Re: [arin-announce] IPv4 Address Space (fwd)

[David Raistrick <drais () wow atlasta net>]

On Wed, 29 Oct 2003, Scott McGrath wrote:

> Life would be much simpler without NAT howver there are non-computer
> devices which use the internet to get updates for their firmware that most
> of us would prefer not to be globally reachable due to the human error
> factor i.e. "Oops forgot a rule to protect X".
<snip>
> A good example of this is building control systems which get firmware
> updates via FTP!!!! from their maker.  Usually there is no manual system
> for updating them offline and allowing them to be disconnected from the
> internet  as in my opinion they _should_ be.

NAT is certianly not the only way to restrict this sort of access.  For
your ship example (snipped) an isolated network is best.

For your building control systems a firewall preventing inbound access,
instead of a NAT device, should be your control of choice.


> This class of devices should not have a globally routable address
> because in many cases security on them is less than an afterthought (short
> fixed passwords no support for secure protocols, etc)

routable =! reachable.  Restrict inbound access to your networks as
needed, with or without NAT, IPv4 or IPv6.   For legacy IPv4 networks that
haven't been renumbered to IPv6, use a 4to6 gateway.

You seem to be arguing that NAT is the only way to prevent inbound access.
While it's true that most commercial IPv4 firewalls bundle NAT with packet
filtering, the NAT is not required..and less-so with IPv6.

...david

---
david raistrick
drais () atlasta net            http://www.expita.com/nomime.html