Failure modes: NAT vs SPI
Iljitsch van Beijnum
iljitsch at muada.com
Thu Feb 3 13:47:48 CST 2011
On 3 feb 2011, at 20:09, Jay Ashworth wrote:
> That's the expansion of "fails safe".
You conveniently overlook my earlier message about this.
But sure, let's assume that at some point, some packets from the outside manage to pass through to the inside in the IPv6 case. So how does anyone know where to send these packets in the first place? And if they do, what bad effects exactly do packets coming from the outside have? Ping of death has been fixed a loooong time ago.
And you assume that NATs block packets very well. They don't. First of all, there's UPnP IGD and NAT-PMP. Depending on the type of NAT, the bindings are quite loose and allow lots of additional packets that don't belong to the NATed sessions in. After all, NATs only break incoming sessions by accident. Firewalls do this on purpose, so they do a much better job.
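The point about loose NAT bindings versus a firewall's deliberate per-session state, as an added illustration that is not part of the thread (not van Beijnum's code): a small Python model of the three inbound filtering behaviours RFC 4787 defines, beside the strict 5-tuple match a stateful firewall applies. Addresses and ports are constructed, and address translation itself is left out because only the filtering decision matters here.

```python
from dataclasses import dataclass
from enum import Enum


class Filtering(Enum):
    # RFC 4787 filtering behaviours; the last one is also what an SPI firewall does
    ENDPOINT_INDEPENDENT = "endpoint-independent"          # any outside host may send in
    ADDRESS_DEPENDENT = "address-dependent"                # only hosts the inside host talked to
    ADDRESS_PORT_DEPENDENT = "address-and-port-dependent"  # only the exact outside socket


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFilter:
    """Filtering side of a NAT binding or a stateful-inspection firewall.
    Outbound traffic creates state; inbound packets are admitted only when
    they match that state under the configured filtering behaviour."""

    def __init__(self, behaviour: Filtering):
        self.behaviour = behaviour
        # (inside_ip, inside_port) -> set of (outside_ip, outside_port) contacted
        self.state: dict[tuple[str, int], set[tuple[str, int]]] = {}

    def outbound(self, pkt: Packet) -> None:
        self.state.setdefault((pkt.src_ip, pkt.src_port), set()).add((pkt.dst_ip, pkt.dst_port))

    def inbound_allowed(self, pkt: Packet) -> bool:
        peers = self.state.get((pkt.dst_ip, pkt.dst_port))
        if peers is None:
            return False  # no binding or session state at all
        if self.behaviour is Filtering.ENDPOINT_INDEPENDENT:
            return True   # the loose "full cone" case: anyone may use the binding
        if self.behaviour is Filtering.ADDRESS_DEPENDENT:
            return any(ip == pkt.src_ip for ip, _ in peers)
        return (pkt.src_ip, pkt.src_port) in peers  # strict 5-tuple match


def demo() -> dict[str, dict[str, bool]]:
    """Inside host 192.0.2.10:40000 queries 198.51.100.5:53 (constructed); probe each behaviour."""
    results = {}
    for behaviour in Filtering:
        f = StatefulFilter(behaviour)
        f.outbound(Packet("192.0.2.10", 40000, "198.51.100.5", 53))
        results[behaviour.value] = {
            "reply": f.inbound_allowed(Packet("198.51.100.5", 53, "192.0.2.10", 40000)),
            "same_host_other_port": f.inbound_allowed(Packet("198.51.100.5", 9999, "192.0.2.10", 40000)),
            "unrelated_host": f.inbound_allowed(Packet("203.0.113.7", 53, "192.0.2.10", 40000)),
            "no_state": f.inbound_allowed(Packet("198.51.100.5", 53, "192.0.2.10", 40001)),
        }
    return results
```

Only the address-and-port-dependent row rejects everything that is not the answering socket, which is the "on purpose" behaviour the message attributes to firewalls; the other two rows show the extra packets a looser binding lets through.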