Ryan Leathers [EMAIL PROTECTED] wrote:

> NAT is a neat trick and has filled a certain need, BUT...

NAT is a tool.

> Some of you humming the "Give NAT a Chance" melody might do well to
> consider the EVILS of NAT.

I understand how NAT works. I understand its limitations.

> First - the pet peeve point
> If I see one more reader of this list tout the fool's claim that NAT
> affords a valuable level of security I'll pull my few remaining hairs
> out. Methods for NAT subversion were well understood even before NAT
> was popularized, yet even technical professionals beat their drums of
> false security to this day.

I don't think I ever claimed NAT should be relied upon as a security device. What I -will- claim is that it is valuable to hide network topology from outsiders.

Sure, there are methods that work against -some- NAT devices that will allow an outsider to count hosts, based on traffic sent to that outside host. However, not all NAT devices will allow this, and it's merely a count. The topology is hidden.

Now that I think about it, I think there are ways to get a count of systems even if they do not connect to the outside host (but are using the gateway). BUT, the counted hosts -have- to pass through the NAT device to the outside world. And, again, it hides topology. You have no idea how many segments are -behind- that NAT device. I have four behind mine. You'd have a tough time figuring that out. You also have no idea how many hosts are on each of those.

> Second - the timely example point
> Lots of talk about VoIP lately - - - NAT is public enemy number one for
> many a VoIP connection. Better firewalls / gateways handle the needed
> translations when NAT is in play, but cheapo consumer grade NAT boxes
> can kill VoIP faster than a Baby Bell can think up a new fee.

I dunno, Vonage devices seem to be working just fine behind Linksys boxes. And, you're pointing out a failure of crappy NAT boxes, not of NAT itself. The technology is sound, the implementation is questionable.

> Summary - NAT is the spawn of some unseen dark power conspiring with
> evil consumer-grade hardware vendors to shackle you with exploitable
> false security and deny you the goodness of VoIP. Was that over the
> top?

It was over the top, because it was wrong. You're making blanket statements that do not apply to every NAT device.

> IPV6... a better network... a better life.

Understand that I have no problems with IPv6. In and of itself, it's fine. It's the migration that is the problem. Let me repeat that. The migration to IPv6 is the problem, not IPv6 itself. This is an arduous task that needs a killer app to get me off my ass and do something. Until then, I'm going to continue to be blind to the reasons for migrating to IPv6.

Mike

-- 
"If life hands you lemons, YOU BLOW THOSE LEMONS TO BITS WITH YOUR LASER CANNONS!" -- Brak
GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc
-- 
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
