[arin-ppml] Just a reminder of some quick mathematicsfor IPv4that shows the long term impossibility of it
owen at delong.com
Thu May 19 01:12:54 EDT 2011
On May 18, 2011, at 6:33 PM, George Herbert wrote:
> On Wed, May 18, 2011 at 5:11 PM, Owen DeLong <owen at delong.com> wrote:
>> What utility does NAT offer other than conserving addresses that cannot be
>> better accomplished by other technologies if you don't lack addresses?
>> Security: Provably false. NAT does not improve security, stateful
>> inspection provides security.
> I've had this argument with Owen in person (and many others in
> person), but asymmetrical routability and NAT provide some benefits to
> security. The statement "does not improve security" is provably
Provably it is a NET security negative.
> Stateful inspection is MUCH BETTER - yes. But even stateful
> inspection isn't perfect if there are application layer
> vulnerabilities that the stateful inspector is not aware of. I
> remember the time before buffer overflow...
And NAT doesn't protect you from those, either. It just provides a false
sense of security.
> At the very least, NAT and its ilk provide information limitations on
> potential attackers. This is not absolute, but neither is any other
> aspect of security.
I believe this fits someone's earlier "screen doors improve the security
of vault doors" comment.
> Security (and many other IT problems, generalizing) are statistical
> games of time-variable exposure potential and probability of exploit
> on known and unknown exposures. Anything which limits the attack
> space is of utility.
Which NAT does not.
> How is this relevant to ARIN and policy? Policy should not be
> dictating technical solutions. I'm all for IPv6. I'm also all for
> NAT. Policy that attempts to exclude viable solutions at the
> technical level is unwise.
The point was that policy should not exclude non-NAT
solutions wherever possible.
More information about the ARIN-PPML