Security gain from NAT

James R. Cutler james.cutler at
Tue Jun 5 12:43:17 UTC 2007

Maybe one should consider the customer viewpoint and not just 
semantic twiddle. When I install one of those little and inexpensive 
boxes it is for several reasons, not just security. However, the "I 
hear you knocking, but you can't come in." is invaluable to keep out 
probes of popular Microsoft points (ports) of vulnerability. In a 
very practical sense this is added security for the end system.  Yes, 
it is from the Stateful Inspection and not, per se, from address or 
port translation.  That really does not matter because it comes as a 
package in those cute little boxes.

Regarding efficacy of NAT: Have you considered what the typical ISP 
policy on address assignment and routing will be? Will Comcast 
announce routes to all my end system addresses to the world? Will 
Comcast even allow for more than one address per connection? 
Substitute your vendor of choice here.  Be it BT or whatever, until 
you assure me that my ISP will not interfere with my local SOHO or 
home network or increase my rate per system added, I will encourage 
multiplexing of addresses, regardless of IPv4, IPv6, landline 
telephone number, PO Box, or whatever.

Listen to Ahnberg and Dillon. What they say makes much sense and 
avoids the semantic quibbling that has consumed too much of NANOG 
mailing list bandwidth.  We already know that "All dragons are 
scotsmen, but not all scotsmen are dragons."

James R. Cutler
james.cutler at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the NANOG mailing list