[ale] OT move to new Colo that wants to use NAT

Jim Popovitch yahoo at jimpop.com
Mon Nov 10 09:26:26 EST 2008


2008/11/10 Michael H. Warfield <mhw at wittsend.com>:
>        Getting PI (Provider Independent) allocations out of ARIN is extremely
> difficult and going to get more so.  I believe at one time you could not
> get anything smaller than a /19 (i.e. you could not get a /20 from ARIN
> directly).  That's 8192 addresses.  If you can not justify the immediate
> use and application of a very sizable portion of that allocation you
> will not get it.
>
>        This situation is going to get much worse.  Current predicted runout of
> IPv4 addresses is now projected to be sometime in 2010 to 2011.  It's
> just been announced that the final, last 5, IPv4 /8 blocks from IANA
> have been allocated to the regional registrars, one to each RIR (ARIN,
> RIPE, APNIC, LACNIC, AFRINIC).  That's it folks, no more, they're all
> gone from IANA.  Now as ARIN runs down their allocations, they're going
> to get tighter and tighter on their policy because the IANA well is now
> dry.  They can't get any more, themselves.

Good point.  All those NAT'ed /8's should give them up. ;-)

>> IMHO, their move to do this is both good and bad.  Good because it
>> protects the idiots who lease systems they don't know how to secure,
>> bad because it removes capabilities that quality technical folks need.
>
>        NAT provides no security.  That's a total myth.

Not true.   It all depends on the NAT config.   If you are port
forwarding every port, well of course it's no better.   But if you are
only fwd'ing port 80 to a NAT'ed IIS server on Win2K....

> Private address space != secure.

Correct, but private address space != insecure.

> That's been proven by multiple break-ins and trojans
> with reverse shells for years.  The only security that comes from NAT

Wait! I thought there was no security in NAT?

> derives purely from its connection state machine which is the same
> thing in a stateful firewall.  The address translation itself, provides
> no additional security only a false sense of security to the fools who
> rely on it.

NAT alone is not enough, but as part of a layered approach it's value
is underrated.

Take the hosting question in this thread.   Is there ever a
well-configured stateful firewall inside an ISP's colo DC?  ;-)

-Jim P.
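An added illustration (not part of the thread) of the point argued above, that the filtering comes from the connection-tracking state table rather than from the address rewriting: a toy Python gateway with one explicit forward rule (TCP/80 to an inside web server), run once as a NAT box and once as a plain stateful firewall in front of routed addresses. All addresses and ports are constructed.

```python
"""Constructed toy model of a gateway with connection tracking, run with
and without address translation, to show where the filtering happens."""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")
PUBLIC_IP = "203.0.113.1"          # constructed documentation-range address
WEB_SERVER = ("192.168.1.10", 80)  # the only inside service exposed (TCP/80)

class Gateway:
    """translate=True behaves like a NAT box, False like a plain stateful
    firewall in front of routed addresses; the state table is the same."""
    def __init__(self, translate, forwards=None):
        self.translate = translate
        self.forwards = forwards or {80: WEB_SERVER}
        self.flows = {}      # (remote, rport, ext, eport) -> (inside, iport)
        self.next_port = 40000

    def outbound(self, pkt):
        """Inside host opens a connection; record the flow we expect back."""
        if self.translate:
            ext, eport = PUBLIC_IP, self.next_port
            self.next_port += 1
        else:
            ext, eport = pkt.src, pkt.sport
        self.flows[(pkt.dst, pkt.dport, ext, eport)] = (pkt.src, pkt.sport)
        return Packet(ext, eport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Return the packet as delivered inside, or None if dropped."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.flows:              # ESTABLISHED: return traffic
            return Packet(pkt.src, pkt.sport, *self.flows[key])
        if pkt.dport in self.forwards:     # explicit port-forward / allow rule
            return Packet(pkt.src, pkt.sport, *self.forwards[pkt.dport])
        return None                        # unsolicited: no state, no rule

def decisions(translate):
    """Same three inbound cases through one gateway; True = admitted."""
    gw = Gateway(translate)
    out = gw.outbound(Packet("192.168.1.20", 51000, "198.51.100.7", 443))
    reply = Packet(out.dst, out.dport, out.src, out.sport)
    ext_ip = PUBLIC_IP if translate else WEB_SERVER[0]
    return {
        "reply_to_outbound": gw.inbound(reply) is not None,
        "forwarded_port_80": gw.inbound(Packet("198.51.100.9", 40001, ext_ip, 80)) is not None,
        "unsolicited_8080": gw.inbound(Packet("198.51.100.9", 40002, ext_ip, 8080)) is not None,
    }
```

Both modes admit the return traffic and the forwarded port and drop the unsolicited packet, which is the state table at work; removing the translation changes nothing about which packets get in.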

