Hi Roger,
On Oct 29, 2010, at 9:19 PM, Roger Marquis wrote:
> _Also_? Some? Really? I don't mean to question Margaret's experience
> but I have to wonder what this statement is based on.
My statements are based on statements made by others here on this
list, and at presentations of NAT66, as well as my work experience at
companies that chose to use NAT for various reasons. I have managed
IT, run enterprise networks and/or been involved in network planning
for a few small-to-medium-sized enterprises, and we chose to use NAT
on most of those networks for various reasons.
Some people say that NAT66 (as defined in the NAT66 document) will
address their needs for NAT in IPv6. They want to use NAT in IPv6 for
address independence, and they do not desire the other features/side
effects of NAPT -- blocking inbound connections, forcing multiple
nodes to use a single address which interferes with tracking/
identification of individual nodes outside the NAT, port sharing which
results in several nodes having only one instance of a given port, etc.
Some people say that they need an IPv6 NAT box that blocks all incoming
connections (unless they intentionally let something in). At least
some of this group would be happy with a device that combines NAT66
and a stateful firewall that defaults to a closed configuration (as
mentioned in this draft). I am not sure that I understand how/if an
IPv6 NAPT box would meet this need better than a NAT66/Stateful FW
combination, as long as the stateful firewall "failed closed", as you
say. Can you explain why you view NAPT as a better solution than a
NAT66/Stateful FW combination?
Other people actually seem to _want_ to have multiple internal nodes
addressed at a single IP address using port translation. In most
cases I've heard described, this is desired for its "topology hiding"
properties. The ability to track/identify individual nodes outside
the site can go both ways -- it can make it easier for network
administrators to locate/diagnose network issues, but it also makes it
easier for attackers to identify individual nodes to attack. I've
heard people argue on both sides of this issue.
For folks who only want NAT for address independence, NAT66 (possibly
combined with a stateful firewall) provides that, without all of the
other NAT side effects. For folks who actually _want_ the properties
and/or side effects of sharing a single address among multiple nodes,
NAT66 won't do what they want, and they will ask their vendors for
something else. That "something else" may be defined by the IETF or
by customers/vendors, but it is not the intended subject of discussion
on this list.
Margaret
> Most of us security professionals use NAT to block _all_ incoming
> connections _by_default_. This is known as fail-closed.
> Internal hosts that need static mappings to external IPs get them, as
> exceptions to the default rule.
> Question for Margaret: would you consider firewalls that fail-open to be
> best practice? If not then why do you consider that model to be
> appropriate when applied to NAT66?
>> I think it would make sense for the IETF to look into those use cases in
>> more detail, as was already done for CPE equipment.
> Why would the IETF analyze what is codified in nearly every firewall
> security policy and standard practice across the overwhelming majority of
> home and business uplinks?
> Roger Marquis
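Added example, not part of this thread or of any IETF document: a small Python model of the two devices the exchange contrasts. A stateless NAT66 prefix translator only rewrites addresses and forwards everything, so on its own it does not block unsolicited inbound traffic; a fail-closed stateful firewall placed beside it drops inbound packets unless they answer a recorded outbound flow or match an explicitly configured exception (the "static mapping" case). Prefixes, hosts and ports are constructed; the translator is simplified and omits the checksum-neutral mapping the NAT66 draft specifies.

```python
"""Added example: NAT66 prefix translation alone versus NAT66 + a fail-closed
stateful firewall. All addresses and ports below are constructed sample values."""
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

LOW64 = (1 << 64) - 1  # interface-identifier bits, kept unchanged by NAT66

class Nat66:
    """1:1 prefix rewrite: inside prefix <-> outside prefix, interface ID kept.
    Simplified: the NAT66 draft's checksum-neutral adjustment is omitted.
    Note that nothing here ever drops a packet."""
    def __init__(self, inside: str, outside: str):
        self.inside = ipaddress.ip_network(inside)
        self.outside = ipaddress.ip_network(outside)

    def _map(self, addr: str, frm, to) -> str:
        a = ipaddress.ip_address(addr)
        if a not in frm:
            return addr  # not our prefix: pass through untouched
        return str(ipaddress.ip_address(int(to.network_address) | (int(a) & LOW64)))

    def outbound(self, pkt: Packet) -> Packet:
        return replace(pkt, src=self._map(pkt.src, self.inside, self.outside))

    def inbound(self, pkt: Packet) -> Packet:
        return replace(pkt, dst=self._map(pkt.dst, self.outside, self.inside))

class StatefulFirewall:
    """Fail-closed: inbound is dropped unless it answers a recorded outbound
    flow or hits an explicitly configured exception (inside address, port)."""
    def __init__(self, exceptions=()):
        self.exceptions = set(exceptions)
        self.flows = set()

    def outbound(self, pkt: Packet) -> bool:
        # Record the flow by its inside-side 4-tuple; outbound is always allowed.
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        # Called after NAT66 has restored the inside destination address.
        reply_to = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reply_to in self.flows or (pkt.dst, pkt.dport) in self.exceptions

def run_scenario(use_firewall: bool):
    """Push constructed traffic through NAT66 alone, or NAT66 + stateful FW.
    Returns (label, forwarded?, inside-side or wire-side address) tuples."""
    nat = Nat66("fd00:1::/64", "2001:db8:1::/64")  # constructed prefixes
    fw = StatefulFirewall(exceptions={("fd00:1::c", 443)}) if use_firewall else None
    results = []
    # 1. An inside host opens a connection outwards.
    out = Packet("fd00:1::a", "2001:db8:ffff::1", 50000, 443)
    if fw:
        fw.outbound(out)
    out_wire = nat.outbound(out)
    results.append(("outbound", True, out_wire.src))
    # 2. The reply to that flow comes back to the translated address.
    reply = nat.inbound(Packet("2001:db8:ffff::1", out_wire.src, 443, 50000))
    results.append(("reply", fw.inbound(reply) if fw else True, reply.dst))
    # 3. Unsolicited inbound to an inside host that never spoke.
    probe = nat.inbound(Packet("2001:db8:ffff::9", "2001:db8:1::b", 40000, 22))
    results.append(("unsolicited", fw.inbound(probe) if fw else True, probe.dst))
    # 4. Inbound to the one static exception the administrator configured.
    svc = nat.inbound(Packet("2001:db8:ffff::9", "2001:db8:1::c", 40001, 443))
    results.append(("exception", fw.inbound(svc) if fw else True, svc.dst))
    return results

if __name__ == "__main__":
    for label, fwd, addr in run_scenario(use_firewall=False):
        print(f"NAT66 only      {label:12} forwarded={fwd!s:5} {addr}")
    for label, fwd, addr in run_scenario(use_firewall=True):
        print(f"NAT66 + FW      {label:12} forwarded={fwd!s:5} {addr}")
```

Running it shows the difference the thread turns on: with NAT66 alone every inbound packet, including the unsolicited one, is delivered to an inside host; with the stateful firewall beside it, only the reply and the configured exception get through, which is the fail-closed default Roger describes and the NAT66/stateful-firewall combination Margaret refers to.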
_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66