[GTALUG] NAT [was Re: Linux hardening question]

James Knott james.knott at rogers.com
Sun Jul 2 09:21:59 EDT 2017


On 07/02/2017 09:08 AM, Russell via talk wrote:
> I came across this memo of general interest to this topic. Section 4 in particular.
>
> https://tools.ietf.org/rfc/rfc4864.txt
>
> 4. Using IPv6 Technology to Provide the Market Perceived Benefits of NAT
>
> The facilities in IPv6 described in Section 3 can be used to provide the protection perceived to be associated with IPv4 NAT. This section gives some examples of how IPv6 can be used securely.

Yep.  While I haven't read that RFC, I knew that a long time ago.  The
sole reason NAT provides protection is the stateful nature of it. 
That's set up when an outgoing connection is made, allowing the reverse
traffic.  Beyond that, you have to have some means of specifically
allowing incoming traffic.  This is no different from a firewall that
has default deny all and rules added to permit access.  Of course, not
using NAT means you can access the same service on multiple devices,
without changing port numbers etc.  On top of this, NAT requires hacks,
such as VTUN, to get around the problems it causes.  This is even before
we get to those who are behind carrier grade NAT and have no means of
reaching their own network from the outside.
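The stateful default-deny firewall James describes, written out as an nftables ruleset for an IPv6 router, as an added example that is not part of the original post or the RFC. The interface names wan0 and lan0 and the inside hosts (under the documentation prefix 2001:db8::/32) are assumptions.

```nftables
# Stateful default-deny ruleset for a two-interface IPv6 router
# (wan0 = upstream, lan0 = inside). Names and addresses are assumed;
# 2001:db8::/32 is the documentation prefix. There is no NAT anywhere:
# all of the protection comes from connection tracking.
flush ruleset

table inet filter {
    chain input {
        # Traffic addressed to the router itself: drop unless allowed below
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        # Replies to connections the router opened (the "stateful" part)
        ct state established,related accept
        ct state invalid drop
        # ICMPv6 carries neighbor discovery and path MTU discovery;
        # dropping it breaks IPv6 (RFC 4890 lists what to allow)
        meta l4proto ipv6-icmp accept
        # Manage the router from the LAN side only
        iifname "lan0" tcp dport 22 accept
    }

    chain forward {
        # Traffic crossing the router between wan0 and lan0
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        meta l4proto ipv6-icmp accept

        # Anything from inside may go out; the reply comes back in
        # through the established,related rule above, exactly as it
        # would behind a NAT
        iifname "lan0" oifname "wan0" accept

        # Unsolicited inbound traffic needs an explicit rule per host
        # and service. Since no addresses are rewritten, the same port
        # can be opened on as many inside hosts as needed.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1::10 tcp dport 22 accept
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1::20 tcp dport 22 accept
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; the forward chain is only consulted once `net.ipv6.conf.all.forwarding` is enabled on the router.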


