[arin-ppml] Just a reminder of some quick mathematicsfor IPv4that shows the long term impossibility of it

George Herbert george.herbert at gmail.com
Wed May 18 21:33:02 EDT 2011

On Wed, May 18, 2011 at 5:11 PM, Owen DeLong <owen at delong.com> wrote:
> What utility does NAT offer other than conserving addresses that cannot be
> better accomplished by other technologies if you don't lack addresses?
>        Security: Provably false. NAT does not improve security, stateful
>                inspection provides security.

I've had this argument with Owen in person (and many others in
person), but asymmetrical routability and NAT provide some benefits to
security.  The statement "does not improve security" is provably

Stateful inspection is MUCH BETTER - yes.  But even stateful
inspection isn't perfect if there are application layer
vulnerabilities that the stateful inspector is not aware of.  I
remember the time before buffer overflow...

At the very least, NAT and its ilk provide information limitations on
potential attackers.  This is not absolute, but neither is any other
aspect of security.

Security (and many other IT problems, generalizing) are statistical
games of time-variable exposure potential and probability of exploit
on known and unknown exposures.  Anything which limits the attack
space is of utility.

How is this relevant to ARIN and policy?  Policy should not be
dictating technical solutions.  I'm all for IPv6.  I'm also all for
NAT.    Policy that attempts to exclude viable solutions at the
technical level is unwise.

-george william herbert
george.herbert at gmail.com

More information about the ARIN-PPML mailing list