[AusNOG] Data Retention and CGNAT - educational exercise

Nick Stallman nick at agentpoint.com
Thu Mar 26 11:35:46 EST 2015


I was referring to stuff like this:
https://isc.sans.edu/forums/diary/New+tricks+that+may+bring+DNS+spoofing+back+or+Why+you+should+enable+DNSSEC+even+if+it+is+a+pain+to+do/16859/

It would only be a security issue in certain cases, but if the set of 
ports was consecutive and not pseudo randomised it could reduce security 
of some applications which utilise random source ports.

On 26/03/15 11:31, Sid wrote:
> Hi Nick,
>
> On 26 Mar 2015, at 03:28, Nick Stallman <nick at agentpoint.com> wrote:
>
>> What security concerns would there be to reducing the source ports 
>> from 65535 to 100?
>> They are usually kept pretty random for a reason aren't they?
>
> I guess it depends on what you want out of CGNAT. As the RFC linked by 
> Scott says, you don't get better or worse security over a non-CGNAT 
> setup with algorithmic NAT allocation.
>
> (That RFC again: https://www.rfc-editor.org/rfc/rfc7422.txt )
>
> I've never set up a CGNAT. But if it was for internet end users as an 
> ISP, I can't see it being implemented for security reasons - only as a 
> resource preservation mechanism. "Security" would just be a byproduct.
>
> If you are setting up any NAT solution specifically for some level of 
> "security", then that changes things.
>
> Sid

-- 
Nick Stallman
Agentpoint Pty Ltd
The Real Estate Web Developers
Melbourne | Sydney | Miami
nick at agentpoint.com
www.agentpoint.com.au | www.zooproperty.com | www.ginga.com.au | 
www.business2.com.au
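Added example, not part of the thread: a check an operator could run against the egress source ports an external test server sees from one resolver behind the NAT, to see whether a CGNAT port block has collapsed the per-query source-port randomisation Nick is worried about. The port samples, the 100-port block at 40000-40099 and the 1024-port threshold are constructed assumptions for illustration.

```python
import math
import random
from collections import Counter

TXID_BITS = 16  # the DNS transaction ID is a 16-bit field


def sample_entropy_bits(values):
    """Shannon entropy (bits) of an observed sample; at most log2(len(values))."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def assess_source_ports(observed_ports):
    """Summarise how much a translated resolver's source ports still add to
    spoofing resistance. observed_ports: egress ports seen by an external
    test server for queries from one resolver behind the NAT."""
    span = max(observed_ports) - min(observed_ports) + 1
    guess_space = span * 2 ** TXID_BITS  # (port, txid) pairs an off-path spoofer must cover
    return {
        "distinct_ports": len(set(observed_ports)),
        "port_span": span,
        "port_entropy_bits": round(sample_entropy_bits(observed_ports), 2),
        "guess_space": guess_space,
        "guess_space_bits": math.log2(guess_space),
        # Assumed threshold: a resolver spreading ports across a wide range
        # keeps its randomisation; a ~100-port CGNAT block cannot, however
        # the block hands the ports out.
        "randomisation_preserved": span >= 1024,
    }


def simulate_ports(port_pool, queries, seed=1):
    """Constructed sample: a resolver drawing its source port uniformly from port_pool."""
    rng = random.Random(seed)
    return [rng.choice(port_pool) for _ in range(queries)]


# Constructed samples, not captured traffic
RANDOMISED = simulate_ports(range(1024, 65536), 2000)    # per-query random ports
CGNAT_BLOCK = simulate_ports(range(40000, 40100), 2000)  # 100-port block from a CGNAT

if __name__ == "__main__":
    for name, sample in (("randomised", RANDOMISED), ("cgnat_block", CGNAT_BLOCK)):
        print(name, assess_source_ports(sample))
```

With the 100-port block the attacker's guess space drops from roughly 2^32 to 100 * 65536 = 6,553,600 (about 22.6 bits), which is the reduction the linked SANS diary discusses.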
