Arguing against using public IP space
Phil Regnauld
regnauld at nsrc.org
Sun Nov 13 22:46:31 UTC 2011
Doug Barton (dougb) writes:
> On 11/13/2011 13:27, Phil Regnauld wrote:
> > That's not exactly correct. NAT doesn't imply firewalling/filtering.
> > To illustrate this to customers, I've mounted attacks/scans on
> > hosts behind NAT devices, from the interconnect network immediately
> > outside: if you can point a route with the ext ip of the NAT device
> > as the next hop, it usually just forwards the packets...
>
> Have you written this up anywhere? It would be absolutely awesome to be
> able to point the "NAT IS A SECURITY FEATURE!!!" crowd to an actual
> demonstration of why it isn't.
Nope, but I could do a quick tut on how to do this against a natd/pf/
iptables or IOS with IP overload.
Arguably in *most* cases your CPE or whatever is NATing is behind
some upstream device doing ingress filtering, so you still need to
be compromising a device fairly close to the target network.
P.
More information about the NANOG
mailing list