Hi, Wes,

On 03/31/2014 04:16 PM, George, Wes wrote:
>
>> Why does everyone believe NAT (NAPT really) is security by obscurity?
>> For the port translation portion it makes it harder, 64k harder, to find
>> the open ports (ok really less than 32k harder due to the birthday
>> paradox but still).
> WG] IMO “harder to attack because harder to find” is pretty much the
> definition of security by obscurity. That’s not to say that security by
> obscurity adds no value, but I don’t believe that it’s of such high value
> that it can’t be replaced with other things.

I think that each "mitigation" has its place. Most of them are complementary.

> My point is that justifying (or worse, REQUIRING) NAT in a firewall
> because it gives you BCP38 or security by obscurity is solving for the
> wrong thing and conflating the primary purpose of NAT (address
> sharing/rewriting) with some of the arguably helpful side effects of using
> it. Preventing spoofed traffic, and providing proper security is a good
> goal. There are other ways to get there besides NAT.

FWIW, I agree with the above.

That said, we're specifying requirements as "required" and "optional", too. So one might list this feature as optional, without that meaning that supporting some sort of IPv6 NAT functionality is really required.

Again, I'm not yet arguing in favor or against some sort of IPv6 NAT, but rather trying to foster discussion of this topic.

Thanks!

Cheers,
--
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
