Date:      Tue, 2 Jun 1998 10:55:25 +0200
From:      Philippe Regnauld <regnauld@deepo.prosa.dk>
To:        Chrisy Luke <chrisy@flix.net>
Cc:        Paul Emerson <paul@gta.com>, freebsd-net@FreeBSD.ORG
Subject:   Re: ipv6 network addresses
Message-ID:  <19980602105525.36962@deepo.prosa.dk>
In-Reply-To: <19980602092305.52419@flix.net>; from Chrisy Luke on Tue, Jun 02, 1998 at 09:23:05AM +0100
References:  <199806012000.QAA14487@gta.gta.com> <19980602092305.52419@flix.net>

Chrisy Luke writes:
> Paul Emerson wrote (on Jun 01):
> > Repeat after me: All NAT solutions are not created equal.
> 
> I don't see why "Making everyone come from the same address" is so
> desirable. In itself it has no security built in, certainly none that
> can't better be provided and tracked by a firewall.

	Good NAT solutions use a pool of addresses (i.e.: Cisco),
	where hosts seem to come from different addresses each time.
	This also allows for semi-permanent "two-way" setups, allowing
	for example ftp back-connect and other horrible things transparently.

	Using the same address for everything is in fact not recommended
	as it increases visibility for your nat box, and the chance
	of getting same port numbers decreases.  Cisco calls this
	technique "overloading".

> Good network numbering can do effectively the same job significantly
> better and without overhead.

	It depends how big a fish you are.  If you get your block of
	addresses from your provider, like I do, and interconnect
	the networks of some 8 different organizations, then you don't
	want to have to renumber if you leave.  And there's a fat chance
	you'll get routed with less than /22, provided you had your own
	block in the first place.

	NAT is the poor man's independence.

> NAT is not a security measure, but an administrative mechanism for saving
> IPv4 address space and nothing more.

	... and not being subjected to provider pressure.

-- 
 -[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
     «Pluto placed his bad dog at the entrance of Hades to keep the dead
      IN and the living  OUT!  The archetypical corporate firewall?»
                                                       - S. Kelly Bootle
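The two NAT styles contrasted in the reply above (a per-host address pool versus Cisco-style "overloading" of one address) can be modelled with a small translation table. This is an added example, not code from the thread or from any vendor; the `Nat` class, its modes and the 203.0.113.x addresses are constructed for illustration.

```python
# Added illustration: a pool NAT hands each inside host its own outside
# address and can keep the original source port; an overloaded NAT puts
# everyone behind one address and must rewrite the port on collision.
POOL = "pool"          # one outside address per inside host
OVERLOAD = "overload"  # single outside address, ports rewritten as needed

class Nat:
    def __init__(self, outside, mode):
        self.outside = list(outside)   # outside addresses available to the box
        self.mode = mode
        self.table = {}   # (in_ip, in_port) -> (out_ip, out_port)
        self.ports = {}   # out_ip -> set of outside ports already in use
        self.hosts = {}   # in_ip -> out_ip, used in POOL mode only

    def free_addresses(self):
        """Outside addresses not yet bound to an inside host (POOL mode)."""
        return len(self.outside) - len(set(self.hosts.values()))

    def _pick_address(self, in_ip):
        if self.mode == OVERLOAD:
            return self.outside[0]            # everybody shares the first address
        if in_ip not in self.hosts:
            taken = set(self.hosts.values())
            free = [a for a in self.outside if a not in taken]
            if not free:
                raise RuntimeError("address pool exhausted")
            self.hosts[in_ip] = free[0]
        return self.hosts[in_ip]

    def translate(self, in_ip, in_port):
        """Return (out_ip, out_port) for a flow, creating the mapping once."""
        key = (in_ip, in_port)
        if key not in self.table:
            out_ip = self._pick_address(in_ip)
            used = self.ports.setdefault(out_ip, set())
            out_port = in_port
            # A collision can only happen when two hosts share an outside
            # address, i.e. in OVERLOAD mode; POOL mode never gets here.
            while out_port in used:
                out_port = out_port + 1 if out_port < 65535 else 1024
            used.add(out_port)
            self.table[key] = (out_ip, out_port)
        return self.table[key]

    def rewritten_ports(self):
        """How many flows had their source port changed by the NAT."""
        return sum(1 for (_, p), (_, q) in self.table.items() if p != q)
```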



