In message <cap-gugxxm_dci6qrzr2aqmfonkh0afs2xdvvy-h-mpdxcrr...@mail.gmail.com>, William Herrin writes:

> On Tue, Nov 15, 2011 at 8:20 PM, Mark Andrews <ma...@isc.org> wrote:
> > Given that most NATs only use a small set of addresses on the inside
> > it is actually feasible to probe through a NAT using LSR.
> > Most attacks don't do this as there are lots of lower hanging fruit.
>
> Mark,
>
> My car can be slim-jimmed. Yet the lock is sufficiently operative in
> the security process that the two times the vehicle has been broken
> into the vagrant put a rock through the window instead of jimmying the
> lock.
>
> That's what it MEANS when you say that there's lower hanging fruit to
> be found elsewhere. It means that the feature you're describing is
> operative in the process of obstructing an attacker.
>
> As an aside to the debate, I boldly suggest that any firewall vendor
> which actually implements LSR or any of the IP source route
> functionality anywhere in their code deserves to be tarred and
> feathered. The security implications of source routing have been long
> understood. Code which implements source routing has no business
> existing in a commercial firewall product where it could accidentally
> be called. Please, by all means, take this opportunity to out any such
> errors which you can document.
Indeed. A NAT mangles packets. A firewall provides protection. You can combine the two, but expecting one to do the job of the other is just wrong and doesn't work.

> Regards,
> Bill Herrin
>
> -- 
> William D. Herrin ................ her...@dirtside.com  b...@herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
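As an added illustration of the policy Bill argues for above, that a firewall should refuse source-routed traffic outright, here is a small checker (example code written for this page, not from either poster or from any vendor) that parses an IPv4 header and flags the LSRR/SSRR options RFC 791 defines. The `build_ipv4` helper and the addresses are constructed test data, not captured traffic.

```python
import struct
from ipaddress import IPv4Address

# IPv4 option type bytes from RFC 791: loose and strict source routing.
LSRR = 0x83
SSRR = 0x89

def source_route_option(packet: bytes):
    """Return (kind, [hops]) if the IPv4 header carries a source-route
    option, None if it does not. Raises ValueError on a malformed header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    i = 20                                   # options start after the fixed header
    while i < ihl:
        opt = packet[i]
        if opt == 0:                         # End of Option List
            break
        if opt == 1:                         # NOP is a single byte
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option length byte missing")
        length = packet[i + 1]
        if length < 3 or i + length > ihl:
            raise ValueError("bad option length")
        if opt in (LSRR, SSRR):
            pointer, route = packet[i + 2], packet[i + 3:i + length]
            if pointer < 4 or len(route) % 4:
                raise ValueError("malformed source-route option")
            hops = [str(IPv4Address(route[j:j + 4])) for j in range(0, len(route), 4)]
            return ("LSRR" if opt == LSRR else "SSRR", hops)
        i += length
    return None

def should_drop(packet: bytes) -> bool:
    """Firewall rule: drop every source-routed packet; drop malformed ones too."""
    try:
        return source_route_option(packet) is not None
    except ValueError:
        return True

def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed test header only (checksum left zero); options padded to 4 bytes."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                        IPv4Address(src).packed, IPv4Address(dst).packed)
    return fixed + options

# Constructed samples: a plain header and one carrying an LSRR option naming an inside host.
LSRR_OPT = bytes([LSRR, 7, 4]) + IPv4Address("192.168.1.1").packed
PLAIN = build_ipv4("203.0.113.5", "198.51.100.7")
ROUTED = build_ipv4("203.0.113.5", "198.51.100.7", LSRR_OPT)
```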