From: Philippe Regnauld
To: Chrisy Luke
Cc: Paul Emerson, freebsd-net@FreeBSD.ORG
Date: Tue, 2 Jun 1998 10:55:25 +0200
Subject: Re: ipv6 network addresses
Message-ID: <19980602105525.36962@deepo.prosa.dk>
In-Reply-To: <19980602092305.52419@flix.net>
Organization: PROSA
X-Operating-System: FreeBSD 2.2.6-RELEASE i386

Chrisy Luke writes:
> Paul Emerson wrote (on Jun 01):
> > Repeat after me: All NAT solutions are not created equal.
>
> I don't see why "Making everyone come from the same address" is so
> desirable. In itself it has no security built in, certainly none that
> can't better be provided and tracked by a firewall.
Good NAT solutions use a pool of addresses (i.e.: Cisco), where hosts seem to
come from different addresses each time. This also allows for semi-permanent
"two-way" setups, allowing for example ftp back-connect and other horrible
things transparently. Using the same address for everything is in fact not
recommended, as it increases visibility for your NAT box, and the chance of
getting same port numbers decreases. Cisco calls this technique "overloading".

> Good network numbering can do effectively the same job significantly
> better and without overhead.

It depends how big a fish you are. If you get your block of addresses from
your provider, like I do, and interconnect the networks of some 8 different
organizations, then you don't want to have to renumber if you leave. And
there's a fat chance you'll get routed with less than a /22, provided you had
your own block in the first place. NAT is the poor man's independence.

> NAT is not a security measure, but an administrative mechanism for saving
> IPv4 address space and nothing more.

... and not being subjected to provider pressure.

--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
«Pluto placed his bad dog at the entrance of Hades to keep the dead IN and
the living OUT! The archetypical corporate firewall?» - S. Kelly Bootle
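As an added illustration of the pool-versus-"overloading" distinction raised in the message above (example code written for this page, not from the original post or from any Cisco implementation), a toy NAT translation table in Python; the `Nat` class, `demo` function and flows are hypothetical, and the addresses are constructed from the RFC 5737 documentation ranges:

```python
# Added example, not from the original post or any vendor implementation:
# a toy NAT translation table contrasting a dynamic address pool (each inside
# host gets its own outside address) with "overloading" (PAT: every inside
# host shares one outside address and is told apart by port). Hypothetical
# names; addresses are constructed from the RFC 5737 documentation ranges.
from dataclasses import dataclass, field
from itertools import count

@dataclass
class Nat:
    pool: list                    # outside addresses available for translation
    overload: bool                # True = PAT on pool[0]; False = one host per address
    table: dict = field(default_factory=dict)       # (in_ip, in_port) -> (out_ip, out_port)
    _in_use: set = field(default_factory=set)       # outside (ip, port) pairs taken
    _addr_map: dict = field(default_factory=dict)   # in_ip -> out_ip (pool mode)
    _next_port: count = field(default_factory=lambda: count(1024))

    def translate(self, in_ip, in_port):
        """Outbound: return the outside (ip, port) a flow appears to come from."""
        key = (in_ip, in_port)
        if key in self.table:
            return self.table[key]
        if self.overload:
            out_ip, out_port = self.pool[0], in_port
            # Two hosts using the same source port collide on the single
            # address, so the later one has its port rewritten.
            while (out_ip, out_port) in self._in_use:
                out_port = next(self._next_port)
        else:
            if in_ip not in self._addr_map:
                if len(self._addr_map) >= len(self.pool):
                    raise RuntimeError("address pool exhausted")
                self._addr_map[in_ip] = self.pool[len(self._addr_map)]
            out_ip, out_port = self._addr_map[in_ip], in_port  # ports untouched
        self.table[key] = (out_ip, out_port)
        self._in_use.add((out_ip, out_port))
        return self.table[key]

    def reverse(self, out_ip, out_port):
        """Inbound: map an outside (ip, port) back to the inside host, or
        None when no outbound flow created the state (packet is dropped)."""
        for inside, outside in self.table.items():
            if outside == (out_ip, out_port):
                return inside
        return None

def demo(overload):
    """Two inside hosts each open a flow from source port 40000."""
    nat = Nat(pool=["198.51.100.10", "198.51.100.11"], overload=overload)
    return [nat.translate("10.0.0.1", 40000), nat.translate("10.0.0.2", 40000)]
```

With the pool, both hosts keep their source port on distinct addresses; with overloading, the second host's port is rewritten, and the pool variant fails outright once there are more inside hosts than addresses.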