True, there's no additional security in NAT. In theory. In practice, NAT completely changed the way most Windows machines are broken. Back in the late 90s, Windows machines were usually taken out by smashing some part of the network stack. Nowadays that pretty much never happens. Almost all attacks go in through the browser, Flash, or just as trojans via email. Why? NAT. True, MS did spend a fair amount of time cleaning up their network stack but that's moot since it's all hidden behind NAT anyway. I agree, NAT is a horrible horrible thing to do. But its real-world benefits are unassailable. It's a non-negotiable one-button firewall deployable worldwide. It single-handedly cleaned up broken firewalls all over the country, from mountain shacks to multi-thousand-node office networks. Buy a box, plug it in, and you're safer. Period. No other network security innovation has brought about such a profound positive change for so many people, not even SSH. So, when you say NAT should die (and I'm all for it), you're actually saying that NAT should be replaced by something even better right? Something that carefully studies the networking lessons from the last ten years and improves on it? Because simply abandoning NAT would be a big step backward for most people and would reopen a lot of attack vectors which are currently nicely shut. The IPv6 team doesn't seem to understand this. Yes, I'm worried.
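Added example, not part of the comment above: an nftables ruleset for an IPv6 router that reproduces the one security property NAT gives for free, unsolicited inbound traffic dropped while replies to flows the inside started are allowed, without translating any addresses. The WAN interface name "wan0" is an assumption.

```nft
# Added example (not from the comment): stateful default-deny for an IPv6 router.
# "wan0" is an assumed interface name; adjust to the real uplink.
table inet fw {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and anything belonging to a flow this host initiated
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 is mandatory for IPv6 (neighbour discovery, path MTU discovery)
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded, parameter-problem,
            echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert
        } accept

        # Nothing else unsolicited from the uplink reaches local services
        iifname "wan0" drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # LAN hosts get replies to connections they opened, nothing more from outside
        ct state established,related accept
        ct state invalid drop
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        iifname "wan0" drop

        # Outbound from the LAN is unrestricted, as behind a NAT box
        accept
    }
}
```

Load with `nft -f`; `ct state` tracking is what does the work that NAT's translation table did implicitly.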
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds