Can NAT provide some kind of protection?

Brian Keefer chort at smtps.net
Sat Jan 15 15:16:14 CST 2011


On Jan 12, 2011, at 9:21 AM, George Bonser wrote:

>> 
>> I'd eat a hat if a vendor didn't implement a PAT equivalent. It's
>> demanded too much. There is money for it, so it will be there.
>> 
>> 
>> Jack
> 
> Yeah, I think you are right.  But in really thinking about it, I wonder
> why.  The whole point of PAT was address conservation.  You don't need
> that with v6.  All you need to do with v6 is basically have what amounts
> to a firewall in transparent mode in the line and doesn't let a packet
> in (except where explicitly configured to) unless it is associated with a
> packet that went out.
> 
> PAT makes little sense to me for v6, but I suspect you are correct.  In
> addition, we are putting the "fire suit" on each host in addition to the
> firewall. Kernel firewall rules on each host for the *nix boxen.  

Actually there are a couple very compelling reasons why PAT will probably be implemented for IPv6:
1.)  Allows you to redirect a privileged port (on UNIX) to a non-privileged port.  For daemons that don't implement some form of privilege revoking after binding to a low port (and/or aren't allowed to run as root), this is very useful.  It's much easier to have a firewall redirect than to implement robust privilege revoking.  Example: PAT 25/tcp -> 2525/tcp.

2.)  Allows you to redirect multiple ports to a single one, to support legacy implementations.  Suppose your application used to require separate ports for different types of requests, but now is able to multiplex them.  The new daemon only listens on one port, but other applications may not have updated their configuration.  Example:  PAT 4443/tcp -> 443/tcp & PAT 8443/tcp -> 443/tcp.

Basically the idea is that implementing PAT for IPv6 allows smoother transition for apps that made use of it in IPv4, thus accelerating the adoption of IPv6.

--
bk
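The two PAT cases Brian lists (25/tcp -> 2525/tcp, and 4443/tcp plus 8443/tcp -> 443/tcp), written out as an added nftables example for IPv6. This is not configuration from the original post or from any vendor; the table name `pat_example`, the listener ports, and the stateful `input` chain (which is the "only let in what belongs to a flow that went out" behaviour George describes) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): IPv6 PAT with nftables.
# The table/chain names and the internal ports 2525 and 443 are constructed
# for illustration; "redirect" rewrites only the destination port and keeps
# the destination address, which is the to-self PAT the post describes.

gen_pat_ruleset() {
    cat <<'EOF'
flush ruleset
table ip6 pat_example {
    # Destination NAT runs before the filter, so the filter below sees the
    # rewritten port. This chain only covers traffic arriving from the network;
    # connections originated on the box itself would need an "output" nat chain.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Case 1: the daemon binds an unprivileged port, clients still use 25.
        tcp dport 25 redirect to :2525
        # Case 2: legacy clients use 4443/8443, the new daemon multiplexes on 443.
        tcp dport { 4443, 8443 } redirect to :443
    }
    # PAT on its own filters nothing. The protection comes from this chain:
    # drop by default, admit replies to flows this host started, plus the
    # services explicitly exposed (already rewritten to their internal ports).
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif lo accept
        tcp dport { 2525, 443 } accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept
    }
}
EOF
}

# Sanity check for the generated map: print the internal port that the
# external port $1 is redirected to, or nothing if it is not redirected.
pat_redirect_target() {
    gen_pat_ruleset | awk -v p="$1" '
        /redirect to/ {
            # ports appear before "redirect", either alone or as a { a, b } set
            line = $0; sub(/redirect.*/, "", line); gsub(/[{},]/, " ", line)
            n = split(line, f, " ")
            for (i = 1; i <= n; i++)
                if (f[i] == p) { t = $0; sub(/.*redirect to :/, "", t); print t; exit }
        }'
}

# Load the ruleset into the kernel (needs root and nftables).
apply_pat_ruleset() {
    gen_pat_ruleset | nft -f -
}

case "${1:-}" in
    --apply) apply_pat_ruleset ;;
    --show)  gen_pat_ruleset ;;
esac
```

`./pat.sh --show` prints the ruleset for review and `./pat.sh --apply` loads it; `pat_redirect_target 4443` answers `443`, which is a quick way to confirm the map before applying it. The point of keeping the `input` chain next to the `prerouting` chain is the one the thread turns on: the redirect is the PAT, but the stateful filter is what does the protecting.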