nanog mailing list archives

Re: Redeploying most of 127/8 as unicast public

From: Måns Nilsson <mansaxel () besserwisser org>
Date: Sun, 21 Nov 2021 20:47:07 +0100

Subject: Re: Redeploying most of 127/8 as unicast public
Date: Sat, Nov 20, 2021 at 10:47:10PM -0500
Quoting Joe Maimon (jmaimon () jmaimon com):

> layer in front of these classes of devices or that they will be
> deployed|developed with sufficient/equivalent security without that layer is
> not nearly as reassuring.

The inside/outside paradigm inherent in the reasoning of the "NAT is a good,
big part of my firewall" crowd is woefully inadequate to describe and
counter the threats of today. The techniques to get past uni-reachability
(the NATted client can ask the net, but not in reverse) are many and
advanced. Since there is a somewhat inflated belief in the efficiency
of the unroutability paradigm, once inside, the rules tend to be relaxed.

It might very well be so that the resultant protection level will be better
once you realise you can't trust the net not to deliver packets to you.

Also, I much prefer writing firewall rules where the IP addresses don't
change in-flight. Less to screw up. 
-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE           SA0XLR            +46 705 989668
Of course, you UNDERSTAND about the PLAIDS in the SPIN CYCLE --
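The stance in the message above (do not rely on unroutability; state the "inside may initiate, outside may not" property explicitly, on addresses that are not rewritten in flight) is what a default-deny stateful ruleset expresses. The following nftables ruleset is an added example for this archive page, not something posted in the thread. It assumes a dual-stack host with interfaces named "lan0" and "wan0" and uses a documentation prefix (2001:db8:1::/64) as a stand-in for the admin network; both are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: explicit stateful filtering with no address translation.
# Interface names (lan0, wan0) and the admin prefix are assumptions.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback is always fine.
        iif "lo" accept

        # This single rule is the "uni-reachability" NAT is credited with:
        # replies to connections this host opened come back in, nothing else.
        ct state established,related accept
        ct state invalid drop

        # IPv6 does not work without ICMPv6 (neighbour discovery, PMTUD),
        # so these are allowed explicitly rather than as a side effect.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type echo-request limit rate 10/second accept
        icmp type echo-request limit rate 10/second accept

        # Services we actually mean to expose, matched on the real end-to-end
        # address. No rewrite happens in flight, so the rule means what it says.
        tcp dport 22 ip6 saddr 2001:db8:1::/64 accept   # assumed admin prefix
        tcp dport { 80, 443 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Hosts behind lan0 may initiate towards wan0; unsolicited traffic
        # from wan0 towards lan0 hits the default drop. Same property NAT
        # is assumed to give, stated as a rule and therefore auditable.
        iifname "lan0" oifname "wan0" accept
    }
}
```

Load it with `nft -f` and inspect the result with `nft list ruleset`; because no `nat` table exists, every address in `nft list ruleset` and in the conntrack table is the one the peer actually sees, which is the "less to screw up" property the message refers to.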
