On Wed, Nov 16, 2011 at 11:11 AM, Owen DeLong <owen@delong.com> wrote:
On Nov 15, 2011, at 2:01 PM, William Herrin wrote:
On Tue, Nov 15, 2011 at 4:50 PM, Mark Andrews <marka@isc.org> wrote:
If you want to use unroutable addresses then use a bastion host / proxy.
What is a modern NAT but a bastion host proxy for which application compatibility has been maximized?
It is a mechanism for header mutilation which creates additional costs in hardware (cost of routers), software (development of NAT traversal code in various applications, NAT software in some cases), security (NAT obfuscates audit trails and increases the difficulty and cost of event correlation, forensics, abuser identification, and attack source identification and mitigation, etc.).
In other words, all of the things a proxy does but without sacrificing as many applications.

-Bill

--
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
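To make Owen's forensics point concrete, here is an added example (not part of the thread) showing why attribution behind a NAT depends on translation logs that record the public port and a precise timestamp: the NAT log format, the addresses and the abuse-report timestamps below are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed NAT translation log in a hypothetical format (not any real router's):
#   <timestamp> src=<inside ip>:<port> xlate=<public ip>:<port> proto=<proto>
# Note that public port 40001 is reused by two different inside hosts a few minutes apart.
NAT_LOG = """\
2011-11-15T21:58:03Z src=10.0.0.12:51234 xlate=203.0.113.7:40001 proto=tcp
2011-11-15T21:59:10Z src=10.0.0.57:43210 xlate=203.0.113.7:40002 proto=tcp
2011-11-15T22:00:45Z src=10.0.0.12:51240 xlate=203.0.113.7:40003 proto=tcp
2011-11-15T22:01:02Z src=10.0.0.99:60000 xlate=203.0.113.7:40001 proto=tcp
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+):(\d+) xlate=(\S+):(\d+) proto=(\w+)$")


def parse_nat_log(text):
    """Parse the constructed log into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
            "inside": m.group(2), "inside_port": int(m.group(3)),
            "outside": m.group(4), "outside_port": int(m.group(5)),
            "proto": m.group(6),
        })
    return entries


def attribute(entries, outside_ip, outside_port, when, window=timedelta(minutes=5)):
    """Inside hosts that held public ip:port within `window` of the reported time.
    A result with more than one host means the log's time resolution, or the
    report's, is too coarse to identify the machine behind the NAT."""
    return {e["inside"] for e in entries
            if e["outside"] == outside_ip and e["outside_port"] == outside_port
            and abs(e["ts"] - when) <= window}


def attribute_by_ip_only(entries, outside_ip):
    """What a remote party can do with only the public address: every host behind it."""
    return {e["inside"] for e in entries if e["outside"] == outside_ip}
```

With only the public IP the report maps to every host behind the NAT; with port and a tight time window it maps to one host, and a loose window brings back the ambiguity because the port was reused.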