Re: How to find NAT'ed address
From: Dave Phelps (tippenring@deadspam.com)
Date: 08/23/02
From: Dave Phelps <tippenring@deadspam.com> Date: Thu, 22 Aug 2002 21:26:20 -0500
In article <ak0dap$bt6$1@panix2.panix.com>, shore@panix.com says...
> Let's be clear on something - address space was and is
> available (current utilization is ~50%), but because of the
> way distribution and ownership of addresses are handled the
> folks who own address blocks benefit economically from
> creating a false scarcity. They make money selling
> addresses. This is a political and economic problem, not
> technical.
That is probably true. However, I believe that, whatever the reason,
without the address space conservation that has occurred, address space
would probably be nearly consumed by now.
>
> Nevertheless, there is a technical solution, and that's
> IPv6. Over the medium-to-long term a transition to v6 is
> almost certainly less expensive than continuing to pile on
> NAT workarounds.
Very true.
>
> Let's say that I run an IP-based PBX for my company and I
> find that calls cannot get through my firewall/NAT. I cast
> around for a solution, like people do here, and I get a
> response from company Splortsoft who tells me that their
> software will solve the NAT traversal problem and that it
> won't introduce any additional security holes. In point of
> fact it *does* introduce security holes by providing a means
> to defeat local firewall policy - after all, if firewall
> policy "understood" telephony protocols I wouldn't need to
> buy anything from Splortsoft, right? A wiser person than me
> once said that there are no side effects, only effects, and
> in this case it shouldn't be surprising that the stuff from
> Splortsoft allows malicious contravention of firewall policy
> in addition to allowing NAT traversal by protocols we like.
> So here I am, the beleaguered network administrator,
> installing software that allows people to violate the
> policies I'm trying to enforce. At this point it would make
> more sense to chuck both the firewall and the software from
> Splortsoft and get myself some addresses.
Using your example, you are not enabling anyone to violate firewall
policy. Installing the Micro^H^H^H^H^HSplortsoft product simply fixes
the necessary translations to trick the IP PBX software into thinking it
has public IPs. You still have to create a rule to allow the traffic
thru the firewall. It's no different than if you had public addresses.
You would still have to permit the traffic thru the firewall. Surely you
wouldn't abandon the firewall once you got public addresses?
>
> >Overall, I agree with you that NAT has made a nuisance of itself in
> >some cases, but I believe that the inconveniences of NAT are FAR
> >outweighed by what NAT has made possible for Internet connectivity.
>
> There *is* an alternative.
>
> (Trivial point, but a pet peeve nevertheless - the things
> under discussion are "addresses," not "IPs.")
Point taken. It's just easier to say "IPs" than say "addresses".
--
Dave Phelps
Phone Masters Ltd.
deadspam=tippenring