[AusNOG] IPv4 Exhaustion, APNIC EC, and James is a nice bloke ;-)
Robert Brockway
robert at timetraveller.org
Fri Aug 1 14:15:02 EST 2008
On Fri, 1 Aug 2008, Mark Newton wrote:
Hi Mark. First off, thanks for taking the time to make the long reply.
> I don't think anyone is equating the two issues in the way you've
> described. It might be useful for you to assume that those in this
> thread who have taken a contrary view have a full and complete
> understanding of the problem and simply disagree with you.
I'd love to do that, but honestly I was wondering. Sorry if that sounds
rude on a tech list but the question really was in my mind. The
discussion seemed to be circling around a pretty obvious point (use of a
firewall), that was so relevant to the conversation that it at least
needed to be mentioned (if only because the poster wanted to rule it out).
[SNIP extensive discussion of NAT security]
> So -- although NAT != security, what NAT *does* do is make your
> firewall fail-safe. The preference in the event of a bug when
This is the key point here. I had actually already considered this line
of reasoning as I wrote my last post and I had come to two conclusions:
1. There is no reason to assume the NAT code is any more or less buggy
than the firewall code. As you note, they are probably both pretty bad.
2. There is no intrinsic reason to assume that NAT is any more or less
likely to fail-safe than a firewall.
A failing firewall may lock everything out or it may open everything up to
the world. A failing NAT may cease to translate anything or it may
translate everything.
Well I've said what I wanted to say, so that's pretty much it from me
unless the thread takes a major change in direction.
Cheers,
Rob
--
"With sufficient thrust, pigs fly just fine..."
-- RFC 1925 "The Twelve Networking Truths"