
Re: The P in NAPT != Privacy was Re: Time to move beyond the 32 bit Internet.

2014-06-25 06:32:57
On 06/25/2014 01:06 PM, Masataka Ohta wrote:
>> Given that address translation needs things like
>> CGN, STUN, UPnP and port forwarding to get the most basic of things
>> working,
>
> Wrong.
>
> While UPnP involves end systems a little, they hide address
> translation from the end systems, which is why they destroy
> the end-to-end transparency (with UPnP, there can be end-to-end
> transparency for applications over TCP or UDP).


and UPnP has been a security nightmare. It may hide your internal
addresses, but who cares about that if it creates an attack surface that
can open up your entire network?

Other NAT workarounds include (sometimes unpredictable) third parties
that should be unnecessary (STUN, Skype, and probably any number of
game-related solutions). Or they force people onto a fixed internal address
while they could be switching it around (port forwarding).


>> I think the whole picture gives you less privacy and security
>> than a completely untranslated end-to-end world does.
>
> The amount of privacy is the same. It is merely that ISPs must have
> more logs, as long as they assign address/port dynamically on
> demand.
>
> But, if ISPs assign one of their customers an address and a range
> of port numbers, the amount of logs is the same.
>
> That is, assigning a customer 192.0.2.1 is not very different
> from assigning the customer port 1024 to 1279 of 192.0.2.1.


yeah, from an ISP point of view it's the same.

Jelte
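An added illustration of the logging point in the exchange above (example code, not part of the thread; the subscriber names, port blocks and binding-log entries are constructed): with a fixed port range per subscriber, an abuse report naming an external address and port resolves from the allocation table alone, exactly as a per-address assignment would, whereas with dynamic on-demand NAPT the ISP needs a timestamped binding log, and the same external tuple attributes to different subscribers at different times.

```python
from datetime import datetime

# Constructed sample (not from the thread): two subscribers behind one public
# address, each holding a fixed 256-port block, as in Ohta's 1024-1279 example.
STATIC_RANGES = {
    "subscriber-A": ("192.0.2.1", 1024, 1279),
    "subscriber-B": ("192.0.2.1", 1280, 1535),
}

# Constructed sample CGN binding log for dynamic on-demand assignment:
# (subscriber, external ip, external port, start, end). The same external
# (ip, port) is reused by different subscribers at different times.
DYNAMIC_BINDINGS = [
    ("subscriber-A", "192.0.2.1", 40001, "2014-06-25T06:00:00", "2014-06-25T06:10:00"),
    ("subscriber-B", "192.0.2.1", 40001, "2014-06-25T06:20:00", "2014-06-25T06:30:00"),
]


def resolve_static(ext_ip: str, ext_port: int):
    """Attribute an external (ip, port) to a subscriber from the allocation
    table only; no timestamp is needed because the mapping never changes."""
    for subscriber, (ip, lo, hi) in STATIC_RANGES.items():
        if ip == ext_ip and lo <= ext_port <= hi:
            return subscriber
    return None


def resolve_dynamic(ext_ip: str, ext_port: int, when: str):
    """Attribute an external (ip, port) to a subscriber under dynamic NAPT.
    A per-binding log with time windows is required; a report that carries
    no accurate timestamp (or falls between bindings) cannot be resolved."""
    t = datetime.fromisoformat(when)
    for subscriber, ip, port, start, end in DYNAMIC_BINDINGS:
        in_window = datetime.fromisoformat(start) <= t < datetime.fromisoformat(end)
        if ip == ext_ip and port == ext_port and in_window:
            return subscriber
    return None


if __name__ == "__main__":
    # An abuse report naming 192.0.2.1:1300 resolves without any timestamp.
    print(resolve_static("192.0.2.1", 1300))
    # The same external tuple means different subscribers at different times.
    print(resolve_dynamic("192.0.2.1", 40001, "2014-06-25T06:05:00"))
    print(resolve_dynamic("192.0.2.1", 40001, "2014-06-25T06:25:00"))
    # Outside every logged window: no attribution is possible.
    print(resolve_dynamic("192.0.2.1", 40001, "2014-06-25T06:15:00"))
```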