On Wed, Nov 16, 2011 at 11:11 AM, Owen DeLong <o...@delong.com> wrote:
> On Nov 15, 2011, at 2:01 PM, William Herrin wrote:
>> On Tue, Nov 15, 2011 at 4:50 PM, Mark Andrews <ma...@isc.org> wrote:
>>> If you want to use unroutable addresses then use a bastion host /
>>> proxy.
>>
>> What is a modern NAT but a bastion host proxy for which application
>> compatibility has been maximized?
>
> It is a mechanism for header mutilation which creates additional costs
> in hardware (cost of routers), software (development of NAT traversal
> code in various applications, NAT software in some cases), security
> (NAT obfuscates audit trails and increases the difficulty and cost of
> event correlation, forensics, abuser identification, and attack source
> identification and mitigation, etc.).

In other words, all of the things a proxy does but without sacrificing
as many applications.

-Bill

--
William D. Herrin ................ her...@dirtside.com  b...@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004