On 3/31/14, 11:56 AM, "Smith, Donald" <[email protected]> wrote:
> Why does everyone believe NAT (NAPT really) is security by obscurity?
> For the port translation portion it makes it harder, 64k harder, to find
> the open ports (ok really less than 32k harder due to the birthday
> paradox but still).

WG] IMO “harder to attack because harder to find” is pretty much the definition of security by obscurity. That’s not to say that security by obscurity adds no value, but I don’t believe that it’s of such high value that it can’t be replaced with other things. In other words, it’s not an immutable requirement for proper security.

> SRC based NAT meets the intent of bcp38 by preventing src based ip
> address spoofing. We (collectively) have millions of broadband customers
> that can't do src based IP address spoofing due to NAT.

WG] That certainly makes sense, but if that were consistently true, there’d be no reason to implement uRPF on DSLAMs or CMTSs, and we likely wouldn’t have the problem we have today with spoofed traffic coming from all over, given the prevalence of NATs in residential and enterprise networks. I have trouble explaining the existence of the amount of spoofed traffic that we seem to be fighting with today as originating solely from devices that are directly connected without any NAT in front of them. I think the reality is that there are plenty of NAT boxes that will happily pass all sorts of junk upstream, and MAYBE if they’re smart they’ll only try to NAT stuff sourced from their internal LAN and simply pass the other stuff unmolested.

My point is that justifying (or worse, REQUIRING) NAT in a firewall because it gives you BCP38 or security by obscurity is solving for the wrong thing and conflating the primary purpose of NAT (address sharing/rewriting) with some of the arguably helpful side effects of using it. Preventing spoofed traffic, and providing proper security is a good goal. There are other ways to get there besides NAT.
Wes George

Anything below this line has been added by my company’s mail server, I have no control over it.

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
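The distinction Wes draws above (a NAT that only rewrites LAN-sourced packets and passes everything else upstream, versus an edge router doing strict uRPF / BCP38 source validation) is easy to model. The following is an added example written for this thread, not code from either poster or from any vendor's CPE or router; the topology, prefixes (RFC 5737 documentation ranges) and packets are constructed, and the function names `nat_forward`, `urpf_strict` and `filter_at_edge` are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str          # source IPv4 address as text
    dst: str          # destination IPv4 address as text
    ingress_if: str   # interface the packet arrives on at the provider edge


def nat_forward(pkt: Packet, lan_prefix: str, wan_addr: str) -> Packet:
    """Model of a CPE NAT that only rewrites packets sourced from its own LAN.

    A packet whose source is not inside the LAN prefix (e.g. a spoofed source
    emitted by a compromised inside host) is passed upstream unmodified, which
    is exactly why NAT on its own does not deliver BCP38.
    """
    if ipaddress.ip_address(pkt.src) in ipaddress.ip_network(lan_prefix):
        return replace(pkt, src=wan_addr)   # NAPT: rewrite to the CPE's WAN address
    return pkt


def urpf_strict(pkt: Packet, iface_prefixes: dict[str, list[str]]) -> bool:
    """Strict uRPF / BCP38 ingress check at the provider edge.

    Accept only if the source address falls inside a prefix assigned to the
    interface the packet arrived on; anything else is treated as spoofed.
    """
    src = ipaddress.ip_address(pkt.src)
    return any(src in ipaddress.ip_network(p)
               for p in iface_prefixes.get(pkt.ingress_if, []))


# Constructed topology (documentation address ranges, not real networks):
LAN_PREFIX = "192.168.1.0/24"                         # customer's inside network
CPE_WAN_ADDR = "203.0.113.10"                         # NAT rewrites LAN sources to this
EDGE_IFACE_PREFIXES = {"cust1": ["203.0.113.0/24"]}   # prefix assigned to the customer-facing port

# Constructed packets as they leave the customer LAN toward the CPE.
SAMPLE_PACKETS = [
    Packet("192.168.1.20", "198.51.100.7", "cust1"),   # legitimate LAN host
    Packet("192.0.2.99", "198.51.100.7", "cust1"),     # spoofed source, not on the LAN
]


def filter_at_edge(packets):
    """Run each packet through the CPE NAT, then the edge uRPF check.

    Returns (original source, source as seen upstream, verdict) per packet.
    """
    results = []
    for pkt in packets:
        after_nat = nat_forward(pkt, LAN_PREFIX, CPE_WAN_ADDR)
        verdict = "accept" if urpf_strict(after_nat, EDGE_IFACE_PREFIXES) else "drop"
        results.append((pkt.src, after_nat.src, verdict))
    return results


if __name__ == "__main__":
    for original, seen_upstream, verdict in filter_at_edge(SAMPLE_PACKETS):
        print(f"{original:>14} -> {seen_upstream:>14} : {verdict}")
```

The legitimate packet is rewritten to the CPE's WAN address and passes the edge check; the spoofed packet traverses the NAT untouched and is only stopped because the provider edge validates sources independently of what the customer's NAT did.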
