At 01:34 AM 6/19/2003, Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu wrote:
> On Thu, 19 Jun 2003 00:55:49 EDT, S Woodside said:
> > On Wednesday, June 18, 2003, at 06:28 PM, Tomson Eric ((Yahoo.fr))
> > wrote:
> >
> > > Now, the fact that masking the internal addresses to the external
> > > world - so that internal hosts can initiate traffic to the outside,
> > > but no external host can initiate traffic to the inside - brings some
> > > basic security, is an interesting corollary, but not the primary
> > > objective of a NAT.
> >
> > Is this just security through obscurity, or something better?
> Security through obscurity. See Bellovin's paper on enumerating through a
> NAT.
Maybe YOU should read it, and explain how this is useful for attacking the
hosts behind a NAPT box. The technique described in this paper uses
variations in the IPid field as evidence of more than one host generating
packets. Fine. So you plunk a box just upstream of the NAT box, and now you
can determine how many ACTIVE hosts are talking to sites outside the NAPT box.
Since NAPT uses stateful inspection to operate, it only permits packets in
to the private network in response to outbound packets. Sitting directly
upstream of the NAPT box, you could try spoofing reply packets. This would
work equally well for any stateful-inspection firewall.
So what is really at risk, described in Steve's paper? It is possible to
determine if NAPT is in use, if the NAPT implementation is insufficiently
careful in its handling of the IPid field (and likely most do allow
analysis of this sort). In essence, Steve's paper provides useful
information for improving NAPT implementations if anyone is worried about
having upstreams learn of the presence of a NAPT box.
I reject your contention of NAPT as "security through obscurity."
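As an added illustration of the point made in the message above (this is constructed example code, not from the thread or from Bellovin's paper), the following model shows why an upstream observer can estimate the number of active hosts when a NAPT box passes the IPid field through untouched, and how a NAPT that assigns the IPid from its own counter removes that signal. The host model, the addresses, the NAPT classes and the chain-counting heuristic are all assumptions made here for the demonstration.

```python
from dataclasses import dataclass

IPID_MODULUS = 1 << 16  # the IPid field is 16 bits wide


@dataclass
class Packet:
    src: str
    ipid: int


class Host:
    """Constructed model of a host whose IP stack uses one global,
    sequentially incrementing IPid counter (the behaviour the
    enumeration technique relies on)."""

    def __init__(self, addr, start):
        self.addr = addr
        self.next_ipid = start

    def send(self):
        pkt = Packet(self.addr, self.next_ipid % IPID_MODULUS)
        self.next_ipid += 1
        return pkt


def napt_passthrough(pkt, external="203.0.113.1"):
    """Weak NAPT (constructed): rewrites the source address but leaves
    the IPid exactly as the inside host set it."""
    return Packet(external, pkt.ipid)


class NaptOwnIpid:
    """Hardened NAPT (constructed): every outbound packet gets the next
    value of the NAPT box's own counter, so the upstream sees a single
    IPid sequence regardless of how many inside hosts are active."""

    def __init__(self, external="203.0.113.1", start=30000):
        self.external = external
        self.next_ipid = start

    def translate(self, pkt):
        out = Packet(self.external, self.next_ipid % IPID_MODULUS)
        self.next_ipid += 1
        return out


def count_ipid_chains(ipids, max_step=8):
    """Lower bound on the number of independent IPid counters behind the
    observed packets: greedily attach each IPid to a chain whose last
    value is a small positive step behind it, otherwise open a new chain."""
    chains = []  # last IPid seen on each chain
    for ipid in ipids:
        for i, last in enumerate(chains):
            step = (ipid - last) % IPID_MODULUS
            if 1 <= step <= max_step:
                chains[i] = ipid
                break
        else:
            chains.append(ipid)
    return len(chains)


def run_observation(translate, rounds=10):
    """Three inside hosts (constructed addresses) send round-robin through
    the given NAPT translation; return the chain count an upstream
    observer would derive from the IPids it sees."""
    hosts = [Host("10.0.0.1", 1000), Host("10.0.0.2", 20000), Host("10.0.0.3", 40000)]
    observed = []
    for _ in range(rounds):
        for h in hosts:
            observed.append(translate(h.send()).ipid)
    return count_ipid_chains(observed)


if __name__ == "__main__":
    print("pass-through NAPT, chains seen upstream:", run_observation(napt_passthrough))
    print("NAPT with own IPid counter, chains seen upstream:",
          run_observation(NaptOwnIpid().translate))
```

With the pass-through translation the observer recovers three chains, one per active host; with the NAPT's own counter only one chain is visible, so the host count is no longer exposed. A NAPT that instead draws the IPid from a per-packet random value hides the count as well, at the cost of making correct fragment reassembly depend on the randomness not repeating within a fragment's lifetime.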