RE: Security gain from NAT (was: Re: Cool IPv6 Stuff)

["Tony Hain" <alh-ietf () tndh net>]

Jim Shankland wrote:
> Owen DeLong <owen () delong com> writes:
> > There's no security gain from not having real IPs on machines.
> > Any belief that there is results from a lack of understanding.
>
> This is one of those assertions that gets repeated so often people
> are liable to start believing it's true :-).
>
> *No* security gain?  No protection against port scans from Bucharest?
> No protection for a machine that is used in practice only on the
> local, office LAN?  Or to access a single, corporate Web site?
>
> Shall I do the experiment again where I set up a Linux box
> at an RFC1918 address, behind a NAT device, publish the root
> password of the Linux box and its RFC1918 address, and invite
> all comers to prove me wrong by showing evidence that they've
> successfully logged into the Linux box?  When I last did this,
> I got a handful of emails, some quite snide, suggesting I was
> some combination of ignorant, stupid, and reckless; the Linux
> box for some reason remained unmolested.
>
> Jim Shankland

Mangling the header did nothing for 'security'. The lack of state at the
network edge is the security tool here. A firewall provides that state
function without the side effect of header mangling. 

If you really believe in your 1918/nat providing security, do the experiment
you propose above, but put in a state mapping for the public address of the
nat to the 1918 address of your Linux box. 

Tony