[arin-ppml] Just a reminder of some quick mathematics for IPv4 that shows the long term impossibility of it
George Herbert
george.herbert at gmail.com
Wed May 18 21:33:02 EDT 2011
On Wed, May 18, 2011 at 5:11 PM, Owen DeLong <owen at delong.com> wrote:
>[...]
>
> What utility does NAT offer other than conserving addresses that cannot be
> better accomplished by other technologies if you don't lack addresses?
>
> Security: Provably false. NAT does not improve security, stateful
> inspection provides security.
I've had this argument with Owen in person (and many others in
person), but asymmetrical routability and NAT provide some benefits to
security. The statement "does not improve security" is provably
false.
Stateful inspection is MUCH BETTER - yes. But even stateful
inspection isn't perfect if there are application layer
vulnerabilities that the stateful inspector is not aware of. I
remember the time before buffer overflow...
At the very least, NAT and its ilk provide information limitations on
potential attackers. This is not absolute, but neither is any other
aspect of security.
Security (and many other IT problems, generalizing) are statistical
games of time-variable exposure potential and probability of exploit
on known and unknown exposures. Anything which limits the attack
space is of utility.
How is this relevant to ARIN and policy? Policy should not be
dictating technical solutions. I'm all for IPv6. I'm also all for
NAT. Policy that attempts to exclude viable solutions at the
technical level is unwise.
--
-george william herbert
george.herbert at gmail.com
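The two mechanisms argued over in this exchange, modelled side by side as an added toy example that is not part of the thread and not the code of any real NAT or firewall implementation. It assumes a simplified port-overloading NAT (no timers, no TCP state machine) and a connection-tracking filter that does not rewrite addresses; all addresses are constructed from the RFC 5737 documentation ranges. Running it shows that both devices drop an unsolicited inbound packet, that only the NAT hides the internal source address from the remote host, and that neither looks at the payload of a reply on an established flow, which is the gap the post points to for application-layer flaws.

```python
"""Toy model: NAT gateway vs. stateful (non-translating) firewall.

Constructed example for illustration; not a real implementation.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class StatefulFirewall:
    """Connection tracking only: outbound flows create state, inbound must match it."""
    table: set = field(default_factory=set)

    def outbound(self, pkt: Packet) -> Packet:
        # Remember the flow; the packet leaves with its real internal source address.
        self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt

    def inbound(self, pkt: Packet):
        # Accept only replies to a flow we have seen go out; payload is not examined.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return pkt if key in self.table else None


@dataclass
class NatGateway:
    """Port-overloading NAT (NAPT): rewrites the source and keeps a mapping table."""
    public_ip: str = "198.51.100.1"      # constructed public address
    next_port: int = 40000
    table: dict = field(default_factory=dict)   # (pub_port, dst, dport) -> (src, sport)

    def outbound(self, pkt: Packet) -> Packet:
        # Allocate a public port and record how to translate the reply back.
        pub_port = self.next_port
        self.next_port += 1
        self.table[(pub_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport, pkt.payload)

    def inbound(self, pkt: Packet):
        # No mapping means the packet was not solicited from inside: drop it.
        key = (pkt.dport, pkt.src, pkt.sport)
        if key not in self.table:
            return None
        src, sport = self.table[key]
        # Translate back to the internal host; payload is passed through untouched.
        return Packet(pkt.src, pkt.sport, src, sport, pkt.payload)


def run_scenario(device) -> dict:
    """Drive one outbound flow, its reply, and an unsolicited probe through `device`."""
    inside = Packet("10.0.0.7", 51000, "203.0.113.9", 443, b"GET /")
    wire = device.outbound(inside)
    # The remote host replies to whatever it saw on the wire, with an arbitrary body.
    reply = Packet(wire.dst, wire.dport, wire.src, wire.sport, b"200 OK (any body)")
    delivered = device.inbound(reply)
    # A different external host probes the address it can see, on a port never opened.
    probe = Packet("192.0.2.55", 4444, wire.src, 22, b"unsolicited")
    return {
        "wire_src": wire.src,                       # what the remote host learns
        "reply_delivered": delivered is not None and delivered.dst == inside.src,
        "reply_payload_untouched": delivered is not None and delivered.payload == reply.payload,
        "probe_dropped": device.inbound(probe) is None,
    }


if __name__ == "__main__":
    for dev in (NatGateway(), StatefulFirewall()):
        print(type(dev).__name__, run_scenario(dev))
```

The only row that differs between the two devices is `wire_src`: the NAT exposes `198.51.100.1` while the firewall exposes the internal `10.0.0.7`. Everything else, including the untouched payload on the established flow, is identical, which is why the unsolicited-inbound protection is a property of connection tracking rather than of address translation.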