Re: ISPs can easily decrease net abuse
From: Leythos (void_at_nowhere.com)
Date: Sun, 07 Dec 2003 20:23:33 GMT
In article <email@example.com>, firstname.lastname@example.org says...
> In article <MPG.email@example.com>,
> Leythos <firstname.lastname@example.org> wrote:
> >No it doesn't - you can use all of those services with NAT.
> As I've tried to explain, the workarounds that allow these
> technologies to work with NAT, like STUN, relays, UPnP,
> tunnelling, and so on create new problems, particularly
> around security. For example, these include the pseudo-nat
So, let me get this understood - you are saying that it's more secure
for a person to have a standard Windows based computer directly
connected to the internet than it is to have it behind a router
utilizing NAT (or PAT)??????
> attack, to which IKE and STUN are particularly vulnerable,
> wacky routing (tromboning), wasted bandwidth (headergrams as
And how much more does it waste to have a large number of computers
infected with the Slammer worm or any of the other worms as compared to
the overhead in the packet for NAT mapping?
> a consequence of encapsulation), and so on. It also costs a
> lot more to run networks that have NATs and NAT workarounds
> in them, not just because of the cost of the equipment but
> because of the additional complexity of the network and the
> increased likelihood of equipment failure.
We're talking about utilizing the ability ALREADY present in most of the
ISP's cable/dsl modems already installed at people's homes - they are no
more likely to break or require maintenance because NAT is enabled.
There is no additional complexity involved in maintaining something
that is already installed, and enabling NAT would not generate any
significant maintenance issues for the ISP. Heck, I've been to clients'
locations where the ISP had the cable/dsl modem running in NAT mode and
the customer had no idea - switching it to provide the public IP took a
couple of minutes' setup time from a remote location for the ISP and didn't
break anything either.
> As someone a lot smarter than me once said, "The answer to crud in the
> network is not more crud in the network."
It's already in the network, it's already used by people and companies
all over the globe, it's already used in homes, it's not adding
Funny how a company using the 10.0.0.0/16 subnet can have offices in all
parts of the world, utilizing NAT, and still be able to communicate with
each other, have their employees work remotely from anywhere, and
provide services to the entire company behind a NAT based system...
> >I suppose that you are
> >completely fine with the idea of open-relays for SMTP and that the idea
> >of an open FTP server on your neighbors computer doesn't bother you
> That's a pretty stupid thing to say, don't you think? What
> I'm saying is that if you want to provide policy-based
> filtering, use a technology that's capable of actually
> providing policy-based filtering, like a firewall. NAT is
> the wrong answer to that question, and why somebody would
> argue for its use even while the right answer (firewalls) is
> just as easily available is somewhat mysterious.
I'm not saying the ISP should provide anything, just enable the BUILT-IN
feature on most of their cable/dsl modems, NAT, for home users, in order
to prevent most of what happens to home users that do not know enough to
purchase some border or personal firewall appliance or software.
NAT is a simple solution to a large problem; while it's not the best
solution, it's one that is freely available, costs nothing to the ISP or
the customer, does not detract from the user's experience, and provides a
layer of protection that the unknowing user absolutely needs.
Implementation of NAT at the cable/dsl modem does NOT increase the
security risks, it DECREASES them. Consider the ENTIRE picture before
you respond, not just single points of it.
-- 
email@example.com (Remove 999 to reply to me)
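To make the two positions in this thread concrete, here is an added toy model (my own illustration, not code from either poster) of a PAT gateway like the one in a cable/dsl modem: it drops inbound packets that match no mapping, which is the "layer of protection" Leythos describes, but it forwards any outbound traffic, which is why it is not policy-based filtering; the addresses and the blocked port list are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PatGateway:
    """Toy port-address-translation (PAT, 'NAT overload') gateway.
    An outbound packet creates a mapping public_port -> (inside host, remote
    peer); an inbound packet is forwarded only if it matches a mapping."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}        # public_port -> (in_ip, in_port, rem_ip, rem_port)
        self.dropped = []      # unsolicited inbound packets

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, entry in self.table.items():
            if entry == key:                       # reuse the existing mapping
                return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[pub_port] = key
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        entry = self.table.get(pkt.dst_port)
        if entry is None or entry[2:] != (pkt.src_ip, pkt.src_port):
            self.dropped.append(pkt)               # no mapping: nowhere to send it
            return None
        return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])

def outbound_policy_allows(pkt, blocked_ports=frozenset({1434})):
    """What NAT alone cannot do: a policy rule (a firewall's job), here blocking
    outbound traffic to port 1434, the SQL Server port the Slammer worm used."""
    return pkt.dst_port not in blocked_ports

def demo():
    gw = PatGateway("203.0.113.1")                 # constructed TEST-NET addresses
    pc = "192.168.1.10"
    # 1. Home PC browses a web server: mapping created, the reply comes back.
    out = gw.outbound(Packet(pc, 51000, "198.51.100.20", 80))
    reply = gw.inbound(Packet("198.51.100.20", 80, gw.public_ip, out.src_port))
    # 2. Unsolicited probe from the Internet to a service port: no mapping, dropped.
    probe = gw.inbound(Packet("198.51.100.77", 1434, gw.public_ip, 1434))
    # 3. Infected inside PC scanning outward: NAT forwards it; only policy stops it.
    scan = Packet(pc, 52000, "198.51.100.99", 1434)
    return {"reply_to": reply.dst_ip if reply else None,
            "probe_forwarded": probe is not None,
            "nat_forwards_scan": gw.outbound(scan) is not None,
            "firewall_allows_scan": outbound_policy_allows(scan)}
```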