On Sun, 12 Jun 2016 19:47:18 -0400, Owen DeLong <o...@delong.com> wrote:
NAT may not be security, yet it's the only thing securing billions of
people.
Nope… NAT Can’t be done without stateful inspection.
Negative.
- 1:1 NAT (inside address A == outside address B) requires no state of any
kind.
- Connection Tracking is not stateful inspection
- NAT Helpers / ALG / etc. (things that look for embedded addresses)
aren't "stateful inspection"
The only "security" one gets from NAT comes from the lack of outside
visibility through the NAT. An outside host cannot initiate a connection
to any specific inside host of their choosing.
I've seen many "IPv6 Capable" CPEs that apply ZERO security to IPv6
traffic. IPv4 goes through NAT, so one gets the pseudo-security of not
being directly touchable from the internet.
