[LINK] www.ipv6.org.au/summit

Karl Auer kauer at biplane.com.au
Sun Aug 31 15:30:38 AEST 2008


On Sun, 2008-08-31 at 13:40 +1000, Jon Seymour wrote:
> In most homes, the packet filter that protects the machines in that
> network from unsolicited inbound traffic *is* the packet filter
> implemented by the NAT device and so this is why it is undeniable that
> NAT provides a net security benefit, as compared to, say, unfiltered
> dialup connections.

As I wrote in my earlier message:
"None of this means that those NAT devices in every home are useless
from a security point of view. The "unintended consequence" that they
provide is valuable. But it isn't NAT that you need - it's the packet
filtering side effect, and you can have that *without* NAT."

In other words, I agree with you that those devices have a security
benefit. But it's not the NAT that we need, at least not from a security
point of view.

By way of analogy, I keep lots of stuff on top of my front-loading
washing machine - detergents, pegs and so on. However, the reason I have
the washing machine is to wash things. The storage space on top of it is
a coincidental side effect. A shelf could do the job better and would be
simpler and cheaper. As long as the machine is there, it makes sense to
store stuff on it; it does provide some small storage benefit. NAT
provides a security benefit in the same way that a front-loading washing
machine provides a storage benefit.

Perhaps my point would be better stated as "NAT provides no security
benefit that cannot be obtained from a simple packet filter".

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/                  +61-428-957160 (mob)

GPG fingerprint: DD23 0DF3 2260 3060 7FEC 5CA8 1AF6 D9E3 CFEE 6B28
Public key at  : random.sks.keyserver.penguin.de
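
The point made in the message above, as an added example that is not part of the original post: a small Python model in which a stateful packet filter without translation and a port-translating NAT both deliver replies and both drop unsolicited inbound packets, while only the filter leaves the host's address intact. The class names, the scenario() helper and all addresses are constructed for illustration, and the NAT is assumed to accept inbound packets only from the remote endpoint a mapping was created for.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class StatefulFilter:
    """Packet filter with connection tracking and no address translation."""
    flows: set = field(default_factory=set)

    def outbound(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))
        return p  # forwarded unchanged: end-to-end addressing survives

    def inbound(self, p):
        # Accept only the exact reverse of a flow opened from inside.
        return p if (p.dst, p.dport, p.src, p.sport) in self.flows else None

@dataclass
class NatGateway:
    """Port-translating NAT; its mapping table doubles as the filter state."""
    public_ip: str
    table: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, p):
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (p.src, p.sport, p.dst, p.dport)
        return Packet(self.public_ip, port, p.dst, p.dport)

    def inbound(self, p):
        entry = self.table.get(p.dport)
        if p.dst != self.public_ip or entry is None or entry[2:] != (p.src, p.sport):
            return None  # no mapping, or wrong remote endpoint
        return Packet(p.src, p.sport, entry[0], entry[1])

def scenario(device, host_addr, reachable_addr):
    """One outbound connection, its reply, then an unsolicited probe."""
    server, stranger = "198.51.100.80", "198.51.100.99"  # constructed addresses
    sent = device.outbound(Packet(host_addr, 51000, server, 443))
    reply = device.inbound(Packet(server, 443, sent.src, sent.sport))
    probe = device.inbound(Packet(stranger, 4444, reachable_addr, 22))
    return {"reply_delivered": reply is not None and reply.dst == host_addr,
            "unsolicited_dropped": probe is None,
            "address_preserved": sent.src == host_addr}
```

Calling scenario(StatefulFilter(), "203.0.113.10", "203.0.113.10") and scenario(NatGateway("203.0.113.5"), "192.168.1.10", "203.0.113.5") gives the same result for the reply and the probe; the two differ only in address_preserved.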




