Why does everyone believe NAT (NAPT really) is security by obscurity?
For the port translation portion it makes it harder, 64k harder, to find the 
open ports (ok really less than 32k harder due to the birthday paradox but 
still).

SRC based NAT meets the intent of BCP 38 by preventing src based IP address 
spoofing. We (collectively) have millions of broadband customers that can't do 
src based IP address spoofing due to NAT. 

(coffee != sleep) & (!coffee == sleep)
 [email protected]



From: OPSEC [[email protected]] on behalf of George, Wes 
[[email protected]]
Sent: Monday, March 31, 2014 5:34 AM
To: Qiong; [email protected]
Subject: Re: [OPSEC] comments for firewall draft




From: Qiong <[email protected]>




Just a quick question: I think NAT is a quite common function in firewall, is 
there some reason that it should not be included in IPv6 firewall ?


WG] Because NAT should not be used unless necessary. NAT is often confused with 
security (i.e. security by obscurity), but we’re really trying to break that 
conflation in IPv6 since it is also not necessary for address preservation and 
really shouldn’t be used for even 1:1 address translation since it is possible 
to add multiple addresses for hosts, so that they can have addresses for both 
internal and external scope, rather than the existing private/public NAT that 
happens in many networks today on IPv4. 


So if anything, the document probably needs words to that effect so that it’s 
explicitly clear that this is a non requirement.


Wes George


_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
