[LINK] www.ipv6.org.au/summit

Adrian Chadd adrian at creative.net.au
Sun Aug 31 12:37:00 AEST 2008


On Sun, Aug 31, 2008, Karl Auer wrote:

> NAT can also help protect internal services that are not port-forwarded
> from the outside world - shares on home computers for example, or
> services accidentally left open. Again, it simply blocks connection
> attempts.
> 
> BUT, and this is the key point, it isn't NAT that provides this help.
> It's that "unintended consequence". Both these advantages can be had,
> just as easily and with far less performance loss, through simple packet
> filtering. "Allow established back, block everything else". NAT is not
> needed.

Stateless packet filtering won't work in every instance. Sorry, the 90's
called, they want their sensible protocol designers back.

The internet didn't begin with a model of "clients connect to servers only";
current popular protocols (P2P, for example, and some gaming stuff) want
direct client -> client connectivity. Suddenly your edge device needs to
have a way to punch holes in it (UPnP, for example, or even SOCKS! eww.)
to allow incoming requests, and -that- suddenly stops being stateless.

As I've ranted before, you'll want stateful packet filtering and all
the crazy behaviour that'll entail. That's at least half of the evilness
inherent in "correct" NAT right there. Don't think for a moment that
the low-end CPE vendors will code up this stuff in a sensible fashion;
they'll simply do the same hacks they've done with their current
NAT protocol awareness to make things "work".

Adrian
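The policy the two posters are arguing about ("allow established back, block everything else", plus the dynamic pinhole that a UPnP-style hole punch adds for inbound peer-to-peer traffic) can be shown without any address translation at all. The toy connection-tracking filter below is an added example written for this page, not code from either poster or from any CPE vendor; the IPv6 addresses and ports are constructed sample values from the RFC 3849 documentation prefix, and the class and function names are assumptions. It models a stateful filter in front of a host with a globally routable address: outbound packets create state, replies matching that state are admitted, unsolicited inbound packets are dropped, and an explicitly opened pinhole lets a peer initiate a connection.

```python
"""Toy stateful packet filter (added example, not from the original thread).

No NAT: the LAN host keeps its globally routable IPv6 address. Protection
comes purely from connection tracking, which is the point Karl Auer makes,
and the pinhole shows the extra state Adrian says hole punching requires.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = LAN -> internet, "in" = internet -> LAN


class StatefulFilter:
    """'Allow established back, block everything else' with optional pinholes."""

    def __init__(self):
        # Flow state: (lan_addr, lan_port, remote_addr, remote_port)
        self.flows = set()
        # Inbound ports explicitly opened (what a UPnP request would add)
        self.pinholes = set()

    def open_pinhole(self, lan_addr, lan_port):
        """Record an inbound allow for one LAN socket; this is dynamic state."""
        self.pinholes.add((lan_addr, lan_port))

    def handle(self, pkt):
        """Return 'accept' or 'drop' for one packet and update tracking state."""
        if pkt.direction == "out":
            # Outbound traffic creates the state that its reply must match.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        # Inbound: normalise the tuple so it lines up with outbound state.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows:
            return "accept"  # established: reply to a flow the LAN host opened
        if (pkt.dst, pkt.dport) in self.pinholes:
            # Peer-initiated connection to an opened port: track it so the
            # rest of the exchange is matched as established.
            self.flows.add(key)
            return "accept"
        return "drop"  # unsolicited inbound, e.g. a share left listening


def demo():
    """Run a constructed packet sequence and return each verdict by label."""
    fw = StatefulFilter()
    lan = "2001:db8:1::10"  # constructed LAN host (documentation prefix)
    web = "2001:db8:2::80"  # constructed remote web server
    peer = "2001:db8:3::7"  # constructed P2P peer
    results = {}
    results["outbound"] = fw.handle(Packet(lan, 50000, web, 443, "out"))
    results["reply"] = fw.handle(Packet(web, 443, lan, 50000, "in"))
    # An unsolicited connection to a file share on the LAN host is dropped.
    results["unsolicited_smb"] = fw.handle(Packet(peer, 40000, lan, 445, "in"))
    # A peer trying to reach a P2P port is dropped until a pinhole exists.
    results["p2p_before_pinhole"] = fw.handle(Packet(peer, 6881, lan, 6881, "in"))
    fw.open_pinhole(lan, 6881)
    results["p2p_after_pinhole"] = fw.handle(Packet(peer, 6881, lan, 6881, "in"))
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:>20}: {verdict}")
```

The real-world equivalent of `handle` is a single `ct state established,related accept` rule in nftables (or `keep state` in pf) followed by a default drop for inbound traffic; the `open_pinhole` call stands in for whatever the CPE does when a UPnP request arrives, and it is exactly that per-flow bookkeeping, not the address rewriting, that a filter has in common with NAT.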