nanog mailing list archives
Re: Arguing against using public IP space
From: Phil Regnauld <regnauld () nsrc org>
Date: Sun, 13 Nov 2011 23:46:31 +0100
Doug Barton (dougb) writes:
On 11/13/2011 13:27, Phil Regnauld wrote:That's not exactly correct. NAT doesn't imply firewalling/filtering. To illustrate this to customers, I've mounted attacks/scans on hosts behind NAT devices, from the interconnect network immediately outside: if you can point a route with the ext ip of the NAT device as the next hop, it usually just forwards the packets...Have you written this up anywhere? It would be absolutely awesome to be able to point the "NAT IS A SECURITY FEATURE!!!" crowd to an actual demonstration of why it isn't.
Nope, but I could do a quick tut on how to do this against a natd/pf/ iptables or IOS with IP overload. Arguably in *most* cases your CPE or whatever is NATing is behind some upstream device doing ingress filtering, so you still need to be compromising a device fairly close to the target network. P.
Current thread:
- Re: Arguing against using public IP space, (continued)
- Re: Arguing against using public IP space Jay Ashworth (Nov 15)
- Re: Arguing against using public IP space Mark Andrews (Nov 15)
- Re: Arguing against using public IP space Owen DeLong (Nov 16)
- Re: Arguing against using public IP space -Hammer- (Nov 16)
- Re: Arguing against using public IP space Owen DeLong (Nov 16)
- Re: Arguing against using public IP space Ray Soucy (Nov 16)
- Re: Arguing against using public IP space -Hammer- (Nov 16)
- Re: Arguing against using public IP space Jay Ashworth (Nov 15)
- Re: Arguing against using public IP space Owen DeLong (Nov 15)
- Re: Arguing against using public IP space Ray Soucy (Nov 15)
- Re: Arguing against using public IP space Phil Regnauld (Nov 13)
- Re: Arguing against using public IP space Jay Ashworth (Nov 13)
- Re: Arguing against using public IP space Jeff Kell (Nov 13)
- Re: Arguing against using public IP space Cameron Byrne (Nov 13)
- Re: Arguing against using public IP space Robert Bonomi (Nov 13)
- Re: Arguing against using public IP space Jay Ashworth (Nov 13)
- Re: Arguing against using public IP space Jeroen van Aart (Nov 14)
- Re: Arguing against using public IP space William Herrin (Nov 15)
- Re: Arguing against using public IP space Michael Sinatra (Nov 15)
- Re: Arguing against using public IP space Owen DeLong (Nov 15)
- Have they stopped teaching Defense in Depth? Jay Ashworth (Nov 15)