On 2/17/24 10:26 AM, Owen DeLong via NANOG wrote:
On Feb 16, 2024, at 14:20, Jay R. Ashworth <[email protected]> wrote:
----- Original Message -----
From: "Justin Streiner" <[email protected]>
4. Getting people to unlearn the "NAT=Security" mindset that we were forced
to accept in the v4 world.
NAT doesn't "equal" security.
But it is certainly a *component* of security, placing control of what internal
nodes are accessible from the outside in the hands of the people inside.
Uh, no… no it is not. Stateful inspection (which the kind of NAT (actually
NAPT) you are assuming here depends on) is a component of security. You can do
stateful inspection without mutilating the header and have all the same
security benefits without losing or complicating the audit trail.
Exactly. As I said elsewhere, the security properties of NAT were a
post-hoc rationalization. In the mean time, it has taken on its own life
as if not NAT'ing (but still having stateful firewalls) would end the
known security universe. We can seriously lose NAT for v6 and not lose
anything of worth.
Mike
