nanog mailing list archives
Re: Failure modes: NAT vs SPI
From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Thu, 3 Feb 2011 20:47:48 +0100
On 3 feb 2011, at 20:09, Jay Ashworth wrote:
That's the expansion of "fails safe".
You conviently overlook my earlier message about this. But sure, let's assume that at some point, some packets from the outside manage to pass through to the inside in the IPv6 case. So how does anyone know where to send these packets in the first place? And if they do, what bad effects exactly do packets coming from the outside have? Ping of death has been fixed a loooong time ago. And you assume that NATs block packets very well. They don't. First of all, there's uPNP IGD and NAT-PMP. Depending on the type of NAT, the bindings are quite loose and allow lots of additional packets that don't belong to the NATed sessions in. After all, NATs only break incoming sessions by accident. Firewalls do this on purpose, so they do a much better job. If you really want to be safe, you should completely disconnect your network. Or at the very least not run any code, such as javascript and java, that comes in over the network. This is one of the biggest sources of real-world infections. Incoming packets haven't been since about the slammer worm era.
Current thread:
- Re: quietly...., (continued)
- Re: quietly.... Jack Bates (Feb 05)
- RE: quietly.... Lee Howard (Feb 06)
- Re: quietly.... isabel dias (Feb 06)
- Re: quietly.... Owen DeLong (Feb 06)
- Re: quietly.... Valdis . Kletnieks (Feb 04)
- Re: quietly.... Blake Dunlap (Feb 04)
- Re: quietly.... Jay Ashworth (Feb 04)
- Re: quietly.... Jack Bates (Feb 03)
- Re: quietly.... david raistrick (Feb 03)
- Failure modes: NAT vs SPI Jay Ashworth (Feb 03)
- Re: Failure modes: NAT vs SPI Iljitsch van Beijnum (Feb 03)
- Message not available
- Re: Failure modes: NAT vs SPI Iljitsch van Beijnum (Feb 07)
- Re: Failure modes: NAT vs SPI Owen DeLong (Feb 07)
- Re: Failure modes: NAT vs SPI Lamar Owen (Feb 10)
- Re: Failure modes: NAT vs SPI Owen DeLong (Feb 10)
- Re: Failure modes: NAT vs SPI Joel Jaeggli (Feb 10)
- Re: Failure modes: NAT vs SPI Jay Ashworth (Feb 07)
- Re: Failure modes: NAT vs SPI Valdis . Kletnieks (Feb 07)
- Re: Failure modes: NAT vs SPI Jack Bates (Feb 07)
- Re: Failure modes: NAT vs SPI Iljitsch van Beijnum (Feb 07)
- Re: quietly.... Iljitsch van Beijnum (Feb 03)