[TriLUG] Adding to the list of topics: IPv6

Mike Johnson mike at enoch.org
Thu Jan 22 11:21:21 EST 2004


Ryan Leathers [ryan.leathers at globalknowledge.com] wrote:
> NAT is a neat trick and has filled a certain need, BUT...

NAT is a tool.
 
> Some of you humming the "Give NAT a Chance" melody might do well to
> consider the EVILS of NAT.  

I understand how NAT works.  I understand its limitations.
 
> First - the pet peeve point
> If I see one more reader of this list tout the fools claim that NAT
> affords a valuable level of security I'll pull my few remaining hairs
> out.  Methods for NAT subversion were well understood even before NAT
> was popularized, yet even technical professionals beat their drums of
> false security to this day.  

I don't think I ever claimed NAT should be relied upon as a security
device.  What I -will- claim is that it is valuable to hide network
topology from outsiders.  Sure, there are methods that work against
-some- NAT devices that will allow an outsider to count hosts, based on
traffic sent to that outside host.  However, not all NAT devices will
allow this, and it's merely a count.  The topology is hidden.  Now that
I think about it, I think there are ways to get a count of systems even
if they do not connect to the outside host (but are using the gateway).
BUT, the counted hosts -have- to pass through the NAT device to the
outside world.  And, again, it hides topology.  You have no idea how
many segments are -behind- that NAT device.  I have four behind mine.
You'd have a tough time figuring that out.  You also have no idea how
many hosts are on each of those.
 
> Second - the timely example point
> Lots of talk about VoIP lately - - - NAT is public enemy number one for
> many a VoIP connection.  Better firewalls / gateways handle the needed
> translations when NAT is in play, but cheapo consumer grade NAT boxes
> can kill VoIP faster than a Baby Bell can think up a new fee.

I dunno, Vonage devices seem to be working just fine behind Linksys
boxes.  And, you're pointing out a failure of crappy NAT boxes, not of
NAT itself.  The technology is sound, the implementation is
questionable.
 
> Summary - NAT is the spawn of some unseen dark power conspiring with
> evil consumer-grade hardware vendors to shackle you with exploitable
> false security and deny you the goodness of VoIP.  Was that over the
> top?  

It was over the top, because it was wrong.  You're making blanket
statements that do not apply to every NAT device.
 
> IPV6... a better network... a better life.  

Understand that I have no problems with IPv6.  In and of itself, it's
fine.  It's the migration that is the problem.  Let me repeat that.  The
migration to IPv6 is the problem, not IPv6 itself.  This is an arduous
task that needs a killer app to get me off my ass and do something.
Until then, I'm going to continue to be blind to the reasons for
migrating to IPv6.

Mike
-- 
"If life hands you lemons, YOU BLOW THOSE LEMONS TO BITS WITH 
 YOUR LASER CANNONS!" -- Brak

GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF  C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc

