> > > > Basically, a NAT is just a simple and general-purpose way > to implement > > a proxy. > > It does play the role of a proxy nobody has ordered and nobody does > even no it exists. So it does breake security by providing a > proxy that should bo be there in the first place. > I don't understand what you mean here? NAT is going to have to be the default gateway somewhere along the route path so whether manually configured on the client, done via dhcp, or configured on a router, how is it something that nobody has ordered? Also it breaks security for whom (I can see how it makes it tougher for the destination, but it sounds like you are inferring it breaks security for the network using the NAT?). I have comments/questions about your other remarks but I want to first make sure we are talking about the same thing. Thanks, Nick > > > > If you define "more secure" as "less likely that random > packets will be > > delivered": sure, put in as much stuff that makes everything less > > transparent as you can. > > In fact it provides a loophole destroying every attept to > security from > end to end. > > > > > Obviously this won't help against many popular attack > vectors which > > prey upon the gullibility of the typical user, which mostly > happen over > > HTTP or through mail, which don't need a transparent communication > > channel. > > But it provides a great way to break into any established secure link. > > Just wait for them to exchange passwords. Break the connection and do > your evil. Dont care any longer and let the connection drop to the > floor. NAT and windows will cope and nobody will ever see a trace in > their logs. > > > > > And please don't expect the IETF to make its protocols work > through > > your multiple layers of NAT and proxies. > > > > NAT was never designed for security. NAT was designed as a loophole. > That loophole has improved greatly over time. > > All bad things said I would like to mention that a windows computer > wont stay long in the internet if you dont hide them behind NAT > > It really does not make a difference wether you proxy on the NAT or > somewhere else except when you proxy after the NAT you proxy after > a proxy. You can replace several proxies by a tunnel through a > low speed data line. In fact that will break SSH wordbook attacks. > Just delay everything longer than the hacker probably waits > > Regards, > Peter Dambier > > > -- > Peter and Karin Dambier > Public-Root > Graeffstrasse 14 > D-64646 Heppenheim > +49-6252-671788 (Telekom) > +49-179-108-3978 (O2 Genion) > +49-6252-750308 (VoIP: sipgate.de) > +1-360-448-1275 (VoIP: freeworldialup.com) > mail: peter@xxxxxxxxxxxxxxxx > http://iason.site.voila.fr > http://www.kokoom.com/iason > > > _______________________________________________ > Ietf mailing list > Ietf@xxxxxxxx > https://www1.ietf.org/mailman/listinfo/ietf > _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf