IPv6

Richard Pieri richard.pieri-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Thu Mar 31 22:56:35 EDT 2011


On Mar 31, 2011, at 10:20 PM, Rich Braun wrote:
> 
> IPv4 NAT makes such verification more or less impossible at the upstream ISP
> side. That's one thing I like about the status quo.

This is a myth.  It's quite possible and sometimes trivially easy for an ISP to determine if a customer has multiple devices behind NAT and to count how many are being used.  A simple method is to look at the time stamps on every packet.  Every OS has a known time stamp increment method.  If you watch how the time stamps change then you can identify the operating system.  If you see more than one OS then chances are that the customer has more than one running system behind NAT.  Related, no two system clocks are precisely in sync, not even with NTP.  If you see time stamps shift forward and backward in time then you have identified multiple nodes behind the NAT bridge.  There are other ways; these just happen to be two of the easiest ones.

Remember when I wrote that NAT provides zero security?  It really, really does provide zero security.  None whatsoever.  If you think it does then think again.

--Rich P.
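As an added illustration of the time-stamp method described in the post (example code, not from the original message or its author), the following Python fits observed TCP timestamp values to per-host clock lines over a constructed packet sample. It assumes the "time stamps" in question are the TCP timestamp option (TSval), that hosts tick at one of a few known rates, and a fixed jitter allowance; all three are assumptions for the example.

```python
from collections import namedtuple

# Tick rates (Hz) that TCP/IP stacks commonly use for the TCP timestamp option
# (TSval); the candidate set and the jitter allowance are assumptions here.
KNOWN_RATES = (100, 250, 1000)
JITTER_S = 0.05

# One observation: capture time in seconds and the TSval from the TCP header.
Packet = namedtuple("Packet", "t tsval")

def fits(line, pkt):
    """True if pkt lies on the clock line (rate, offset): tsval ~ offset + rate*t."""
    rate, offset = line
    return abs(pkt.tsval - (offset + rate * pkt.t)) <= rate * JITTER_S + 1

def pair_rate(a, b):
    """Known tick rate consistent with a and b coming from one clock, else None."""
    dt = b.t - a.t
    if dt <= 0:
        return None
    for rate in KNOWN_RATES:
        if abs((b.tsval - a.tsval) - rate * dt) <= rate * JITTER_S + 1:
            return rate
    return None

def count_clocks(packets):
    """Group packets into distinct timestamp clocks; each clock is one host.
    Different rates imply different OSes; the same rate with a different offset
    implies a separate machine whose clock runs apart from the others (the two
    observations in the post). 32-bit TSval wraparound is assumed absent."""
    lines, pending = [], []  # confirmed (rate, offset) lines; unexplained packets
    for pkt in sorted(packets, key=lambda p: p.t):
        if any(fits(line, pkt) for line in lines):
            continue
        for prev in pending:  # pair with an earlier unexplained packet if possible
            rate = pair_rate(prev, pkt)
            if rate is not None:
                lines.append((rate, prev.tsval - rate * prev.t))
                pending.remove(prev)
                break
        else:
            pending.append(pkt)
    return lines, pending

# Constructed sample: three hosts behind one NAT address. A and C both tick at
# 1000 Hz but booted at different times; B ticks at 250 Hz (a different OS).
SAMPLE = [Packet(0.0, 500000), Packet(1.0, 501000), Packet(2.5, 502500),     # host A
          Packet(0.3, 30075), Packet(1.7, 30425),                            # host B
          Packet(0.6, 9000600), Packet(2.0, 9002000), Packet(3.1, 9003100)]  # host C
```

On the constructed sample, `count_clocks(SAMPLE)` returns three clock lines (rates 1000, 250 and 1000 Hz) and no unexplained packets, i.e. three hosts behind the single NAT address.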
