Failure modes: NAT vs SPI
- Subject: Failure modes: NAT vs SPI
- From: iljitsch at muada.com (Iljitsch van Beijnum)
- Date: Thu, 3 Feb 2011 20:47:48 +0100
- In-reply-to: <[email protected]>
- References: <[email protected]>
On 3 feb 2011, at 20:09, Jay Ashworth wrote:
> That's the expansion of "fails safe".
You conveniently overlook my earlier message about this.
But sure, let's assume that at some point, some packets from the outside manage to pass through to the inside in the IPv6 case. So how does anyone know where to send these packets in the first place? And if they do, what bad effects exactly do packets coming from the outside have? Ping of death has been fixed a loooong time ago.
And you assume that NATs block packets very well. They don't. First of all, there's UPnP IGD and NAT-PMP. Depending on the type of NAT, the bindings are quite loose and allow lots of additional packets that don't belong to the NATed sessions in. After all, NATs only break incoming sessions by accident. Firewalls do this on purpose, so they do a much better job.
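The point above about loose NAT bindings, as an added example that is not part of the original message: a small Python model of which inbound UDP packets one NAT binding admits under each RFC 4787 filtering behaviour, beside a firewall that matches the recorded flow exactly. The addresses, ports, function names and the simplified firewall model are assumptions made for illustration.

```python
# Added illustration, not from the original message. UDP only; a stateful
# firewall is modelled (an assumption) as exact matching on the recorded flow.
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    ext_port: int      # port the NAT allocated on its public address
    remote_ip: str     # host the inside client contacted
    remote_port: int

MODES = ("endpoint-independent", "address-dependent",
         "address-and-port-dependent", "stateful-firewall")

def inbound_allowed(b, src_ip, src_port, dst_port, mode):
    """Return True if an inbound packet is forwarded to the inside host."""
    if dst_port != b.ext_port:
        return False                       # no binding on that port at all
    if mode == "endpoint-independent":
        return True                        # any source may use the binding
    if mode == "address-dependent":
        return src_ip == b.remote_ip       # any port on the contacted host
    if mode in ("address-and-port-dependent", "stateful-firewall"):
        return (src_ip, src_port) == (b.remote_ip, b.remote_port)
    raise ValueError(f"unknown mode: {mode}")

# Constructed sample: inside host sent a DNS query to 198.51.100.10:53 and the
# NAT mapped it to public port 40000 (documentation addresses, RFC 5737).
BINDING = Binding(ext_port=40000, remote_ip="198.51.100.10", remote_port=53)
PACKETS = {
    "reply":          ("198.51.100.10", 53, 40000),
    "same-host":      ("198.51.100.10", 4000, 40000),
    "unrelated-host": ("203.0.113.77", 4000, 40000),
    "unmapped-port":  ("203.0.113.77", 4000, 40001),
}

def survey():
    """Map each filtering mode to the sorted names of packets it lets in."""
    return {m: sorted(n for n, (ip, sp, dp) in PACKETS.items()
                      if inbound_allowed(BINDING, ip, sp, dp, m))
            for m in MODES}

if __name__ == "__main__":
    for mode, admitted in survey().items():
        print(f"{mode:28} {admitted}")
```

When auditing a gateway, the filtering behaviour it actually implements is the property to verify, since the endpoint-independent case forwards packets from hosts the inside client never contacted.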