Failure modes: NAT vs SPI

Iljitsch van Beijnum iljitsch at muada.com
Thu Feb 3 19:47:48 UTC 2011


On 3 feb 2011, at 20:09, Jay Ashworth wrote:

> That's the expansion of "fails safe".

You conveniently overlook my earlier message about this.

But sure, let's assume that at some point, some packets from the outside manage to pass through to the inside in the IPv6 case. So how does anyone know where to send these packets in the first place? And if they do, what bad effects exactly do packets coming from the outside have? Ping of death has been fixed a loooong time ago.

And you assume that NATs block packets very well. They don't. First of all, there's UPnP IGD and NAT-PMP. Depending on the type of NAT, the bindings are quite loose and allow lots of additional packets that don't belong to the NATed sessions in. After all, NATs only break incoming sessions by accident. Firewalls do this on purpose, so they do a much better job.

If you really want to be safe, you should completely disconnect your network. Or at the very least not run any code, such as JavaScript and Java, that comes in over the network. This is one of the biggest sources of real-world infections. Incoming packets haven't been since about the Slammer worm era.
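The "loose bindings" point above, as an added model that is not part of the original post: a NAT with endpoint-independent mapping and filtering (RFC 4787 terminology, the "full cone" NAT of NAT-traversal lore) next to a firewall that keys state on the whole flow tuple. Addresses and ports are constructed sample values and the protocol is implicitly UDP.

```python
# Added model for the thread above (not code from the original post): a NAT
# with endpoint-independent mapping and filtering versus a firewall that
# tracks the full flow tuple. Packets are (src_ip, src_port, dst_ip, dst_port)
# tuples; all addresses and ports are constructed sample values.

class EndpointIndependentNAT:
    """Binding keyed on the inside (ip, port) only: once an outbound packet
    creates it, any outside host can send to the mapped public port."""
    def __init__(self, public_ip):
        self.public_ip, self.next_port = public_ip, 40000
        self.to_public, self.to_inside = {}, {}

    def outbound(self, pkt):
        src_ip, src_port, dst_ip, dst_port = pkt
        if (src_ip, src_port) not in self.to_public:
            self.to_public[(src_ip, src_port)] = self.next_port
            self.to_inside[self.next_port] = (src_ip, src_port)
            self.next_port += 1
        return (self.public_ip, self.to_public[(src_ip, src_port)], dst_ip, dst_port)

    def inbound(self, pkt):
        src_ip, src_port, _, dst_port = pkt
        inside = self.to_inside.get(dst_port)       # no check on who is sending
        return None if inside is None else (src_ip, src_port) + inside


class StatefulFirewall:
    """State keyed on the whole flow tuple: only the peer the inside host
    actually talked to may send packets back in."""
    def __init__(self):
        self.flows = set()

    def outbound(self, pkt):
        self.flows.add(pkt)
        return pkt

    def inbound(self, pkt):
        src_ip, src_port, dst_ip, dst_port = pkt
        return pkt if (dst_ip, dst_port, src_ip, src_port) in self.flows else None


def admits_unsolicited(device):
    """Open a binding to one peer, then deliver a packet to the same public
    port from an unrelated host. Returns True if it reaches the inside."""
    outgoing = device.outbound(("192.0.2.10", 5000, "198.51.100.1", 53))
    pub_ip, pub_port = outgoing[0], outgoing[1]
    assert device.inbound(("198.51.100.1", 53, pub_ip, pub_port)) is not None
    return device.inbound(("203.0.113.99", 4444, pub_ip, pub_port)) is not None

if __name__ == "__main__":
    print("NAT admits unsolicited:", admits_unsolicited(EndpointIndependentNAT("192.0.2.1")))
    print("SPI admits unsolicited:", admits_unsolicited(StatefulFirewall()))
```

Both devices pass the genuine reply; only the NAT also passes the packet from the unrelated host, which is the session-tracking difference the post describes.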
