[ipv6hackers] Is there a telecom company which adopted IPv6 network on LTE?
Doug Barton
dougb at dougbarton.us
Mon Aug 26 21:23:12 CEST 2013
On 08/19/2013 03:48 AM, Marco Ermini wrote:
> Well, of course hiding the source network and ports *is* a security
> measure. It is not of course *the* security measure, you cannot rely on
> that against attacks, and it does not originate from security requirements,
> but in the context of a defence in depth approach, NAT has its place.
Marco,
In the context of a defense in depth approach, please define what attack
surface NAT is helping you defend.
The modern, even marginally sophisticated attacker is already inside the
network nowadays; with spear phishing attacks, or even the typical
pervasive malware that end users just love to click on. Attacks are not
something that happens "from outside" the network anymore.
... and even when they were, NAT still didn't help. The typical attack
scenario "from outside" was that a bastion host would get compromised,
then the attacker would use that host to gain knowledge of the internal
network to find their next, juiciest targets. Often those would not be
things that were communicating to the outside world much, if at all, in
any case.
Further, things like e-mail will give an attacker information about
where a specific host is located on the internal network even if the
system is using 1918 space.
The one security feature that NAT provides as a pleasant side effect is
a SPIF, but you can have that without NAT.
If you disagree with my reasoning here please provide some concrete
examples of real world attack scenarios where NAT helps. Simply saying
"hiding the internal network structure is a good thing" is not sufficient.
Doug
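The e-mail point above is easy to check for yourself. The following is an added example, not code from the ipv6hackers thread or from either poster: it walks the Received: headers of a message and reports every hop that exposes an RFC 1918 or IPv6 ULA (fc00::/7) address. The message, hostnames and addresses are constructed for illustration; the relay address uses the 203.0.113.0/24 documentation range, which is why the check matches the private ranges explicitly rather than relying on a generic "is private" test.

```python
"""
Added example (not from the ipv6hackers thread): show how a message's
Received: headers reveal internal topology even when the site numbers
its inside hosts from RFC 1918 (or IPv6 ULA) space.
"""
import ipaddress
import re
from email import message_from_string

# Constructed sample message: an outbound mail that crossed three internal
# hops before leaving through the site's relay.  All names and addresses
# are invented (203.0.113.0/24 is the RFC 5737 documentation range).
SAMPLE_MESSAGE = """\
Received: from relay.example.net (relay.example.net [203.0.113.10])
\tby mx.example.org with ESMTP id abc123; Mon, 26 Aug 2013 12:00:00 +0200
Received: from mail-int.corp.example.net (mail-int.corp.example.net [10.20.30.4])
\tby relay.example.net with ESMTP; Mon, 26 Aug 2013 11:59:58 +0200
Received: from ws-finance-17.corp.example.net ([192.168.45.17])
\tby mail-int.corp.example.net with ESMTP; Mon, 26 Aug 2013 11:59:57 +0200
Received: from [fd12:3456:789a:1::25] (helo=laptop.corp.example.net)
\tby ws-finance-17.corp.example.net; Mon, 26 Aug 2013 11:59:56 +0200
From: alice@example.net
To: bob@example.org
Subject: test

body
"""

# The ranges the post is talking about: RFC 1918 for IPv4, ULA for IPv6.
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]

# Dotted quads not embedded in a longer dotted token (avoids hostnames),
# and bracketed IPv6 literals as they appear in Received: headers.
IPV4_RE = re.compile(r"(?<![\w.])((?:\d{1,3}\.){3}\d{1,3})(?![\w.])")
IPV6_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:]+)\]")


def is_internal(addr):
    """True if addr (string or ipaddress object) is RFC 1918 or ULA."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    # 'in' is False when the address and network families differ.
    return any(addr in net for net in INTERNAL_RANGES)


def extract_addresses(header_value):
    """All syntactically valid IP literals in one Received: header."""
    found = []
    for regex in (IPV4_RE, IPV6_RE):
        for m in regex.finditer(header_value):
            try:
                found.append(ipaddress.ip_address(m.group(1)))
            except ValueError:
                continue  # e.g. a malformed literal; not an address
    return found


def internal_hops(raw_message):
    """Return (hop_index, address) for each Received: header that leaks an
    internal address.  Index 0 is the outermost (last-added) header."""
    msg = message_from_string(raw_message)
    leaks = []
    for idx, hdr in enumerate(msg.get_all("Received", [])):
        for addr in extract_addresses(hdr):
            if is_internal(addr):
                leaks.append((idx, str(addr)))
    return leaks


if __name__ == "__main__":
    for hop, addr in internal_hops(SAMPLE_MESSAGE):
        print(f"hop {hop}: internal address {addr} exposed")
```

The hop order is the point: an outsider who receives one message from the site learns the inside relay, the workstation naming scheme and, from the last hop, that the site also runs ULA addressing on the IPv6 side, none of which the NAT box at the edge hid.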
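The stateful filtering Doug refers to, modelled as an added example that is not part of the thread: the filter below tracks which flows were initiated from the inside prefix and accepts only those and their replies, with both ends keeping globally routable IPv6 addresses (the 2001:db8::/32 documentation prefix) and no address rewriting anywhere. The packet trace and prefixes are constructed for illustration; the class is a model of the decision logic, not a firewall.

```python
"""
Added example (not from the ipv6hackers thread): the "stateful packet
inspection" side effect of NAT, reproduced with no translation at all.
"""
import ipaddress
from collections import namedtuple

# A packet reduced to the 5-tuple a connection tracker keys on.
Packet = namedtuple("Packet", "proto src sport dst dport")


class StatefulFilter:
    """Accept anything initiated from the inside prefix and the replies
    to it; drop unsolicited inbound traffic.  Addresses are never rewritten."""

    def __init__(self, inside_prefix):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.flows = set()  # 5-tuples of flows seen leaving the inside

    def _from_inside(self, pkt):
        return ipaddress.ip_address(pkt.src) in self.inside

    def handle(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self._from_inside(pkt):
            self.flows.add(fwd)  # NEW outbound flow (or more of an existing one)
            return "ACCEPT"
        if rev in self.flows:
            return "ACCEPT"      # ESTABLISHED: a reply to an inside-initiated flow
        return "DROP"            # unsolicited inbound, no matching flow


def run_trace(packets, inside_prefix="2001:db8:1::/48"):
    """Feed a packet sequence through one filter; return the verdicts."""
    fw = StatefulFilter(inside_prefix)
    return [fw.handle(p) for p in packets]


# Constructed trace: one legitimate session plus two unsolicited probes.
TRACE = [
    Packet("tcp", "2001:db8:1::10", 51000, "2001:db8:ff::80", 443),   # inside -> web server
    Packet("tcp", "2001:db8:ff::80", 443, "2001:db8:1::10", 51000),   # server's reply
    Packet("tcp", "2001:db8:ff::80", 443, "2001:db8:1::10", 51001),   # wrong port, no flow
    Packet("tcp", "2001:db8:bad::1", 40000, "2001:db8:1::10", 22),    # scan from outside
]

if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, run_trace(TRACE)):
        print(f"{verdict:6} {pkt.src}.{pkt.sport} -> {pkt.dst}.{pkt.dport}")
```

Two caveats a real deployment needs and this model leaves out: a production tracker also follows TCP state and expires idle entries, and on IPv6 it must admit the ICMPv6 messages that address resolution and path MTU discovery depend on rather than treating every inbound ICMPv6 packet as unsolicited.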