[ppml] those pesky users...

Owen DeLong owen at delong.com
Tue Mar 27 16:28:28 EDT 2007


On Mar 27, 2007, at 1:05 PM, George Kuzmowycz wrote:

>
>
>>>> "Ted Mittelstaedt" <tedm at ipinc.net> 03/27/2007 3:30:58 PM >>>
>
>> The biggest thing that encourages NAT from a corporate point of view
> is
>
> I won't get into "biggest" or "next biggest", but certainly a major
> factor in encouraging NAT in the corporate world is a generation of
> CIOs raised in the belief that NAT is a major component of an effective
> security policy. If the IP stack on the PC of Joe in Accounting has a
> 1918 address, then that evil packet from Romania won't get there. The
> absence of "end-to-end" in this view is not a design flaw, it is a
> desirable feature. For these purposes v4 vs v6 is irrelevant; they don't
> want a globally-routable address of either flavor on the vast majority
> of their machines.
>
You are, unfortunately, correct about the CIO/other management and even
some IT professionals' misconception of the role of NAT in this process.

The reality is that what they care about is stateful inspection, and, you
can't have overloaded NAT without stateful inspection, so, most people
don't truly understand the distinction.  The reality is that NAT can be
implemented without stateful inspection (as long as it isn't overloaded,
or, even if overloaded, you at least have some control over which
services are reachable), just as easily as stateful inspection can be
implemented without NAT.  So, NAT provides NO security benefit
directly, and, is not required for stateful inspection which actually
does provide the security benefit.

The global uniqueness or not of the address on a particular host
is actually irrelevant to security, but, there is an unfortunately large
body of religion who does not understand or accept this basic
fact.

Hopefully, they will eventually discover that Galileo was right and
the world is round.


Owen
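The distinction Owen draws above, as an added worked example that is not part of the original post: a toy model of a stateful packet filter (connection tracking, no address rewriting) beside a stateless 1:1 address translator (address rewriting, no connection tracking). The addresses are constructed from the documentation ranges (10.0.0.0/8, 203.0.113.0/24, 198.51.100.0/24, 2001:db8::/32); the class and function names are this example's own. The model shows that the filter drops an unsolicited inbound packet whether the inside host has an RFC 1918 or a globally unique address, while the translator alone delivers it.

```python
"""Toy model of two mechanisms that are often conflated: a stateful
packet filter and a stateless 1:1 address translator.

Constructed example; not code from the mailing-list post."""

import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class StatefulFilter:
    """Default-deny toward the inside; forwards inbound packets only when
    they belong to a flow an inside host initiated.  Addresses are never
    rewritten, so it behaves identically for RFC 1918 and global prefixes."""

    def __init__(self, inside_prefix: str):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.flows: set[tuple] = set()  # (in_ip, in_port, out_ip, out_port)

    def _is_inside(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.inside

    def forward(self, pkt: Packet) -> Optional[Packet]:
        if self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
            # Outbound: remember the 4-tuple so the reply is recognised.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return pkt
        if not self._is_inside(pkt.src) and self._is_inside(pkt.dst):
            # Inbound: only the reverse of a known flow gets through.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
                return pkt
            return None  # unsolicited: dropped
        return None  # same-side traffic is out of scope for the toy


class StaticNAT:
    """Stateless 1:1 translation between inside and outside addresses.
    It keeps no table and makes no accept/deny decision: anything that
    arrives for a mapped outside address is rewritten and delivered."""

    def __init__(self, mapping: dict[str, str]):
        self.out_of = dict(mapping)                       # inside -> outside
        self.in_of = {o: i for i, o in mapping.items()}   # outside -> inside

    def forward(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src in self.out_of:
            return replace(pkt, src=self.out_of[pkt.src])
        if pkt.dst in self.in_of:
            return replace(pkt, dst=self.in_of[pkt.dst])
        return None  # no mapping: not routable in either direction


def demo() -> dict[str, bool]:
    """Does an unsolicited inbound SYN, or a legitimate reply, reach the
    inside host under each mechanism?  Addresses are constructed."""
    results: dict[str, bool] = {}

    # Case 1: RFC 1918 inside address behind stateless 1:1 NAT.  The
    # attacker only needs to know the mapped outside address.
    nat = StaticNAT({"10.0.0.5": "203.0.113.5"})
    evil4 = Packet("198.51.100.9", "203.0.113.5", 40000, 445)
    results["nat_delivers_unsolicited"] = nat.forward(evil4) is not None

    # Case 2: globally unique IPv6 address behind a stateful filter, no NAT.
    fw6 = StatefulFilter("2001:db8:1::/64")
    host, server = "2001:db8:1::5", "2001:db8:ffff::80"
    fw6.forward(Packet(host, server, 51000, 443))          # host opens a flow
    reply = Packet(server, host, 443, 51000)
    results["stateful_passes_reply"] = fw6.forward(reply) is not None
    evil6 = Packet("2001:db8:dead::1", host, 40000, 445)
    results["stateful_delivers_unsolicited"] = fw6.forward(evil6) is not None

    # Case 3: the same filter in front of an RFC 1918 prefix.  The verdict
    # depends on the flow table, not on the address family or its scope.
    fw4 = StatefulFilter("10.0.0.0/8")
    evil4_direct = Packet("198.51.100.9", "10.0.0.5", 40000, 445)
    results["stateful_v4_delivers_unsolicited"] = (
        fw4.forward(evil4_direct) is not None
    )
    return results


if __name__ == "__main__":
    for name, reached in demo().items():
        print(f"{name}: {reached}")
```

The reason the two are hard to tell apart in practice is that real implementations fuse them: Linux netfilter NAT, for instance, is built on the connection-tracking table, so enabling overloaded NAT there necessarily gives you a stateful filter as well. The model above separates the two so the security decision (forward or drop) can be seen to live entirely in the flow table.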




More information about the ARIN-PPML mailing list