NIST IPv6 document

Jeff Kell jeff-kell at utc.edu
Tue Jan 11 00:22:46 UTC 2011


On 1/10/2011 6:55 PM, Owen DeLong wrote:
> Nonetheless, NAT remains an opaque screen door at best.
>
> If the bad guy is behind the door, it helps hide him.
>
> If the bad guy is outside the door, the time it takes for his knife to cut through it is so small as to be meaningless.

For a "server" expected to be open to anyone, anywhere, anytime... yes.
Otherwise no.

NAT overload (many to 1), and 1-to-1 NAT with some timeout value both
serve to disconnect the potential targets from the network, absent any
static NAT or port mapping (for "servers").

RFC-1918 behind NAT ensures this (notwithstanding pivot attacks).

It is a decreasing risk, given the typical user initiated compromise of
today (click here to infect your computer), but a non-zero one.

The whole IPv6 / no-NAT philosophy of "always connected and always
directly addressable" eliminates this layer.

Jeff
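As an added illustration (not part of Jeff's post or the thread), the property he describes, internal hosts unreachable from outside unless a static mapping exists, written out as an explicit stateful IPv6 forward policy on a border router using nftables; the prefix and host address are documentation-range placeholders, and the ruleset is an assumption about one reasonable layout, not a recommended standard:

```nft
# Border router, IPv6 only: no NAT, so the "unsolicited inbound is dropped"
# behaviour has to be stated as a filter policy rather than falling out of
# address translation state.
table ip6 border {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows the LAN opened: the analogue of a NAT
        # binding that exists only while an inside host is talking out.
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 errors must pass or PMTUD breaks for the inside hosts.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Outbound from the site prefix (2001:db8:1::/48 is a placeholder).
        iifname "lan0" ip6 saddr 2001:db8:1::/48 accept

        # The analogue of a static NAT / port mapping: one host, one service,
        # named explicitly. Everything else inside stays unreachable.
        iifname "wan0" ip6 daddr 2001:db8:1::10 tcp dport 443 accept
    }
}
```

Load with `nft -f` and inspect hits with `nft list ruleset`; the drop policy on the forward chain, not the absence of global addresses, is what keeps the other inside hosts off the network from the outside.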