North American Network Operators Group
RE: RFC1918 addresses to permit in for VPN?
> So the picture that emerges is that Randy is very definitely
> speaking of NAT as Bi-directional or Two-Way NAT (in the terminology
> of RFC 2663), where no address conservation is practiced, and
> machines with private addresses are directly reachable via public
> addresses, through a fixed incoming mapping applied by the NAT
> device.

umm, fixed is not a requirement here. you can go two way through addresses allocated out of a pool easily enough. yes, the hacker won't have control over what is in the pool that he is trying to hack into, and the externally visible addresses of systems may change, but as long as the NAT is being done and is two way, there are things which are subject to attack.

the combination of RFC 1918 space and NAT is a sorry excuse for security. you need some sort of packet filtering or access control on the path, possibly in the box doing the NAT, possibly in some other box, but you _must_ have it.

if a network is completely isolated from the public internet, then the RFC1918 issue is irrelevant, as the network is inaccessible regardless of what network addresses are being used.

richard
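A small model of the point made above, added as an example and not part of the original thread: a two-way NAT that hands out public addresses from a pool still forwards unsolicited inbound packets to the RFC 1918 host behind each mapping, so reachability is only cut off by a packet filter on the path. The pool addresses, the `TwoWayNAT` class and the `filtered_inbound` allow-list check are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# The three RFC 1918 private blocks the message refers to.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass
class TwoWayNAT:
    """Bi-directional NAT in the RFC 2663 sense: an inside host is bound to a
    public address taken from a pool, and inbound packets to that public
    address are forwarded to the inside host. No filtering of any kind."""
    pool: List[str]                                   # public addresses (constructed, TEST-NET-3)
    mapping: Dict[str, str] = field(default_factory=dict)  # public -> private

    def allocate(self, private: str) -> str:
        """Bind a private host to the first free public address (pool, not fixed)."""
        for pub in self.pool:
            if pub not in self.mapping:
                self.mapping[pub] = private
                return pub
        raise RuntimeError("pool exhausted")

    def inbound(self, dst_public: str) -> Optional[str]:
        """Translate an unsolicited inbound packet; None means no mapping, so dropped.
        Any pooled address with a current binding reaches a private host."""
        return self.mapping.get(dst_public)


def filtered_inbound(nat: TwoWayNAT, dst_public: str, dst_port: int,
                     allow: Set[Tuple[str, int]]) -> Optional[str]:
    """The access control the message says you _must_ have: after translation,
    only (private host, port) pairs on the explicit allow-list are passed."""
    private = nat.inbound(dst_public)
    if private is None or (private, dst_port) not in allow:
        return None
    return private
```

With an empty allow-list every inbound packet is dropped even though the NAT binding exists; the binding alone does nothing to restrict access.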