kauer at biplane.com.au
Sun Aug 31 21:48:24 EST 2008
On Sun, 2008-08-31 at 10:59 +0200, Kim Holburn wrote:
> > A NAT [...] essentially provides a packet filter that says
> > "allow established, block everything else".
> Not true. A packet comes in saying source (internet IP:port 80)
> (target IP of NAT box: port 3300). The router has to know which
> private host to route that to. It must have some state information to
> do that.
I said "essentially". Meaning "not really, but effectively the same as".
An inbound packet that is not mapped in the NAT tables gets dropped. A
packet that is mapped in the NAT tables is forwarded to the appropriate
machine. How does a mapping happen? When the internal machine makes a
connection to the outside world. Hence "allow established". Yes, NAT
does maintain state (the mappings).
> There are also privacy considerations here. With a NAT router you are
> not advertising what's on your network to even your own ISP.
Nor does a packet filter. There is one difference: The source addresses
of your machines are known IFF they make connections to the outside
world. That makes it not one whit easier to attack them.
> A simple packet filter lets someone on the other side of the world
> know and target your (let's say) fridge with a public IP. There is no
> way public router will route a private address, so no way an external
> machine can target your fridge.
Does your fridge make connections to the outside world? If so, its
address can be known. But it is attackable only if the packet filter
allows new connections through to it, which it presumably won't ("allow
established, block all others").
> Yes but if a NAT router fails, it's still not going to let packets in
> from a public to a private address space. A home router with a
> stateless packet filter is orders of magnitude dumber.
When things fail, they fail. How can you assume that the failure mode of
your NAT will not deliver translated packets? Failure is failure. Quite
frankly, we are talking angels on the head of a pin here. Neither NAT
nor a packet filter is remotely likely to fail in the ways you are
I mentioned nothing about a stateless packet filter, though to do what
NAT does as a side effect that's all you'd need. If someone crafts a
response to a non-existent TCP session, the receiving host will drop it
> We're talking
> about a consumer device which needs a reasonably knowledgeable
> installer. There be dangerous shoals indeed!
Just as with NAT and port forwarding. No major difference there.
However, in 99% of cases the defaults will work fine, as they do now.
> In an ideal world all operating systems would protect themselves
> against viruses and network intrusions out of the box. A good
> multilevel security approach. Unfortunately in the real world the
> majority of them don't. They run windows for a start.
Neither NAT nor packet filters can protect against viruses. Packet
filters *can* ameliorate the effects of (say) zombification, by blocking
> Many, many machines are behind various kinds of firewalls. Firewalls
> that protect their internal networks in a myriad of ways. How is this
> different to a world of NATs? Just because you have an ideological
> preference for an open internet (which I have in many ways) doesn't
> mean that it's currently practical or that what we have now is like
Hang on - ideological? After several messages giving my clear technical
reasoning about why NAT does not provide meaningful security and is not
needed except for address multiplexing? And did I say anything about an
My point in all this has been simple: NAT does not offer any security
benefit that you can't have with a simpler, cheaper, faster packet
filter. NAT does one thing - multiplexes a single address to many. As
soon as you don't need that, you don't need NAT.
A world of NATs is very different to a world of firewalls. A firewall is
WAY more complicated than NAT. In stark contrast to NAT, a properly
configured firewall can provide genuine security benefits.
NAT as we know it, that is. NAT as a general technique has other
uses, like mapping internal IPv6 addresses to IPv4 addresses to allow a
pure IPv6 network to talk to the IPv4 Internet.
Karl Auer (kauer at biplane.com.au) +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/ +61-428-957160 (mob)
GPG fingerprint: DD23 0DF3 2260 3060 7FEC 5CA8 1AF6 D9E3 CFEE 6B28
Public key at : random.sks.keyserver.penguin.de
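The argument above is that a NAT box's translation table and a stateful packet filter's "allow established" rule admit exactly the same inbound traffic: replies to flows an inside host started, and nothing else. The following is an added illustration, not code from the thread or from any product; it models the two devices in a few dozen lines of Python and runs the same three inbound packets (a genuine reply, an unsolicited probe, and a crafted "response" to a session that never existed) through each. The addresses, ports and the starting public port 3300 are constructed for the example.

```python
"""Added example (not from the original thread): a minimal model of a
stateful packet filter and a port-overloading NAT, showing that both
admit inbound packets only when they match a flow an inside host started.
All addresses, ports and the packet sequence are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """'Allow established, block everything else', with no translation."""

    def __init__(self):
        self.flows = set()  # (src, sport, dst, dport) of outbound flows

    def outbound(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))
        return p  # forwarded unchanged: the real source address is visible

    def inbound(self, p):
        key = (p.dst, p.dport, p.src, p.sport)  # reversed 5-tuple
        return p if key in self.flows else None  # None means dropped


class NatBox:
    """Many-to-one NAT: the mapping table is the state the thread mentions."""

    def __init__(self, public_ip, first_port=3300):  # 3300 is assumed
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}    # public port -> (src, sport, dst, dport)
        self.by_flow = {}  # (src, sport, dst, dport) -> public port

    def outbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.by_flow:        # new flow: allocate a mapping
            self.by_flow[key] = self.next_port
            self.table[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.by_flow[key], p.dst, p.dport)

    def inbound(self, p):
        entry = self.table.get(p.dport)
        if entry is None or p.dst != self.public_ip:
            return None                    # no mapping: dropped
        src, sport, dst, dport = entry
        if (p.src, p.sport) != (dst, dport):
            return None                    # mapping exists, wrong peer
        return Packet(p.src, p.sport, src, sport)  # translated back


def run_scenario(device):
    """Send one outbound flow, then three inbound packets. Returns what
    the outside world saw as the source, and what each inbound packet
    became after the device (None = dropped)."""
    out = device.outbound(Packet("192.168.0.10", 40000, "203.0.113.5", 80))
    results = {"visible_src": out.src}
    # 1. the server's genuine reply to that flow
    results["reply"] = device.inbound(
        Packet("203.0.113.5", 80, out.src, out.sport))
    # 2. an unsolicited probe of port 22 on whatever address is visible
    results["probe"] = device.inbound(
        Packet("198.51.100.7", 55555, out.src, 22))
    # 3. a crafted "response" to a session that never existed
    results["forged"] = device.inbound(
        Packet("198.51.100.7", 80, out.src, 41000))
    return results


if __name__ == "__main__":
    for name, dev in (("filter", StatefulFilter()),
                      ("nat", NatBox("203.0.113.200"))):
        print(name, run_scenario(dev))
```

Both devices drop the probe and the forged reply and deliver the real reply to 192.168.0.10:40000; the only difference is that the filter leaves the inside host's address visible to the peers it talks to, while the NAT shows its own public address, which is the "known IFF they make connections" point in the message above.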