Re: NAT->IPv6

From: Greg Hudson <ghudson(_at_)MIT(_dot_)EDU>

But anybody clear understand that if your internal hosts do not have
a public address then all attacks may be only static - wait until
internal host open TCP to somewhere.


This is a naive understanding.  Source-routing would let me get
packets through to an internal address unless your NAT also acts as a
firewall.

   Let's try. Today most of hosts have "IP-forwarding" switch off.
Because security reason.

(Granted, I think it turns out that pretty much all NATs do this kind
of firewalling in all cases.  But there's no reason why a firewall
allowing only outgoing connections should be any more error-prone than
a NAT gateway.)


   Greg, how you determine outgoing RTP connection like VoIP, for exam ?
UDP often has not clear "open" packet and difficult to control in classic
firewall. Fortunately VoIP may have H.323 or SIP negotiation first
but do you sure about another protocols ?

                               - Leonid Yegoshin, LY22

<Prev in Thread]	Current Thread	[Next in Thread>
Re: NAT->IPv6, (continued) Re: NAT->IPv6, John Stracke Re: NAT->IPv6, Leonid Yegoshin Re: NAT->IPv6, Leonid Yegoshin Re: NAT->IPv6, Eliot Lear Re: NAT->IPv6, Steven M. Bellovin Re: NAT->IPv6, Leonid Yegoshin Re: NAT->IPv6, Greg Hudson Re: NAT->IPv6, Vernon Schryver Re: NAT->IPv6, Eliot Lear Re: NAT->IPv6, Vernon Schryver Re: NAT->IPv6, Leonid Yegoshin <=

Previous by Date:	Re: runumbering (was: Re: IPv6: Past mistakes repeated?), Masataka Ohta
Next by Date:	Re: runumbering (was: Re: IPv6: Past mistakes repeated?), Steven M. Bellovin
Previous by Thread:	Re: NAT->IPv6, Vernon Schryver
Next by Thread:	SCSI over IP, Jon William Toigo
Indexes:	[Date] [Thread] [Top] [All Lists]