[LINK] www.ipv6.org.au/summit
Saliya Wimalaratne
saliya at hinet.net.au
Tue Sep 2 09:53:11 AEST 2008
On Mon, Sep 01, 2008 at 01:41:11AM +1000, Karl Auer wrote:
>
> I just wanted to challenge the reigning perception that NAT is somehow a
> security benefit. It's not. We can have exactly the same level of
> security without NAT using the most basic of packet filters. In fact,
> they would be cheaper, faster and more reliable. If IPv6 banishes NAT,
> no-one's security will be any the worse.
Hey Karl,

When a NATed host connects to an external host the only information
revealed to the external host or to any intermediary beyond the NAT
boundary is that the NATing host is connecting. No external host knows
how many hosts are behind the NAT, what they are, or how to reach them.
Hostiles _might_ be able to reach them by compromising the NAT host;
but they won't know till they do that. A lot of effort to go to for
what might be worthless (there may be no hosts to attack behind the NAT).

Contrast this with the information obtainable from real, routable addresses,
which reveal their presence with every connection they make. Evil Tim,
there are 600 bank hosts behind packet filter A, or an unknown
number of hosts behind router B. For $500, which one will you attack first?

The less information revealed about any network to potentially hostile
parties, the better. I'd call this a tangible benefit; and use this benefit
to challenge your challenge :)

Regards,
Saliya
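An added illustration, not part of the thread: a toy Python model of the two devices being debated, a stateful packet filter in front of routable inside addresses and a NAT in front of private ones. All addresses and ports are constructed; the model shows that both drop unsolicited inbound packets while only the NAT collapses what an external server observes to a single source address.

```python
# Added toy model (not from the LINK thread); addresses and ports are constructed.
# Both devices default-deny unsolicited inbound traffic; only the NAT rewrites
# the source so that an external server sees one address for every inside host.

class StatefulFilter:
    """Routable inside addresses; inbound is delivered only as the reply
    to an outbound flow this device has already seen."""

    def __init__(self):
        self.flows = set()          # (src, sport, dst, dport) seen outbound

    def outbound(self, src, sport, dst, dport):
        self.flows.add((src, sport, dst, dport))
        return (src, sport, dst, dport)     # packet exactly as the outside sees it

    def inbound(self, src, sport, dst, dport):
        # deliver to (dst, dport) only if this is the reverse of a known flow
        if (dst, dport, src, sport) in self.flows:
            return (dst, dport)
        return None


class Nat:
    """Same default-deny behaviour, plus source rewriting to one public IP."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}             # (public_port, dst, dport) -> (src, sport)

    def outbound(self, src, sport, dst, dport):
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[(port, dst, dport)] = (src, sport)
        return (self.public_ip, port, dst, dport)

    def inbound(self, src, sport, dst, dport):
        # dst must be our public IP and a mapping must exist for this reply
        if dst != self.public_ip:
            return None
        return self.table.get((dport, src, sport))


def external_view(device, inside_hosts, server=("203.0.113.10", 80)):
    """Source addresses an external server observes when every inside host
    opens one connection through `device`."""
    seen = set()
    for i, host in enumerate(inside_hosts):
        pkt = device.outbound(host, 50000 + i, *server)
        seen.add(pkt[0])
    return seen
```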