> On Jun 14, 2016, at 11:57 , Ricky Beam <jfb...@gmail.com> wrote:
> 
> On Sun, 12 Jun 2016 19:47:18 -0400, Owen DeLong <o...@delong.com> wrote:
>>> NAT may not be security, yet it's the only thing securing billions of 
>>> people.
>> 
>> Nope… NAT Can’t be done without stateful inspection.
> 
> Negative.
> - 1:1 NAT (inside address A == outside address B) requires no state of any 
> kind.

Sigh… This is not the kind of NAT we are talking about here. We are talking 
about address multiplexing NAT.

1:1 NAT provides no security whatsoever, either.

> - Connection Tracking is not stateful inspection

Yes, actually, it is a form of stateful inspection.

> - NAT Helpers / ALG / etc. (things that look for embedded addresses) aren't 
> "stateful inspection”

Yes, actually, they are part of the more general category of stateful 
inspection.

> The only "security" one gets from NAT comes from the lack of outside 
> visibility through the NAT. An outside host cannot initiate a connection to 
> any specific inside host of their choosing.

If you are doing 1:1 NAT without stateful inspection, you don’t get this.

> I've seen many "IPv6 Capable" CPEs that apply ZERO security to IPv6 traffic. 
> IPv4 goes through NAT, so one gets the pseudo-security of not being directly 
> touchable from the internet.

Those are by definition poorly designed CPE. We used (and arguably still do) 
have lots of poorly designed IPv4 CPE, too.

Blaming the protocol for bad CPE design is kind of silly.

Each and every one of those CPEs you describe _IS_ doing some form of stateful 
inspection of the packet in order to be able to perform its translation 
function or drop the unrelated packet.

An open 1:1 NAT with no stateful inspection is no more secure than a direct 
route. Changing the packet header doesn’t make you any less reachable.

In fact, it further proves my point that no security comes from the NAT itself, 
but, rather from the validation of inbound packets as to whether they match an 
existing outbound session or not. That validation, however it is done, _IS_ 
stateful inspection. Without it, you’ve offered no security advantage and 
prevented no reachability.

Owen


Reply via email to