North American Network Operators Group

RE: IPv6 NAT

  • From: Tony Hain
  • Date: Fri Oct 31 20:25:51 2003

Scott McGrath wrote:
> Agreed NAT's do not create security although many customers believe they
> do.  NAT's _are_ extremely useful in hiding network topologies from casual
> inspection.

This is another bogus argument, and clearly you have not done the math on
how long it takes to scan a /64 worth of subnet space. Start by assuming a
/16 per second (which is well beyond what I have found as current
technology) and see how long 2^48 seconds is.

>
> What I usually recommend to those who need NAT is a stateful firewall in
> front of the NAT.  The rationale being the NAT hides the topology and the
> stateful firewall provides the security boundary.

Obscuring the topology provides absolutely no security either. You are not
alone, as it is frequently a recommended practice, but obscurity != security
no matter how much it is sold as such.

Tony