Hot Diggety! Derek J. Balling was rumored to have written:
> 
> > answering the question: WOULD it have ever forwarded if you had
> > routable IPs behind it? Did RFC1918 ever really save you? And if
> > not, why hold onto it?
> 
> If I never had a specific rule "forward a connection inward to
> $PRIVATE_IP_OF_SERVER", then the level of fat-fingering required for
> an inward NAT rule to spring into existence is significantly higher
> than for the amount needed to accidentally open a
> wider-hole-than-average to routable addresses.
> 
> I.e., in a publicly-routable address scenario, all that has to happen
> is for a single allow rule to be miswritten, and you can accidentally
> expose your entire infrastructure.
> 
> In a NAT'ed world, it requires both a misconfigured allow rule *AND*
> the accidental creation of static-NAT inward-mappings.
> 
> So, it stands to reason that the *former* error-mode, requiring only
> one concurrent error, is more likely than the *latter* error mode,
> requiring two or more concurrent errors.
> 
> And if you can place an additional road-block or speed-bump into the
> path of a potential security violation, why wouldn't you do so?

To summarize Derek's position: IPv4 NAT fails safe, IPv6 -- not so much.

I'm still undecided, though with reasonable change control and cross
verification procedures, I think I'd probably find it to be an
acceptable risk for use of IPv6 NAT given needs.

I can certainly see it both ways, though. (IPv6 with or without NAT.)

I'm certainly amused about how IPv6 (in general, not related to this
thread) has slowly moved from 'IPv6? What's that?' to 'IPv6? We might
need it... in another 30 years' to 'IPv6? Hey, where can I find good
books to cram on it super quick?!' :-)

-Dan
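The "one error versus two errors" argument quoted above can be made concrete with a small model of an inbound packet's path: an optional static-NAT (DNAT) stage, then a forward chain evaluated against the post-NAT destination. The following is an added illustration, not code from Derek's or Dan's posts; the firewall model, the exposed_hosts() audit, and the addresses (documentation prefixes 2001:db8::/32, 203.0.113.0/24, 198.51.100.0/24, 10.0.0.0/8) are all constructed for the example. It shows the same fat-fingered forward rule applied to a routable IPv6 network and to an RFC1918 network behind NAT, and counts which internal host:port pairs an outsider can actually reach in each case.

```python
"""Added example: does a single miswritten allow rule expose internal hosts?

Inbound packet path modelled here (simplified, assumed for the example):
  1. static inward NAT (DNAT) rewrites the destination if a mapping exists
  2. the forward chain is evaluated against the post-NAT destination;
     first match wins, otherwise the chain's default verdict applies
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    action: str                  # "accept" or "drop"
    dst: str                     # destination prefix, e.g. "10.0.0.0/8"
    dport: Optional[int] = None  # None matches any port

    def matches(self, ip, port):
        # ipaddress returns False for an address of the other IP version
        in_prefix = ip in ipaddress.ip_network(self.dst)
        return in_prefix and (self.dport is None or self.dport == port)


@dataclass
class Firewall:
    forward_rules: List[Rule]
    # (wan_ip, port) -> (inside_ip, port): the static inward mappings
    dnat: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    public_ips: List[str] = field(default_factory=list)  # WAN-side addresses
    default: str = "drop"


def evaluate(fw: Firewall, dst_ip: str, dport: int):
    """Return (verdict, final destination) for one inbound packet."""
    ip = ipaddress.ip_address(dst_ip)
    mapped = fw.dnat.get((str(ip), dport))          # stage 1: DNAT
    if mapped:
        ip, dport = ipaddress.ip_address(mapped[0]), mapped[1]
    for rule in fw.forward_rules:                    # stage 2: forward chain
        if rule.matches(ip, dport):
            return rule.action, (str(ip), dport)
    return fw.default, (str(ip), dport)


def exposed_hosts(fw: Firewall, internal_hosts: List[str], ports: List[int],
                  routable: bool) -> Set[Tuple[str, int]]:
    """Audit: which internal host:port pairs can an outside sender reach?"""
    if routable:
        # Globally reachable inside addresses: the attacker names them directly.
        candidates = [(h, p) for h in internal_hosts for p in ports]
    else:
        # RFC1918 inside: the only destinations an outsider can name are the
        # firewall's own public addresses; reaching inside needs a DNAT entry.
        candidates = [(pub, p) for pub in fw.public_ips for p in ports]
    exposed = set()
    for dst, port in candidates:
        verdict, (final_ip, final_port) = evaluate(fw, dst, port)
        if verdict == "accept" and final_ip in internal_hosts:
            exposed.add((final_ip, final_port))
    return exposed


# Constructed sample networks: web, db, management host; three service ports.
INTERNAL_V6 = ["2001:db8:1::10", "2001:db8:1::20", "2001:db8:1::30"]
INTERNAL_V4 = ["10.0.0.10", "10.0.0.20", "10.0.0.30"]
PORTS = [22, 443, 5432]


def routable_fat_finger():
    # Intended: accept dst 2001:db8:1::10/128 port 443.
    # Typo: whole /48 and no port.  One error, everything is reachable.
    fw = Firewall(forward_rules=[Rule("accept", "2001:db8:1::/48")])
    return exposed_hosts(fw, INTERNAL_V6, PORTS, routable=True)


def nat_fat_finger():
    # The same typo on the forward chain (accept all of 10/8, any port), but
    # the only inward mapping is the web server: only it is reachable.
    fw = Firewall(forward_rules=[Rule("accept", "10.0.0.0/8")],
                  dnat={("198.51.100.1", 443): ("10.0.0.10", 443)},
                  public_ips=["198.51.100.1"])
    return exposed_hosts(fw, INTERNAL_V4, PORTS, routable=False)


def nat_two_errors():
    # NAT stops helping only once the second mistake, a stray DNAT entry for
    # the database, is also made.
    fw = Firewall(forward_rules=[Rule("accept", "10.0.0.0/8")],
                  dnat={("198.51.100.1", 443): ("10.0.0.10", 443),
                        ("198.51.100.1", 5432): ("10.0.0.20", 5432)},
                  public_ips=["198.51.100.1"])
    return exposed_hosts(fw, INTERNAL_V4, PORTS, routable=False)


if __name__ == "__main__":
    print("routable, one error :", sorted(routable_fat_finger()))
    print("NAT, one error      :", sorted(nat_fat_finger()))
    print("NAT, two errors     :", sorted(nat_two_errors()))
```

The audit function is the part worth keeping: running it against a modelled ruleset after every change (as part of the change-control step Dan mentions) turns "did I just widen a hole?" into a diff of reachable host:port pairs, which catches the one-error case on a routable network that NAT would otherwise have masked.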
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/