NAT, if my memory serves me right, is not a security mechanism - that is a by-product of its main goal of preventing the exhaustion of the v4 address space. IMHO (and flame me for this off-list if you want) NAT should not be used as protection - that is something Windows/Microsoft jumped on because the services on the OS were vulnerable, i.e. it introduced security without the devs doing much more work. IPv6 is going to give us true global end-to-end and you guys are talking about not using that?? Sorry, I had a few beers today.
Nathan Ward wrote:
On 17/02/2007, at 3:23 PM, Alastair Johnson wrote:
Jonny Martin wrote:
At the risk of taking this thread somewhere it shouldn't - do we even care about end to end connectivity anymore?
For the majority of people? No. End-to-End has been gone for a long time, as you correctly point out.
I wonder how many large ISPs are currently looking at NATing their dialup pools. Given that most people still using dialup these days don't actually need end-to-end connectivity, and it's low-bandwidth/low-connection volume (and reasonably easy to implement on the NAS, rather than needing giant NAT boxes), it's a quick win to reclaim some address space if you're really hurting.
Indeed. It's also likely that many of those customers are running older machines, and are more susceptible to attacks of some flavor directed at their network interfaces. If they are behind a NAT, these customers are more likely to be protected.
Those who need to run mail servers or something are on static IP addresses anyway. Those who want to run non-NAT-friendly applications can pay an extra $5/mo (or nothing, maybe) for the "full" service, and get a public IP when they dial in.
<tongue in cheek> Then, (if you choose to charge it) use that $5/mo to fund IPv6 deployment. If that doesn't give you enough $, the bulk of your customers clearly don't need end-to-end IP that much, so go home, and have a beer.
-- Nathan Ward
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
-- Stuart MacIntosh IT Consultancy & Technical Services Phone: +64 21 2259576 Email: stuart(a)linuxsecurity.co.nz