[LINK] www.ipv6.org.au/summit
Saliya Wimalaratne
saliya at hinet.net.au
Tue Sep 2 20:41:49 AEST 2008
On Tue, Sep 02, 2008 at 11:01:05AM +1000, Karl Auer wrote:
> On Tue, 2008-09-02 at 09:53 +1000, Saliya Wimalaratne wrote:
> > The less information revealed about any network to potentially hostile
> > parties, the better. I'd call this a tangible benefit; and use this benefit
> > to challenge your challenge :)
>
> Yes, it is generally true that "the less information revealed about any
> network to potentially hostile parties, the better". But sometimes the
> amount of "better" is so small as to be irrelevant. And sometimes the
> "better" comes at a cost which may outweigh the benefit. NAT has some
> pretty serious downsides.
Hey Karl,
Sure. I'm not arguing that; I'm arguing that your 'NAT-has-no-merit'
position (I think that's a valid paraphrase, correct me if I'm wrong)
has at least one valid counter-argument.
Do NAT's costs outweigh its benefits? Possibly, and/or probably, depending
on what's more important to you.
> The simplest of packet filters can make it impossible for me to contact
> a machine in your network, even if I do know its address.
>
> Hiding your addresses is basically another form of security through
> obscurity. The addresses of your hosts really don't matter; what counts
Perhaps, like putting jewellery where it's not visible from the outside of
your house; or the invisible-to-radar fighter jet, this type of security
has some value?
"Security through obscurity" can be a problem _if_ it's all that's relied on.
Encouraging malicious or otherwise folks not to look at you has its place.
> is how well they are protected and how well they protect themselves. The
> simplest of packet filters can make it impossible for me to contact a
> machine in your network, even if I do know its address.
Sure. You don't need to tell me twice :)
Another point that may be of interest is that NAT, by its nature, is
'fail-closed'; whereas a packet filter would be fail-open. Of course
there are ways you could make a packet filter fail-closed (it's just
bits and programming :) but it's not inherent in the design.
Don't get me wrong. I don't think that NAT is preferable to IPv6. I just
think that NAT _does_ offer tangible benefits to security; and I hope
I've illustrated at least one (maybe two!) ways that it could be superior to
a simple packet filter.
Regards,
Saliya
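To make the fail-closed/fail-open distinction discussed in this message concrete, here is an added example (not from the thread or any product) that models a minimal port-translating NAT beside a stateless packet filter; the addresses, ports and the empty rule set are constructed, and the empty rule set stands in for a filter whose rules failed to load.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Nat:
    """Port-translating NAT: inbound delivery needs an entry only outbound traffic creates."""
    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.table: Dict[int, Tuple[str, int]] = {}  # public port -> (inside ip, inside port)
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        port = next((p for p, v in self.table.items() if v == (pkt.src, pkt.sport)), None)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[port] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.table.get(pkt.dport)
        # No state means no inside address to deliver to: the packet is dropped.
        return None if inside is None else replace(pkt, dst=inside[0], dport=inside[1])

class PacketFilter:
    """Stateless filter: first matching rule wins, else the default policy applies."""
    def __init__(self, rules: List[Tuple[Callable[[Packet], bool], str]], default: str = "accept") -> None:
        self.rules, self.default = rules, default

    def inbound(self, pkt: Packet) -> str:
        for matches, verdict in self.rules:
            if matches(pkt):
                return verdict
        return self.default

def verdicts() -> Dict[str, str]:
    """Constructed scenario: 10.0.0.5 has talked to 203.0.113.9:443, then an
    unrelated outside host probes port 22; the filter's rule list is empty."""
    nat = Nat("198.51.100.1")
    out = nat.outbound(Packet("10.0.0.5", 51000, "203.0.113.9", 443))
    reply = Packet("203.0.113.9", 443, "198.51.100.1", out.sport)
    probe = Packet("192.0.2.7", 55555, "198.51.100.1", 22)
    nat_verdict = lambda p: "accept" if nat.inbound(p) is not None else "drop"
    return {
        "nat_reply": nat_verdict(reply),                                   # state exists
        "nat_probe": nat_verdict(probe),                                   # no state: fails closed
        "filter_probe_default_accept": PacketFilter([]).inbound(probe),    # fails open
        "filter_probe_default_drop": PacketFilter([], "drop").inbound(probe),  # default-deny
    }
```

The last entry is the "bits and programming" the message refers to: an explicit default-deny policy is what gives a packet filter the fail-closed property a NAT gets for free from needing translation state.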