RE: RFC1918 addresses to permit in for VPN?
So the picture that emerges is that Randy is very definitely speaking of NAT as Bi-directional or Two-Way NAT (in the terminology of RFC 2663), where no address conservation is practiced, and machines with private addresses are directly reachable via public addresses, through a fixed incoming mapping applied by the NAT device.
Umm, fixed is not a requirement here. You can go two way through addresses allocated out of a pool easily enough. Yes, the hacker won't have control over what is in the pool that he is trying to hack into, and the externally visible addresses of systems may change, but as long as the NAT is being done and is two way, there are things which are subject to attack.

The combination of RFC 1918 space and NAT is a sorry excuse for security. You need some sort of packet filtering or access control on the path, possibly in the box doing the NAT, possibly in some other box, but you _must_ have it.

If a network is completely isolated from the public internet, then the RFC1918 issue is irrelevant, as the network is inaccessible regardless of what network addresses are being used.

Richard
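The argument in the reply above, as an added toy model that is not code from the thread or from any NAT product: a two-way NAT hands out public addresses from a pool (so the mapping is not fixed), yet once an inside host is bound, any inbound packet to that pool address is translated straight to the private host. The only thing that stops an unsolicited connection attempt, or a packet arriving from outside with an RFC 1918 source, is a filter on the path. All addresses (10.0.0.5, 198.51.100.7, the 203.0.113.x pool) and the `Packet`, `TwoWayNAT` and `ForwardFilter` classes are constructed for this illustration.

```python
"""Toy model: pool-based two-way NAT versus a stateful filter on the path.

Added illustration only; addresses are constructed sample values (RFC 1918
inside, documentation prefixes outside). Ports other than the destination
port are omitted to keep the model small.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network

# Prefixes that must never appear as a source on the outside interface.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int
    syn: bool  # True for a new connection attempt, False for a reply


@dataclass
class TwoWayNAT:
    """Bi-directional NAT: an inside host is bound to a pool address on first
    outbound use, and from then on that public address maps back to the host
    for ANY port, not just the flow that created the binding."""
    pool: list
    bindings: dict = field(default_factory=dict)  # public -> private

    def outbound(self, pkt):
        for pub, priv in self.bindings.items():
            if priv == pkt.src:
                return Packet(pub, pkt.dst, pkt.dport, pkt.syn)
        pub = self.pool.pop(0)  # mapping is allocated, not fixed
        self.bindings[pub] = pkt.src
        return Packet(pub, pkt.dst, pkt.dport, pkt.syn)

    def inbound(self, pkt):
        priv = self.bindings.get(pkt.dst)
        if priv is None:
            return None  # no binding for this public address: packet is dropped
        return Packet(pkt.src, priv, pkt.dport, pkt.syn)


class ForwardFilter:
    """Access control applied after inbound translation (what the reply above
    says you _must_ have, whether in the NAT box or another box)."""

    def __init__(self, allow):
        self.allow = allow   # {(private_host, dport)} explicitly published
        self.flows = set()   # {(private_host, remote_host)} opened from inside

    def note_outbound(self, pkt):
        self.flows.add((pkt.src, pkt.dst))

    def permit(self, pkt):
        if any(pkt.src in n for n in RFC1918):
            return False  # RFC 1918 source arriving from outside: spoofed or leaked
        if not pkt.syn and (pkt.dst, pkt.src) in self.flows:
            return True   # reply to a connection the inside host opened
        return (pkt.dst, pkt.dport) in self.allow


def scenario(with_filter):
    """Run four inbound packets against the NAT, with or without the filter,
    and report which ones reach the private host."""
    nat = TwoWayNAT(pool=[ip_address("203.0.113.10"), ip_address("203.0.113.11")])
    inside = ip_address("10.0.0.5")
    remote = ip_address("198.51.100.7")
    flt = ForwardFilter(allow={(inside, 443)})  # only HTTPS is published

    # Inside host opens an outbound connection; this binds it to a pool address.
    first = Packet(inside, remote, 80, True)
    out = nat.outbound(first)
    flt.note_outbound(first)
    public = out.src  # 203.0.113.10, chosen by the NAT, not configured

    def reaches(pkt):
        translated = nat.inbound(pkt)
        if translated is None:
            return False
        return flt.permit(translated) if with_filter else True

    return {
        "unsolicited_ssh_reaches_inside": reaches(Packet(remote, public, 22, True)),
        "published_https_reaches_inside": reaches(Packet(remote, public, 443, True)),
        "reply_reaches_inside": reaches(Packet(remote, public, 80, False)),
        "spoofed_rfc1918_reaches_inside": reaches(
            Packet(ip_address("192.168.1.1"), public, 22, True)),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("with filter" if mode else "NAT only", scenario(mode))
```

Without the filter every inbound packet to the allocated pool address lands on 10.0.0.5, including the unsolicited SSH probe and the packet with a spoofed 192.168.1.1 source; with the filter, only the published HTTPS port and replies to connections opened from inside get through. The pool address was chosen by the NAT, which is exactly why "the attacker doesn't know the mapping" buys nothing once the binding exists.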
Richard Welty