[arin-ppml] Set aside round deux

Roger Marquis marquis at roble.com
Thu Aug 5 00:05:37 EDT 2010


>> "many common consumer applications", such as?
>>
> Almost any of the P2P apps requiring an outside host to initiate a
> connection. Again, port forwarding or DMZ hosting will resolve that but it
> is a lot more time (read money) to walk a casual consumer through
> accomplishing that than it would be to adjust an SPI firewall.

If the consumer had spent just a few extra dollars for better equipment
they may not have had to get tech support in the first place.  I've used
FrostWire through Cisco and Juniper firewalls without such
application-specific mods.  Are you saying the cost of cheap CPE, plus
support, plus reduced security is less than the cost of more capable
gear?  My take would be that would only be true as long as the cheap
CPE with inbound holes doesn't lead to an intrusion.

> And this is different from getting the 'security officer' to create a PAT
> rule for NAT how, aside from taking much less time to accomplish?

Granted it is different but then you're talking about opening a firewall
to inbound connections without stateful inspection, or at best with minimal
inspection (without deep packet inspection).  Wouldn't you agree?

> As has been said multiple times here, any security benefits from NAT come
> from the SPI firewall that is required to implement NAT, not from the NAT
> itself.

Well, yes and no.  The security benefits of NAT do come from SPI to a
degree, as you've indicated, but they also ensure that degree of security
in a way that other methods of filtering inbound connections have not done
to date.

Be that as it may I think the best policy, even for cheap CPE, is not to
deny consumers a choice of NAT and non-NAT devices, especially when
giving them NAT makes IPv6 feasible.

Roger Marquis
