ietf
[Top] [All Lists]

Re: NAT->IPv6

2000-04-26 14:40:01
From: "Eliot Lear" <lear(_at_)cisco(_dot_)com>

It's also completely naive that source routing is your only threat.  One
can break into a NAT.  One can forge packets and address them
appropriately.  Firewalls prevent this, not NATs.

That statement is just as naive, unless you qualify the word "firewalls,"
and I'm not talking about accidents.  For example, what is a "router
firewall" except a lame NAT box?  It includes typical NAT filtering
rules and has NAT rewriting consisting of the identity map.  A NAT box
is like many routers sold as firewalls, except that it does better
filtering in its default configuration than a router firewall, and has
more than just the identity map for rewriting addresses and payloads.

You can't even say that pure application-layer or host-based firewalls
are always more secure than NAT boxes, because many host systems used for
such firewalls are happy to forward IP packets (although IP forwarding is
less likely to be on by default today).


I'm objecting to superstition cloaked as engineering, including 

   - "NAT boxes provide security",

   - "firewalls provide security but NAT boxes don't",

and my hot button,

   - "IP source routes are security threats."


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com



<Prev in Thread] Current Thread [Next in Thread>