Re: IPv4 flag day

[William Herrin via NANOG <nanog () lists nanog org>]

On Thu, Jun 18, 2026 at 12:55 PM Arie Vayner <ariev () vayner net> wrote:
> Unless I'm missing something, the pwnat mechanism will actually work
> through any stateful packet inspection (be it NAT or just a firewall) that
> allows Traceroute to work.


Hi Arie,

You're not missing anything. It's a novel mechanism for escalating a
beachhead, but Gary hasn't explained why it wouldn't work just as well
with any other firewall that allows internal machines to initiate
outbound connections by default. Everybody needs ICMP destination
unreachable messages from arbitrary sources to reach back to the
origin. Path MTU discovery fails if they do not. With any kind of
firewall. ICMP Time exceeded is not as crucial but traceroute breaks
without it so most firewalls propagate it inward too.

Interesting as it is, the thought experiment fails to support Gary's
claim that NAT specifically makes a network vulnerable.

Regards,
Bill Herrin

-- 
For hire. https://bill.herrin.us/resume/
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/4RW6QTMWCWBJWKQHGSIWXQERC7OUQZDL/