAT/PAT does
> > not do? Definitely. Are those things valuable and in some cases vital?
> > Definitely. So why lie and distort what NAT/PAT actually does do? A large
> > class of security vulnerabilities require the attacker to reach out to the
> > machine first, and NAT/PAT stops those attacks completely.

> As does stateful inspection.

Wonderful, but when there's an actual live disagreement, injecting an
unrelated point that nobody disagrees with isn't helpful. The issue is
whether or not NAT/PAT provides any security. If stateful inspection is a
necessary part of NAT/PAT, and stateful inspection provides some security,
then NAT/PAT provides some security. This is so for the same reason a car
provides all the benefits of an engine, a fuel tank, a seat belt, and so on.

You cannot establish that a car provides no transportation features by
showing that it provides no transportation features not provided by an
engine, a gas tank, a transmission, and so on. Things are the sum of their


> In order to make (dynamic) NAT work you need to implement SI - that's what
> protects you. What does NAT get you above and beyond the SI you have
> already implemented?

What does a car get you above and beyond the engine, transmission, starter,
and so on? It gets you all those things in one convenient package that you
just buy, start, and drive. NAT provides all the advantages its component
parts provide. Really.


> Not true.  In order to be behind PAT, they are behind stateful
> You cannot have PAT without stateful inspection.  It simply cannot work.
> However, you _CAN_ have stateful inspection without PAT and it provides
> every bit as much security as it does with PAT.

1) You cannot have PAT without stateful inspection, that is, stateful
inspection is a part of the PAT implementations we are talking about here.

2) Stateful inspection provides security benefits.

Therefore, PAT provides security benefits.

> Given the data from my previous message and the fact that you are
> calling NAT what is really NAT/PAT+SI, do you now realize that the SI
> of NAT/PAT+SI is what provides the security, or, do you still have the
> mistaken impression that NAT/PAT somehow contributes to security?

This is absolute complete nonsense. Are you next going to claim that what I
call a car is actually car/engine and that since it's the engine that
provides the motion, cars don't provide motion?


> No one is saying they won't. What people are arguing is that NAT doesn't
> get you anything more than a stateful inspection firewall while at the
> same time breaking a whole lot of other things and introducing unnecessary
> complexity.

Yes, people are saying they won't. For example, Owen said:

"I posit that a screen door does not provide any security. A lock and
deadbolt provide some security.  NAT/PAT is a screen door.
Not having public addresses is a screen door.  A stateful inspection
firewall is a lock and deadbolt."

What part of this analogy is comparable with NAT always including all the
benefits of SI? You think Owen was really trying to say that NAT/PAT is a
screen door that always includes a lock and deadbolt that somehow makes the
screen door keep intruders out?!

Owen was, if not saying, definitely implying that a NAT/PAT implementation
provided the security of a screen door and that SI provided a lock and
deadbolt, that is, that a NAT/PAT implementation would not be as secure as
an SI firewall. This is wholly incompatible with his new claim that NAT/PAT
always includes SI and therefore an actual NAT/PAT device must always
provide the security of SI.
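As an added illustration (not from the thread or any of its participants), a toy Python model of the point under dispute: a gateway that tracks outbound flows and admits only replies to them, with PAT address rewriting switchable on or off. The addresses are constructed documentation-range values; the allow/drop decisions come out identical whether or not translation happens, which is what "disallow new inbound by default" means in practice.

```python
# Toy model of NAT/PAT plus stateful inspection (added example, not from the
# thread). Outbound packets create flow state; inbound packets are admitted
# only when they answer a tracked flow. With translate=False the same object
# behaves as a plain stateful-inspection filter with no address rewriting.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str            # "ip:port"
    dst: str            # "ip:port"
    proto: str = "tcp"


@dataclass
class StatefulGateway:
    public_ip: str = "203.0.113.1"   # constructed documentation-range address
    translate: bool = True           # True: PAT; False: stateful filter only
    next_port: int = 40000
    # (inside src, outside dst) of an outbound flow -> address seen by outside
    table: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: always allowed; records state, rewrites src if PAT."""
        key = (pkt.src, pkt.dst)
        if key not in self.table:
            if self.translate:
                self.table[key] = f"{self.public_ip}:{self.next_port}"
                self.next_port += 1
            else:
                self.table[key] = pkt.src   # SI only: keep the address, keep state
        return Packet(self.table[key], pkt.dst, pkt.proto)

    def inbound(self, pkt: Packet):
        """Outside -> inside: admitted only if it is a reply to a tracked flow."""
        for (inside, outside), external in self.table.items():
            if pkt.src == outside and pkt.dst == external:
                return Packet(pkt.src, inside, pkt.proto)   # matched: deliver
        return None   # unsolicited: "disallow new inbound by default"


def demo(translate: bool) -> tuple:
    """Returns (address the outside sees, delivered reply dst, unsolicited verdict)."""
    gw = StatefulGateway(translate=translate)
    out = gw.outbound(Packet("192.168.1.10:51000", "198.51.100.5:80"))
    reply = gw.inbound(Packet("198.51.100.5:80", out.src))        # answers the flow
    unsolicited = gw.inbound(Packet("198.51.100.9:4444", out.src))  # no matching flow
    return out.src, reply.dst if reply else None, unsolicited


if __name__ == "__main__":
    print("PAT + SI :", demo(True))
    print("SI only  :", demo(False))
```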


More information about the NANOG mailing list