On Thursday 13 November 2008 21:30:39 ext Darrel Lewis (darlewis), you wrote:
> DL> Port/Overload NAT for IPv4 (NAT:P) has security benefits in
> that it requires explicit configuration to allow for inbound unsolicited
> transport connections (via port forwarding) to 'inside' hosts. This
> mimics many of the default policies on most firewalls, hence the
> confusion. Note that it can also cause security issues elsewhere in the
> network. The loss of information of the identity of the source host can
> cause address filtering in the network to affect other devices than just
> the one intended.

That's not _quite_ true. The truth is that many boxes that are NATs are also firewalls. A full cone NAT, with UPnP IGD (or NAT-PMP), is barely providing any security protection to the host. And many NATs have the so-called "DMZ" function whereby they'll forward all incoming traffic to a specified internal host.

Besides, if you don't have a public IP address, you are not addressable from the Internet. Whether you have a NAT, a set of proxies or no connection is irrelevant - the lack of addressability is your "protection", not the NAT.

If you have public space internally, you can also NAT outbound, and not inbound. Then your NAT obviously provides no protection at all. A firewall would.

> DL> I'm wondering if this is written down somewhere, because
> both of the above points seem to be argued over and over again, without
> people being generally educated about them.

We have the IPv6 security RFC. We have the IPv6 simple CPE security and the NAT security I-Ds.

> DL> I would argue that stateless filtering (e.g. access control
> lists) are even more common than firewalls and are the single most
> widely used network security control. But the main point is that
> firewalls (stateful (flow based) filtering that usually have default
> policies) are orthogonal to address translation. They just happen to
> occur at the same point in the topology in many networks.

Yes. And that's the whole point: the firewall function is providing some kind of protection. Not the NAT function.

-- 
Rémi Denis-Courmont
Maemo Software, Nokia Devices R&D

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
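To make the distinction in this exchange concrete, here is an added Python model (not from the thread, nor from any of the drafts it mentions) of the behaviours discussed: a full cone NAT, a port-overloading NAT:P with optional port forwarding (as UPnP IGD or NAT-PMP would create) or a DMZ host, an outbound-only NAT in front of publicly addressed inside hosts, and a stateful firewall. All addresses, ports and class names are constructed for the illustration; the only question each box answers is whether an unsolicited packet from a never-contacted peer reaches the inside host.

```python
# Constructed addresses for the model (not real hosts).
INSIDE = "10.0.0.5"             # inside host behind a translating box
PUBLIC_INSIDE = "198.51.100.5"  # inside host that keeps a public address

class FullConeNat:
    """Full cone: once public port P is mapped for an inside host,
    ANY remote endpoint may send to P and reach that host."""
    def __init__(self):
        self.ports = {}                       # public port -> inside host
    def outbound(self, inside, port, remote):
        self.ports[port] = inside             # remote endpoint is not recorded
    def inbound(self, port, remote):
        return self.ports.get(port)           # remote endpoint is never checked

class PortOverloadNat:
    """NAT:P (port-restricted): a mapping admits only the remote endpoint that
    was contacted, unless a port forward or a DMZ host is explicitly configured."""
    def __init__(self):
        self.flows, self.forwards, self.dmz = {}, {}, None
    def outbound(self, inside, port, remote):
        self.flows[(port, remote)] = inside
    def forward(self, port, inside):          # manual, UPnP IGD or NAT-PMP
        self.forwards[port] = inside
    def inbound(self, port, remote):
        return self.flows.get((port, remote)) or self.forwards.get(port) or self.dmz

class OutboundOnlyNat:
    """Inside hosts hold public addresses; only outbound traffic is rewritten,
    so inbound packets to the inside address pass through untouched."""
    def inbound(self, port, remote):
        return PUBLIC_INSIDE

class StatefulFirewall(PortOverloadNat):
    """Same flow table as NAT:P but no translation and no forwards: the
    protection comes from the default-deny policy, not from any rewriting."""
    def inbound(self, port, remote):
        return self.flows.get((port, remote))

def unsolicited_reaches_inside():
    """Map each box to the inside host an unsolicited packet reaches (None = dropped)."""
    peer, stranger = ("203.0.113.7", 443), ("203.0.113.9", 5555)  # constructed
    fc, natp, upnp, dmz, fw = FullConeNat(), PortOverloadNat(), PortOverloadNat(), PortOverloadNat(), StatefulFirewall()
    for box in (fc, natp, fw):
        box.outbound(INSIDE, 40000, peer)     # inside host talked to 'peer' only
    upnp.forward(8080, INSIDE)                # inside host opened a forward via UPnP
    dmz.dmz = INSIDE                          # everything unmatched goes to the DMZ host
    return {"full cone NAT": fc.inbound(40000, stranger),
            "NAT:P": natp.inbound(40000, stranger),
            "NAT:P with UPnP forward": upnp.inbound(8080, stranger),
            "NAT:P with DMZ host": dmz.inbound(22, stranger),
            "outbound-only NAT, public inside": OutboundOnlyNat().inbound(22, stranger),
            "stateful firewall": fw.inbound(40000, stranger)}
```

Only the port-restricted NAT:P without forwards and the stateful firewall drop the stranger's packet, and they do so for the same reason: a flow table with a default-deny policy, which is a firewall function regardless of whether addresses are rewritten.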