The brilliant and problematic property of the translation (and why I think it will catch up) is that it allows you to easily make your today's problems someone else's problems five years down the road. No one gives a ding about what happens in five years in one's network - let alone the larger internet.

BTW, next time you talk with the "address-hiding security" fans, check what result they get from http://panopticlick.eff.org/ - very curious!




I'm one of those "address-hiding security" fans - I've architected and deployed more than 7 million (currently operational) IPv6 nodes, 100% of them in RFC 4193 space. We have many layers of security. Link Layer Security, Application Layer Security, Firewall Security, IPsec Security, App Transport Security in addition to the non-routability security.

I've never understood security professionals who turn their nose up at the usefulness of using a non-routable IP address in your environment. It's always seemed self-evident to me that putting your resources on something like "192.168.1.5" - on an internal network, in addition to all of the other steps you take - would be yet another layer of defense that makes an attacker's life difficult. And, in an enterprise environment, I would rather optimize for security than ease of two-way communication with external entities.


Do you really NAT all those meters though? It seems much more likely to me that you only have one or two specialized ALGs running.

One-to-many NAT really makes an attacker's life easier in a lot of ways - at least as far as computer networks that support active users. NAT makes it much easier to hide from flow analysis and IDS, and the proliferation of NAT traversal and tunnels to escape NAT makes it much harder to spot rogue traffic. Let's not forget the classes of attacks that private v4 space has eased, like DNS rebinding and home router attacks.

It's interesting: the only network I knew of that was IPv6, aggressively secured and that many nodes is DISA, which definitely doesn't allow any public network traffic - and yet uses global address space.
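The abuse-tracking and flow-analysis point raised in this thread (many internal hosts sharing one public address) can be made concrete. The following is an added example, not code from any commenter: it parses a constructed, hypothetical NAT translation log and answers the question an abuse report poses ("which internal host was 203.0.113.7:40001 at 10:01 UTC?"). The log format, addresses (RFC 1918 and RFC 5737 documentation ranges) and time window are all assumptions made for the example; with per-host global addresses the report would name the host directly and no such lookup would be needed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed NAT translation log in a hypothetical syslog-style format
# (not the output of any real device). Note that public port 40001 is
# reused by a different internal host twelve minutes later.
NAT_LOG = """\
2024-03-01T10:00:00Z NAT proto=tcp src=10.0.0.5:51234 xlate=203.0.113.7:40001 dst=198.51.100.9:443
2024-03-01T10:00:02Z NAT proto=tcp src=10.0.0.17:49152 xlate=203.0.113.7:40002 dst=198.51.100.9:443
2024-03-01T10:12:30Z NAT proto=tcp src=10.0.0.23:52000 xlate=203.0.113.7:40001 dst=192.0.2.44:80
this line is malformed and must be ignored by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) NAT proto=(?P<proto>\w+) "
    r"src=(?P<src>[^:\s]+):(?P<sport>\d+) "
    r"xlate=(?P<xip>[^:\s]+):(?P<xport>\d+) "
    r"dst=(?P<dst>[^:\s]+):(?P<dport>\d+)$"
)


def when(iso_z):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp into an aware UTC datetime."""
    return datetime.strptime(iso_z, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_nat_log(text):
    """Parse translation records into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = when(rec["ts"])
        for k in ("sport", "xport", "dport"):
            rec[k] = int(rec[k])
        records.append(rec)
    return records


def attribute(records, public_ip, seen_at, public_port=None, window=timedelta(minutes=5)):
    """Return the internal addresses that could have been behind public_ip(:port) near seen_at.

    Public ports are recycled, so the timestamp window is essential. If the report
    omits the port, the answer degrades to every host translated to that IP at the time.
    """
    lo, hi = seen_at - window, seen_at + window
    hits = set()
    for r in records:
        if r["xip"] != public_ip or not (lo <= r["ts"] <= hi):
            continue
        if public_port is not None and r["xport"] != public_port:
            continue
        hits.add(r["src"])
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_nat_log(NAT_LOG)
    report = when("2024-03-01T10:01:00Z")
    print(attribute(recs, "203.0.113.7", report, public_port=40001))  # ['10.0.0.5']
    print(attribute(recs, "203.0.113.7", report))                     # ['10.0.0.17', '10.0.0.5']
```

The point for a defender is that every successful attribution above depends on the NAT device having logged each translation with port and time, and on that log being retained; lose either and the public IP in the report identifies only the NAT box.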


Once again - "addressability != accessibility". I think the benefits of being able to reference the host even if for abuse tracking, or netflow cross-correlation, etc. - outweigh the obscurity advantages of NATs.

If I were concerned to have a diode-like gateway, I'd get a stateful firewall, or on Cisco boxes, configure the reflexive ACL. It comes for free with the base code, IIRC.

This all said - each individual network's mileage can vary, so we could argue till dawn - and I think we'd need to agree to disagree on the matter of the "security of NAT" :) If it makes someone sleep better - I think it's served its purpose. Much like throwing away the soda bottle before boarding the plane.
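To illustrate "addressability != accessibility" and the diode-like gateway described in the comment above, here is an added example that is not part of the thread and not any vendor's implementation: a toy connection-tracking filter in the spirit of a reflexive ACL. Hosts sit in a constructed global prefix (2001:db8:1::/48, from the IPv6 documentation range) and are fully addressable, yet only replies to flows they initiated get in; everything else is dropped, and every verdict is logged against the host's real address so flows can be cross-correlated later. The `Packet` class, the timeout value and the traffic sequence in `demo()` are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class ReflexiveFilter:
    """Minimal connection-tracking filter (hypothetical toy model).

    Outbound flows are recorded as the exact reply 5-tuple they expect; an inbound
    packet is accepted only if it matches a recorded tuple that has not idled out.
    """

    def __init__(self, inside_prefix, idle_timeout=300):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.idle_timeout = idle_timeout
        self.state = {}      # reply 5-tuple -> expiry time (seconds)
        self.flow_log = []   # (time, verdict, packet) kept for later cross-correlation

    def _is_inside(self, addr):
        return ipaddress.ip_address(addr) in self.inside

    def _expire(self, now):
        for key in [k for k, exp in self.state.items() if exp <= now]:
            del self.state[key]

    def process(self, pkt, now):
        self._expire(now)
        src_in, dst_in = self._is_inside(pkt.src), self._is_inside(pkt.dst)
        if src_in and not dst_in:
            # Outbound: remember the reply tuple, as a reflexive ACL entry would.
            reply = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            self.state[reply] = now + self.idle_timeout
            verdict = "accept"
        elif dst_in and not src_in:
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.state:
                self.state[key] = now + self.idle_timeout  # refresh on matching traffic
                verdict = "accept"
            else:
                verdict = "drop"  # addressable, but not accessible unsolicited
        else:
            verdict = "accept"  # inside-to-inside or transit traffic is out of scope here
        self.flow_log.append((now, verdict, pkt))
        return verdict


def demo():
    """Constructed traffic sequence against a constructed inside prefix."""
    fw = ReflexiveFilter("2001:db8:1::/48")
    host, web = "2001:db8:1::10", "2001:db8:ffff::1"
    out = fw.process(Packet("tcp", host, 51000, web, 443), now=0)      # outbound, accepted
    back = fw.process(Packet("tcp", web, 443, host, 51000), now=1)     # reply, accepted
    probe = fw.process(Packet("tcp", web, 40000, host, 22), now=2)     # unsolicited, dropped
    stale = fw.process(Packet("tcp", web, 443, host, 51000), now=302)  # idled out, dropped
    return out, back, probe, stale, len(fw.flow_log)


if __name__ == "__main__":
    print(demo())  # ('accept', 'accept', 'drop', 'drop', 4)
```

Because nothing is rewritten, `flow_log` records the inside host's own address; a NetFlow or IDS record from anywhere on the path names the same host, which is the correlation benefit the comment refers to.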


> I would rather optimize for security than ease of two-way communication with external entities.

So in case of your networks Skype traffic will go through third-party servers ...
