nanog mailing list archives

Re: Arguing against using public IP space


From: Phil Regnauld <regnauld () nsrc org>
Date: Sun, 13 Nov 2011 23:46:31 +0100

Doug Barton (dougb) writes:
On 11/13/2011 13:27, Phil Regnauld wrote:
    That's not exactly correct. NAT doesn't imply firewalling/filtering.
    To illustrate this to customers, I've mounted attacks/scans on
    hosts behind NAT devices, from the interconnect network immediately
    outside: if you can point a route with the ext ip of the NAT device
    as the next hop, it usually just forwards the packets...

Have you written this up anywhere? It would be absolutely awesome to be
able to point the "NAT IS A SECURITY FEATURE!!!" crowd to an actual
demonstration of why it isn't.

        Nope, but I could do a quick tut on how to do this against a natd/pf/
        iptables or IOS with IP overload.

        Arguably in *most* cases your CPE or whatever is NATing is behind
        some upstream device doing ingress filtering, so you still need to
        be compromising a device fairly close to the target network.

        P.
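As an added illustration of the point made above (this is not from the thread or its authors), here are two pf.conf variants in the older FreeBSD-style pf syntax: the first only translates outbound traffic and passes everything, so a packet that arrives on the external interface already addressed to an inside host is simply routed like any other; the second keeps the identical NAT rule but adds a default deny on the external interface and relies on state, which is the filtering that NAT by itself never provided. The interface names, the inside prefix and the assumption that IP forwarding is enabled are placeholders chosen for the example.

```pf
# Added example, not from the thread. Assumed names: em0 (external),
# em1 (internal), 10.0.0.0/24 (inside prefix); net.inet.ip.forwarding=1.
ext_if  = "em0"
int_if  = "em1"
int_net = "10.0.0.0/24"

# ===== Variant A: NAT only (weak) ======================================
# Outbound packets from the inside are rewritten to the external address,
# but "pass all" means a packet arriving on $ext_if that is already
# addressed to 10.0.0.x is forwarded unchanged: translation happened,
# filtering never did.
nat on $ext_if from $int_net to any -> ($ext_if)
pass all

# ===== Variant B: NAT plus stateful filtering (corrected) ==============
# Same translation, but nothing enters on $ext_if unless it matches a
# state entry created by traffic that left through $ext_if.
set skip on lo0
nat on $ext_if from $int_net to any -> ($ext_if)
antispoof quick for $int_if         # drop inside-sourced packets arriving on other interfaces
block in log on $ext_if             # default deny for unsolicited inbound on the outside
pass out on $ext_if keep state      # replies to outbound sessions are allowed back in
pass in on $int_if from $int_net to any keep state
```

Load either variant with `pfctl -nf /etc/pf.conf` first to check syntax, then `pfctl -f /etc/pf.conf`. With variant B, `tcpdump -n -e -ttt -i pflog0` shows the blocked inbound packets, which is a quick way to confirm that the box is now dropping what it used to route. The upstream ingress filtering mentioned in the reply is an extra layer you may or may not have; the rule set at the edge is the part you control.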


