nanog mailing list archives
RE: IPv6 NAT
From: "Tony Hain" <alh-ietf () tndh net>
Date: Fri, 31 Oct 2003 17:23:36 -0800
Scott McGrath wrote:
> Agreed NAT's do not create security although many customers believe they do. NAT's _are_ extremely useful in hiding network topologies from casual inspection.

This is another bogus argument, and clearly you have not done the math on how long it takes to scan a /64 worth of subnet space. Start by assuming a /16 per second (which is well beyond what I have found as current technology) and see how long 2^48 seconds is.

> What I usually recommend to those who need NAT is a stateful firewall in front of the NAT. The rationale being the NAT hides the topology and the stateful firewall provides the security boundary.

Obscuring the topology provides absolutely no security either. You are not alone, as it is frequently a recommended practice, but obscurity != security no matter how much it is sold as such.

Tony
