Date: Tue, 2 Jun 1998 10:55:25 +0200
From: Philippe Regnauld <regnauld@deepo.prosa.dk>
To: Chrisy Luke <chrisy@flix.net>
Cc: Paul Emerson <paul@gta.com>, freebsd-net@FreeBSD.ORG
Subject: Re: ipv6 network addresses
Message-ID: <19980602105525.36962@deepo.prosa.dk>
In-Reply-To: <19980602092305.52419@flix.net>; from Chrisy Luke on Tue, Jun 02, 1998 at 09:23:05AM +0100
References: <199806012000.QAA14487@gta.gta.com> <19980602092305.52419@flix.net>
Chrisy Luke writes:
> Paul Emerson wrote (on Jun 01):
> > Repeat after me: All NAT solutions are not created equal.
>
> I don't see why "Making everyone come from the same address" is so
> desirable. In itself it has no security built in, certainly none that
> can't better be provided and tracked by a firewall.

Good NAT solutions use a pool of addresses (i.e.: Cisco), where hosts seem to come from different addresses each time. This also allows for semi-permanent "two-way" setups, allowing for example ftp back-connect and other horrible things transparently.

Using the same address for everything is in fact not recommended as it increases visibility for your nat box, and the chance of getting same port numbers decreases. Cisco calls this technique "overloading".

> Good network numbering can do effectively the same job significantly
> better and without overhead.

It depends how big a fish you are. If you get your block of addresses from your provider, like I do, and interconnect the networks of some 8 different organizations, then you don't want to have to renumber if you leave. And there's a fat chance you'll get routed with less than /22, provided you had your own block in the first place. NAT is the poor man's independence.

> NAT is not a security measure, but an administrative mechanism for saving
> IPv4 address space and nothing more.

... and not being subjected to provider pressure.

--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
«Pluto placed his bad dog at the entrance of Hades to keep the dead IN and the living OUT! The archetypical corporate firewall?» - S. Kelly Bootle

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
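The pool-versus-overloading distinction made in the message above, modelled as an added Python example that is not part of the thread or of any vendor's code: the translation table, the per-host pool assignment and the "remap the port only on collision, starting at 1024" rule are my own assumptions, and the addresses are constructed sample values.

```python
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Nat:
    """Outbound NAT in one of two modes.

    pool:     each inside host gets its own public address while the pool
              lasts, so source ports can be preserved and a reverse lookup
              always lands on one host (the "two-way" setup in the mail).
    overload: one public address for everyone; inside hosts that happen to
              use the same source port must be remapped to distinct ports.
    """
    public_ips: list
    overload: bool = False
    # (inside_ip, inside_port) -> (public_ip, public_port)
    table: dict = field(default_factory=dict)
    _host_ip: dict = field(default_factory=dict)          # pool mode only
    _spare: count = field(default_factory=lambda: count(1024))  # assumed

    def _in_use(self, public_ip, public_port):
        return (public_ip, public_port) in self.table.values()

    def translate(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key in self.table:            # an existing binding is reused
            return self.table[key]
        if self.overload:
            public_ip = self.public_ips[0]
        else:
            if inside_ip not in self._host_ip:
                free = [ip for ip in self.public_ips
                        if ip not in self._host_ip.values()]
                if not free:
                    raise RuntimeError("address pool exhausted")
                self._host_ip[inside_ip] = free[0]
            public_ip = self._host_ip[inside_ip]
        public_port = inside_port
        while self._in_use(public_ip, public_port):   # collision: remap
            public_port = next(self._spare)
        self.table[key] = (public_ip, public_port)
        return self.table[key]

    def inbound(self, public_ip, public_port):
        """Reverse lookup used for return traffic (or a back-connection)."""
        for key, val in self.table.items():
            if val == (public_ip, public_port):
                return key
        return None


def demo():
    """Two inside hosts both sourcing from port 5000, in each mode."""
    pool = Nat(["198.51.100.1", "198.51.100.2"])
    over = Nat(["198.51.100.1"], overload=True)
    flows = [("10.0.0.1", 5000), ("10.0.0.2", 5000)]
    return ([pool.translate(*f) for f in flows],
            [over.translate(*f) for f in flows])
```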