nanog mailing list archives
Re: IPv6 uptake (was: The Reg does 240/4)
From: Tom Beecher <beecher () beecher cc>
Date: Sat, 17 Feb 2024 09:16:23 -0500
Any given layer of security can be breached with expense and effort. Breaching every layer of security at the same time is more challenging than breaching any particular one of them. The use of NAT adds a layer of security to the system that is not otherwise there. Think of it like this: you have a guard, you have a fence and you have barbed wire on top of the fence. Can you secure the place without the barbed wire? Of course. Can an intruder defeat the barbed wire? Of course. Is it more secure -with- the barbed wire? Obviously.
Bill- In a security context, NAT/PAT only provides *obfuscation* of the internal numbering and source ports of the networks on the inside of the NAT/PAT device. "Security by obscurity" is a well debunked maxim by now. Any perceived benefits that obscurity provides are gone as soon as the information attempting to be hidden can be discovered, or the methods by which it functions are known. It may slightly deter the lazy, but techniques to discover the otherwise 'hidden' numbering and port usage have existed for decades. On Fri, Feb 16, 2024 at 10:28 PM William Herrin <bill () herrin us> wrote:
On Fri, Feb 16, 2024 at 7:10 PM John Levine <johnl () iecc com> wrote:If you configure your firewall wrong, bad things will happen. I havebothIPv6 and NAT IPv4 on my network here and I haven't found it particularly hard to get the config correct for IPv6.Hi John, That it's possible to implement network security well without using NAT does not contradict the claim that NAT enhances network security. That it's possible to breach the layer of security added by NAT does not contradict the claim that NAT enhances network security. Any given layer of security can be breached with expense and effort. Breaching every layer of security at the same time is more challenging than breaching any particular one of them. The use of NAT adds a layer of security to the system that is not otherwise there. Think of it like this: you have a guard, you have a fence and you have barbed wire on top of the fence. Can you secure the place without the barbed wire? Of course. Can an intruder defeat the barbed wire? Of course. Is it more secure -with- the barbed wire? Obviously. Regards, Bill Herrin -- William Herrin bill () herrin us https://bill.herrin.us/
Current thread:
- Re: IPv6 uptake (was: The Reg does 240/4), (continued)
- Re: IPv6 uptake (was: The Reg does 240/4) John Levine (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) John R. Levine (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) Ryan Hamel (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) Justin Streiner (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) Owen DeLong via NANOG (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) Steven Sommars (Feb 18)
- Re: IPv6 uptake Stephen Satchell (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) Tom Beecher (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) Owen DeLong via NANOG (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) Owen DeLong via NANOG (Feb 17)
- RE: IPv6 uptake (was: The Reg does 240/4) Howard, Lee via NANOG (Feb 19)
- Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 19)
- Re: IPv6 uptake (was: The Reg does 240/4) Jay R. Ashworth (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) Owen DeLong via NANOG (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) Matthew Walster via NANOG (Feb 18)
- Re: IPv6 uptake (was: The Reg does 240/4) Daniel Marks via NANOG (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) Owen DeLong via NANOG (Feb 17)
- Re: IPv6 uptake Michael Thomas (Feb 17)