> As the administrator of several small networks, it is quite simple. By
> re-writing the address, the NAT is a de facto default deny. I have a lot
> more trust in the simplicity of a basic NAT in a consumer firewall than I
> do in any firewall which has to examine each packet for conformance to
> complex policy rules.

The re-writing of the address has nothing to do with the security
benefit of the box. Looking the incoming packet up in a state table and
forwarding (with re-write) the packet if a match is found, otherwise
dropping / icmping it, is what provides the security. Otherwise I could
just loose source route around the NAT box.

It is much better to have a box that is designed to provide security
than it is to have a box that provides security as a side effect. I'm
sure you will find that there are NAT boxes that you can use the loose
source route trick to bypass any perceived security benefits.

NAT boxes have different design goals to firewalls. They are designed
to translate addresses. LSR is also designed to translate addresses.
LSR and NAT are complementary technologies. One is end initiated, the
other is done in the middle of the network.

> But, this misses the point I see in Phillip's discussion... I read his
> ultimate proposal as:
> a. Stop bashing NAT, it provides value in the current network and
> has prevented a total meltdown which would have happened if every
> early OS were directly attached to the internet

People aren't bashing NAT. They are saying that NAT is not an
appropriate solution in an IPv6 world. It adds a lot more complexity
than just a stateful firewall.

> b. REPLACE NAT with a default deny infrastructure ... more than
> just a single FW choke point.
>
> On Mon, 2 Jul 2007, Melinda Shore wrote:
>
> > On 7/2/07 11:14 AM, "Hallam-Baker, Phillip" <pbaker@xxxxxxxxxxxx> wrote:
> > > There is no other device that can provide me with a lightweight firewall for
> > > $50.
> >
> > Of course there is - the same device that's providing the NAT.
> >
> > NAT by itself is intrinsically policy-free, although it implements
> > policy as a side-effect. I'm unclear on why you think that a
> > default-deny policy is better implemented on a NAT than on a
> > firewall.
>
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> https://www1.ietf.org/mailman/listinfo/ietf

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@xxxxxxx
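Added example, not part of the thread and not code from any of the posters: a toy model of the distinction Mark draws above, a box that only rewrites addresses next to a box that looks each inbound packet up in a state table and drops it when nothing matches. The classes, addresses, ports and packets are all constructed for illustration; the stateless translator stands for a static one-to-one mapping, the stateful one for the usual port-translating consumer NAT.

```python
"""Toy model of 'rewrite only' versus 'state-table lookup, then rewrite'.
Everything here (class names, addresses, ports) is constructed sample data
for illustration; it models no particular product."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatelessTranslator:
    """Static one-to-one address rewrite with no memory of flows.

    Any inbound packet addressed to the public address is rewritten and
    forwarded, so the rewrite alone provides no default deny."""

    def __init__(self, inside: str, outside: str):
        self.inside, self.outside = inside, outside

    def outbound(self, p: Packet):
        return ("forward", Packet(self.outside, p.sport, p.dst, p.dport))

    def inbound(self, p: Packet):
        if p.dst != self.outside:
            return ("drop", None)  # not for us at all
        return ("forward", Packet(p.src, p.sport, self.inside, p.dport))


class StatefulNAPT:
    """Port-translating NAT that only forwards inbound packets matching a
    state entry created by an earlier outbound packet."""

    def __init__(self, outside: str):
        self.outside = outside
        self.out_table = {}   # (inside, iport, remote, rport) -> public port
        self.in_table = {}    # (remote, rport, public port) -> (inside, iport)
        self.next_port = 40000  # constructed starting port for the pool

    def outbound(self, p: Packet):
        key = (p.src, p.sport, p.dst, p.dport)
        pub = self.out_table.get(key)
        if pub is None:
            # first packet of a flow: allocate a public port and record state
            pub = self.next_port
            self.next_port += 1
            self.out_table[key] = pub
            self.in_table[(p.dst, p.dport, pub)] = (p.src, p.sport)
        return ("forward", Packet(self.outside, pub, p.dst, p.dport))

    def inbound(self, p: Packet):
        entry = None
        if p.dst == self.outside:
            entry = self.in_table.get((p.src, p.sport, p.dport))
        if entry is None:
            return ("drop", None)  # no matching state: this is the default deny
        inside, iport = entry
        return ("forward", Packet(p.src, p.sport, inside, iport))


def demo():
    """Run the same unsolicited inbound packet through both boxes, then show
    that a reply to an inside-initiated flow does pass the stateful box."""
    inside_host, public, remote = "10.0.0.5", "198.51.100.1", "203.0.113.9"
    probe = Packet(remote, 5555, public, 1234)  # constructed unsolicited packet

    stateless = StatelessTranslator(inside_host, public)
    napt = StatefulNAPT(public)
    results = {
        "stateless_unsolicited": stateless.inbound(probe)[0],  # "forward"
        "stateful_unsolicited": napt.inbound(probe)[0],        # "drop"
    }

    # inside host opens a flow; the remote side's reply now has state to match
    _, translated = napt.outbound(Packet(inside_host, 1234, remote, 80))
    reply = Packet(remote, 80, public, translated.sport)
    results["stateful_reply"] = napt.inbound(reply)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the model makes is the one in the post: the rewrite step is identical in both classes, and only the `in_table` lookup in `StatefulNAPT.inbound` turns unsolicited traffic into a drop. A consumer box that advertises "NAT security" is relying entirely on that lookup, which is exactly what a stateful firewall does without any address rewriting.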