> It's not exactly a surprise, folk seem to place a higher premium on
> shooting NAT than anything else. Meanwhile the vast majority of
> residential broadband access is behind NAT.
>
> And from a security point I want to see as much NAT as possible. Without
> NAT we would be in a much worse situation security wise than we are
> today. NAT is a blunt instrument but it shuts down inbound server
> connects. And that is such a good thing from the point of view of
> stopping propagation of network worms.

(snip)

A few points. IPv6 technology really needs to be demystified.

You do not have to rewrite IP addresses to ensure that there are no inbound connections. You just have to have a packet filter which watches/drops TCP SYN or the like.

If you do not have enough address space to serve your enterprise, it is a good reason to use IPv6 :-)

Even if you have NAT, or any middle system which rewrites IP address/port number, or the RFC3041 trick in your end system, your privacy is leaked by the use of HTTP cookies and OS fingerprinting. If you do not use HTTP cookies, you cannot buy things at Amazon.

If you have RFC3041 and other tricky systems, your system will have a higher likelihood of having implementation bugs (violation of the KISS principle).

Even if you stop all inbound connections, malicious parties which control HTTP/whatever servers can inject into your end node any kind of crafted TCP options, which might cause buffer overflow (DoS/privileged user hijacking). The only solution (internet-wise) to this is to have TCP relaying proxies like TIS firewall toolkit/Gauntlet. Even skype cannot go across TCP relays.

Spam, phishing and botnets are independent from the presence/absence of NAT. OSes have to be secured by default, that's all.

Heavy use of firewall/NAT has propagated a "false sense of security" inside enterprise networks, and therefore many of the end systems within enterprises are very vulnerable to attacks. The most common attack vectors these days are laptops owned by people like IETFers (going in and out of the enterprise) or VPN-connected laptops, which carry worms. So many people purchase end node firewall systems ("fire suit" in the old terminology), but if your end node operating systems are secure by default, you do not need those end node firewall systems and/or to keep upgrading signature files.

http://www.openbsd.org/papers/asiabsdcon07-network_randomness/index.html

itojun
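The packet-filter point made in the message above (no inbound connects without rewriting any address) as a runnable illustration. This is an added example, not code from itojun's message or from OpenBSD pf: it is a toy stateful filter that parses the fixed IPv6 header plus TCP header, creates state for outbound SYNs and drops unsolicited inbound SYNs, exactly the property NAT is credited with. The addresses, ports and packets are constructed inline; the parser deliberately handles only IPv6 followed directly by TCP, so packets carrying extension headers fall under the default-deny rule (a real filter walks the extension-header chain instead), and sequence numbers, timeouts and teardown are ignored.

```python
import ipaddress
import struct
from dataclasses import dataclass

IPV6_HDR_LEN = 40
NEXT_HEADER_TCP = 6
NEXT_HEADER_HOPOPTS = 0
TCP_SYN, TCP_ACK = 0x02, 0x10


@dataclass(frozen=True)
class Flow:
    """Bidirectional TCP flow key (16-byte packed IPv6 addresses)."""
    src: bytes
    sport: int
    dst: bytes
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport)


def parse_ipv6_tcp(pkt: bytes):
    """Return (Flow, tcp_flags) for a plain IPv6+TCP packet, else None.

    Only the fixed 40-byte IPv6 header followed directly by TCP is parsed.
    Extension headers, ICMPv6, UDP etc. return None so that the filter's
    default-deny rule applies to them (simplification for the example).
    """
    if len(pkt) < IPV6_HDR_LEN + 20:
        return None
    ver_tc_fl, _payload_len, next_hdr, _hop_limit = struct.unpack("!IHBB", pkt[:8])
    if ver_tc_fl >> 28 != 6 or next_hdr != NEXT_HEADER_TCP:
        return None
    src, dst = pkt[8:24], pkt[24:40]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[40:54])
    return Flow(src, sport, dst, dport), off_flags & 0x1FF


class StatefulFilter:
    """A minimal 'pass out keep state / block in' filter, no address rewriting."""

    def __init__(self):
        self.states = set()

    def outbound(self, pkt: bytes) -> bool:
        parsed = parse_ipv6_tcp(pkt)
        if parsed is None:
            return False
        flow, flags = parsed
        if flags & TCP_SYN and not flags & TCP_ACK:
            self.states.add(flow)          # our own connection attempt: open state
        return flow in self.states

    def inbound(self, pkt: bytes) -> bool:
        parsed = parse_ipv6_tcp(pkt)
        if parsed is None:
            return False
        flow, flags = parsed
        if flags & TCP_SYN and not flags & TCP_ACK:
            return False                   # unsolicited inbound connect: drop
        return flow.reverse() in self.states  # replies to flows we opened pass


def build_ipv6_tcp(src, sport, dst, dport, flags, next_hdr=NEXT_HEADER_TCP) -> bytes:
    """Construct a header-only IPv6+TCP packet (sample input, not captured traffic)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)
    ip6 = struct.pack("!IHBB", 6 << 28, len(tcp), next_hdr, 64) + src + dst
    return ip6 + tcp


def demo() -> dict:
    """Run the scenarios from the thread through the filter; returns verdicts."""
    host = ipaddress.IPv6Address("2001:db8::10").packed       # our end node (constructed)
    web = ipaddress.IPv6Address("2001:db8:ffff::80").packed   # server we connect to
    worm = ipaddress.IPv6Address("2001:db8:bad::1").packed    # scanning worm (constructed)
    f = StatefulFilter()
    return {
        # worm probing a service port on our host: dropped, as NAT would
        "worm_syn": f.inbound(build_ipv6_tcp(worm, 40000, host, 445, TCP_SYN)),
        # our outbound connect opens state
        "our_syn": f.outbound(build_ipv6_tcp(host, 50000, web, 80, TCP_SYN)),
        # server's SYN-ACK and data match that state and pass
        "web_synack": f.inbound(build_ipv6_tcp(web, 80, host, 50000, TCP_SYN | TCP_ACK)),
        "web_data": f.inbound(build_ipv6_tcp(web, 80, host, 50000, TCP_ACK)),
        # SYN-ACK from a different peer for the same ports: no state, dropped
        "spoofed_synack": f.inbound(build_ipv6_tcp(worm, 80, host, 50000, TCP_SYN | TCP_ACK)),
        # legitimate reply behind a hop-by-hop header: unparsed here, default deny
        "ext_hdr_reply": f.inbound(build_ipv6_tcp(web, 80, host, 50000, TCP_ACK, NEXT_HEADER_HOPOPTS)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} {'pass' if verdict else 'drop'}")
```

The last scenario is the caveat to take away: the "just drop inbound SYN" rule is trivial to state, but the filter still has to parse IPv6 correctly, and a filter that gives up on extension headers either breaks legitimate traffic (as here) or, if it fails open instead, lets the worm's SYN through.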