
draft-ietf-v6ops-nap-00.txt & NAT security [2.2]



I've been reading again section 2.2

2.2  Simple security due to stateful filter implementation

I think this section is a bit weak.

If someone installs a NAT box at home, by default,
it will prevent incoming connections, and this
is widely perceived as a security function.

The point that trojan horses do exist and that the dynamic
mapping does not provide real security is true.
However, the classic counter arguments come in two flavors:
	- oh, but the NAT boxes are labeled security devices
	so it must be true.
	- "defense in depth" is what more knowledgeable people
	would answer.

So if you expect to convince home users and IT departments that
they should then give up on what they considered as
"state of the art security", you are facing an uphill
battle and you will need much more than the current
text in section 2.2.

	- Alain.