NIST IPv6 document
jeff-kell at utc.edu
Mon Jan 10 18:22:46 CST 2011
On 1/10/2011 6:55 PM, Owen DeLong wrote:
> Nonetheless, NAT remains an opaque screen door at best.
> If the bad guy is behind the door, it helps hide him.
> If the bad guy is outside the door, the time it takes for his knife to cut through it is so small as to be meaningless.
For a "server" expected to be open to anyone, anywhere, anytime... yes.
NAT overload (many to 1), and 1-to-1 NAT with some timeout value both
serve to disconnect the potential targets from the network, absent any
static NAT or port mapping (for "servers").
RFC-1918 behind NAT ensures this (notwithstanding pivot attacks).
It is a decreasing risk, given the typical user-initiated compromise of
today (click here to infect your computer), but a non-zero one.
The whole IPv6 / no-NAT philosophy of "always connected and always
directly addressable" eliminates this layer.