Date: 28 Sep 2001 12:16:16 -0700 From: swear@blarg.net (Gary W. Swearingen) To: Kutulu <kutulu@kutulu.org> Cc: freebsd-stable@FreeBSD.ORG Subject: Re: 127/8 continued Message-ID: <mzy9mzjfcv.9mz@localhost.localdomain> In-Reply-To: <5.1.0.14.0.20010927140705.009ffc60@127.0.0.1> References: <200109271411.f8REBNH02164@c1828785-a.saltlk1.ut.home.com> <20010924094048.X5906-100000@coredump.scriptkiddie.org> <20010926134253.A65444@mushhaven.net> <i5vgi5tx0h.gi5@localhost.localdomain> <200109271411.f8REBNH02164@c1828785-a.saltlk1.ut.home.com> <5.1.0.14.0.20010927140705.009ffc60@127.0.0.1>
Kutulu <kutulu@kutulu.org> writes:

> In order for the machines on your network to communicate with the
> outside world, they will either need public, routable IP addresses (all
> of them, not just your firewall), or you will need to run NAT somewhere.
> If your firewall has a private IP of 10.0.0.2, for example, even if it
> routes traffic correctly to the DSL router, once that packet hits the
> public internet there's no way to know how to get back to your 10.0.0.2.

Nobody should be TRYING to get back to 10.0.0.2; the packet src & dst are
all Internet addresses and the DSL and firewall routers should be able to
communicate privately. The other end of my DSL connection looks like a
router with a public address that some other router uses as a gateway for
packets to my workstation or server. As far as the world should know or
care, the DSL router and my firewall router are a single router. No?

> > How does translating IP addresses help with security, as long
> > as the translation is transparent?
>
> The benefit is not really security here. The benefit is, you can have
> machines on the same logical subnet on different physical segments.

That's what I was thinking (on both counts), except I wonder why that is
"not really" instead of "not".

> This is actually what NAT was originally designed for. It allowed
> people with a limited number of IP's (ie, one from their dial up
> provider) to handle traffic for multiple separate machines. The
> security aspects are really just a nice side effect.

Again, what security aspects?

> The deficiency here is really in IP itself. The IP protocol was built
> around the assumption that IP networks would be physically segmented in
> the same basic structure as they were logically segmented. Each
> separate IP subnet is assumed to be a separate physical network segment,
> and thus, all machines on that IP subnet should be directly reachable
> through the attached interface. And this is still the case the vast
> majority of the time. For those times when it is not the case, there
> are static routing kludges, and NAT, to take care of it.

Assumptions that were reasonable when made, but are giving lots of people
grief now. The work-arounds are awkward, partially broken, complicated, or
otherwise costly of SA time, IP address, etc. Room for someone to innovate,
but maybe it's better they work on IPv6.
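The point under dispute in this exchange (why a reply can never reach a 10.0.0.2 source without translation, and what "security side effect" NAT brings) can be made concrete with a small simulation. The following is an added example written for this archive page, not code from either correspondent or from FreeBSD; the addresses (198.51.100.1 for the translating router, 203.0.113.5 for a remote server) are constructed values taken from the RFC 5737 documentation ranges, and the NAT model is a deliberately simplified port-and-address translation table.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# RFC 1918 private ranges: a router on the public Internet has no route for these.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Nat:
    """Simplified NAPT box: many inside hosts share one public address."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (public_port, proto) -> (inside_ip, inside_port): filled by outbound traffic only
        self.table = {}
        # (inside_ip, inside_port, proto) -> public_port: reuse mappings for the same flow
        self.reverse = {}

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        if key not in self.reverse:
            port = self.next_port
            self.next_port += 1
            self.reverse[key] = port
            self.table[(port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        port = self.reverse[key]
        # Rewrite the source so the reply is addressed to something the Internet can route.
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.table.get((pkt.dst_port, pkt.proto))
        if pkt.dst_ip != self.public_ip or entry is None:
            # No mapping was created by an inside host: unsolicited packet is dropped.
            # This is the "nice side effect" the thread refers to.
            return None
        inside_ip, inside_port = entry
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.proto)


def internet_can_route(pkt: Packet) -> bool:
    """Model of a public router: it will forward only to non-private destinations."""
    return not is_private(pkt.dst_ip)


def round_trip(nat: Nat, inside_pkt: Packet, use_nat: bool = True) -> Optional[Packet]:
    """Send inside_pkt to the server; return the server's reply as seen by the
    inside host, or None if the reply never gets there."""
    wire = nat.outbound(inside_pkt) if use_nat else inside_pkt
    # The server answers whatever source address it saw on the wire.
    reply = Packet(wire.dst_ip, wire.dst_port, wire.src_ip, wire.src_port, wire.proto)
    if not internet_can_route(reply):
        return None
    return nat.inbound(reply) if use_nat else reply


if __name__ == "__main__":
    nat = Nat("198.51.100.1")
    req = Packet("10.0.0.2", 51234, "203.0.113.5", 80)
    print("without NAT:", round_trip(nat, req, use_nat=False))
    print("with NAT:   ", round_trip(nat, req))
    print("unsolicited:", nat.inbound(Packet("203.0.113.9", 80, "198.51.100.1", 22)))
```

Run without translation, the reply is addressed to 10.0.0.2 and the public router drops it; with translation, the reply comes back to 198.51.100.1:40000 and is mapped to 10.0.0.2:51234. The last line shows the incidental filtering property: an inbound packet with no mapping created from the inside has nowhere to go, which is why stateful NAT is often mistaken for a firewall even though it was designed for address sharing.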