Arguing against using public IP space

Doug Barton dougb at dougbarton.us
Sun Nov 13 21:48:32 UTC 2011


On 11/13/2011 13:27, Phil Regnauld wrote:
> 	That's not exactly correct. NAT doesn't imply firewalling/filtering.
> 	To illustrate this to customers, I've mounted attacks/scans on
> 	hosts behind NAT devices, from the interconnect network immediately
> 	outside: if you can point a route with the ext ip of the NAT device
> 	as the next hop, it usually just forwards the packets...

Have you written this up anywhere? It would be absolutely awesome to be
able to point the "NAT IS A SECURITY FEATURE!!!" crowd to an actual
demonstration of why it isn't.


Doug

-- 

		"We could put the whole Internet into a book."
		"Too practical."

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/





More information about the NANOG mailing list