Date:	Tue, 29 Nov 2011 10:19:21 +0100
From:	Ulrich Weber <ulrich.weber@...hos.com>
To:	Amos Jeffries <squid3@...enet.co.nz>
CC:	"sclark46@...thlink.net" <sclark46@...thlink.net>,
	"kaber@...sh.net" <kaber@...sh.net>,
	"netfilter-devel@...r.kernel.org" <netfilter-devel@...r.kernel.org>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: [RFC PATCH 00/18] netfilter: IPv6 NAT

Please don't let this deviate into a flame war.
I just said there are use cases, nothing more, nothing less.

This is software. There are lots of ways to achieve the same goal.
Every solution has its pros and cons; it's not always black and white.


On 28.11.2011 23:03, Amos Jeffries wrote:
> I'm going to dare to call FUD on those statements...
>    * Load Balancing - what is preventing your routing rules or packet
>   marking using the same criteria as the NAT changer? nothing. Load
>   balancing works perfectly fine without NAT.
>
Nothing, you achieve the same in a different way.
However keep in mind that not all computers out there run Linux.

It's quite simple to set up NAT rules; they work with every OS.

On the other hand, balancing by changing MAC address or
IPv6inIPv6 Tunnels can be a headache, getting this going with
Windows, Mac, Solaris and so on.

Issues with DAD and source address selection don't make it easier.
Have a look at net/netfilter/ipvs/ip_vs_xmit.c. There is a reason why
NAT for IPv6 has already been in the kernel for three years.

>    * outgoing packet control - packets will happily leave the "wrong"
>   interface after NAT unless you add routing and firewall controls
>   separate to NAT. Packet control works *better* without NAT erasing
>   original IP information resulting in mistakenly NAT'ed packets going out
>   the wrong interface.
>
>
I fully agree. NAT cannot replace your firewall rules.

However with NAT you could get some kind of anonymity.
Think of Tor: If your server/client operates with private IP addresses,
your public IP address is still masked after a security breach.

>   I have long been of the opinion that all NAT really offers is the
>   ability to easily and cleanly multi-home several global public prefixes
>   from a unified PI space. This is a very important aspect for some
>   networks, even with plentiful IPv6 addresses.
Also in my opinion the most important reason for NAT.

Cheers
  Ulrich

-- 
Ulrich Weber | ulrich.weber@...hos.com | Senior Software Engineer
Astaro - a Sophos company | Amalienbadstr 41 | 76227 Karlsruhe | Germany
Phone +49-721-25516-0 | Fax –200 | www.astaro.com
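The thread above argues two things at once: that NAT rules are a simple, OS-independent way to spread a service across backends, and that NAT does not replace routing and firewall controls, since a DNAT'ed packet will leave whatever interface the routing table picks unless the forward path is filtered separately. The script below is an added example written for this page; it is not code from the thread, the patch series, or Astaro/Sophos. It assumes a kernel with the ip6tables nat table (mainline since 3.7, i.e. after this thread), the xt_statistic and xt_conntrack matches, a public interface eth0 and internal interface eth1 (assumed names), and constructed addresses from the documentation and ULA ranges. It only prints the ruleset unless APPLY_RULES=1 is set.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates an IPv6 DNAT
# load-balancing ruleset together with the FORWARD filter rules that NAT
# alone does not provide. Interface names and addresses are assumptions.

PUB_IF="eth0"               # assumed public-facing interface
INT_IF="eth1"               # assumed internal interface
VIP="2001:db8::10"          # constructed public service address (documentation prefix)
INT_NET="fd00:1::/64"       # constructed internal ULA prefix
BACKEND_A="fd00:1::a"       # constructed internal backend
BACKEND_B="fd00:1::b"       # constructed internal backend

# NAT rules: new flows to the VIP are alternated between the two backends
# (statistic nth: every 2nd packet, counting from 0, goes to A, the rest to B).
# Outbound traffic from the internal prefix is masqueraded behind the public
# address, which is the "private addresses inside, public address hidden"
# point raised in the thread.
nat_rules() {
    cat <<EOF
ip6tables -t nat -A PREROUTING -i $PUB_IF -d $VIP -p tcp --dport 80 -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination [$BACKEND_A]:80
ip6tables -t nat -A PREROUTING -i $PUB_IF -d $VIP -p tcp --dport 80 -j DNAT --to-destination [$BACKEND_B]:80
ip6tables -t nat -A POSTROUTING -o $PUB_IF -s $INT_NET -j MASQUERADE
EOF
}

# Filter rules NAT does not replace: forwarding defaults to DROP, and only
# flows that were actually DNAT'ed to a backend (ctstate DNAT), plus
# established/related traffic and outbound traffic from the internal prefix,
# may cross between the two interfaces. A DNAT'ed packet that the routing
# table would send out another interface is therefore dropped, not forwarded.
filter_rules() {
    cat <<EOF
ip6tables -P FORWARD DROP
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -i $PUB_IF -o $INT_IF -d $BACKEND_A -p tcp --dport 80 -m conntrack --ctstate DNAT -j ACCEPT
ip6tables -A FORWARD -i $PUB_IF -o $INT_IF -d $BACKEND_B -p tcp --dport 80 -m conntrack --ctstate DNAT -j ACCEPT
ip6tables -A FORWARD -i $INT_IF -o $PUB_IF -s $INT_NET -j ACCEPT
EOF
}

# Number of ip6tables invocations the generated ruleset contains
# (a cheap sanity check before applying anything).
count_rules() {
    { nat_rules; filter_rules; } | grep -c "^ip6tables"
}

if [ "${APPLY_RULES:-0}" = "1" ]; then
    # Apply for real (requires root and the nat table for IPv6); stop on the
    # first failing rule so a half-applied set is not left behind silently.
    { nat_rules; filter_rules; } | sh -e
else
    nat_rules
    filter_rules
fi
```

Run it without APPLY_RULES to review the generated rules; the FORWARD rules are deliberately listed after the NAT rules so the reader sees that the DNAT target only rewrites addresses, while the decision of which interface a packet may leave on is still made by the filter table and the routing table.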
