[arin-ppml] Just a reminder of some quick mathematicsfor IPv4that shows the long term impossibility of it

[Owen DeLong]

On May 18, 2011, at 6:33 PM, George Herbert wrote:

> On Wed, May 18, 2011 at 5:11 PM, Owen DeLong <owen at delong.com> wrote:
>> [...]
>> 
>> What utility does NAT offer other than conserving addresses that cannot be
>> better accomplished by other technologies if you don't lack addresses?
>> 
>>        Security: Provably false. NAT does not improve security, stateful
>>                inspection provides security.
> 
> I've had this argument with Owen in person (and many others in
> person), but asymmetrical routability and NAT provide some benefits to
> security.  The statement "does not improve security" is provably
> false.
> 

Provably it is a NET security negative.

> Stateful inspection is MUCH BETTER - yes.  But even stateful
> inspection isn't perfect if there are application layer
> vulnerabilities that the stateful inspector is not aware of.  I
> remember the time before buffer overflow...
> 

And NAT doesn't protect you from those, either. It just provides a false
sense of security.

> At the very least, NAT and its ilk provide information limitations on
> potential attackers.  This is not absolute, but neither is any other
> aspect of security.
> 

I believe this fits someone's earlier "screen doors improve the security
of vault doors" comment.

> Security (and many other IT problems, generalizing) are statistical
> games of time-variable exposure potential and probability of exploit
> on known and unknown exposures.  Anything which limits the attack
> space is of utility.
> 

Which NAT does not.

> How is this relevant to ARIN and policy?  Policy should not be
> dictating technical solutions.  I'm all for IPv6.  I'm also all for
> NAT.    Policy that attempts to exclude viable solutions at the
> technical level is unwise.
> 

The point was that policy should not exclude non-NAT
solutions wherever possible.

Owen