Re: NAT-IPv6
In message 001501bfaf43$127e4d00$[EMAIL PROTECTED], "Eliot Lear" writes:
> It is a complete fallacy that NAT provides any sort of security. It does no such thing. Security is provided by a firewall, and (more importantly) by strong security policies that are policed and enforced.

Eliot is absolutely right. A NAT box *might* be part of a firewall, but by itself it isn't one. It's no more secure, and often less so, than an application-level firewall.

The myth that NATs per se provide strong security is one of the greatest barriers to their elimination.

--Steve Bellovin
Re: NAT-IPv6
From: "Steven M. Bellovin" [EMAIL PROTECTED]
> In message 001501bfaf43$127e4d00$[EMAIL PROTECTED], "Eliot Lear" writes:
>> It is a complete fallacy that NAT provides any sort of security. It does no such thing. Security is provided by a firewall, and (more importantly) by strong security policies that are policed and enforced.
>
> Eliot is absolutely right. A NAT box *might* be part of a firewall, but by itself it isn't one. It's no more secure, and often less so, than an application-level firewall.

You are both right ... from a strong point of view. But if an intruder can't hook a target host simply because he does not know how he can open TCP to it, then it is also part of security.

> The myth that NATs per se provide strong security is one of the greatest barriers to their elimination.

It is not a myth. It is a level of thinking. If you set up only a firewall and you are not a very good network engineer, you can't understand where the next threat could be. Your TCP stack/firewall/etc. may have a bug; some new protocol may have a misdesign. But anybody clearly understands that if your internal hosts do not have a public address then all attacks may only be static - wait until an internal host opens TCP to somewhere. And this kind of attack may at least be investigated and the compromised external host may be found. I am not a NAT defender but I recognize how the IS dept thinks. I prefer a mixed solution like a unique host system ID + some controllable route address.

- Leonid Yegoshin, LY22
Re: NAT-IPv6
From: Greg Hudson [EMAIL PROTECTED]
>> But anybody clearly understands that if your internal hosts do not have a public address then all attacks may only be static - wait until an internal host opens TCP to somewhere.
>
> This is a naive understanding. Source-routing would let me get packets through to an internal address unless your NAT also acts as a firewall.

Why isn't it also naive to assume that vulnerable applications on hosts inside will honor IP source routes on the return path? See, for example, the current BSD source for telnetd and rlogind.

Vernon Schryver [EMAIL PROTECTED]
Re: NAT-IPv6
It's also completely naive to think that source routing is your only threat. One can break into a NAT. One can forge packets and address them appropriately. Firewalls prevent this, not NATs.
Re: NAT-IPv6
From: "Eliot Lear" [EMAIL PROTECTED]
> It's also completely naive to think that source routing is your only threat. One can break into a NAT. One can forge packets and address them appropriately. Firewalls prevent this, not NATs.

That statement is just as naive, unless you qualify the word "firewalls," and I'm not talking about accidents. For example, what is a "router firewall" except a lame NAT box? It includes typical NAT filtering rules and has NAT rewriting consisting of the identity map. A NAT box is like many routers sold as firewalls, except that it does better filtering in its default configuration than a router firewall, and has more than just the identity map for rewriting addresses and payloads. You can't even say that pure application-layer or host-based firewalls are always more secure than NAT boxes, because many host systems used for such firewalls are happy to forward IP packets (although IP forwarding is less likely to be on by default today).

I'm objecting to superstition cloaked as engineering, including
 - "NAT boxes provide security",
 - "firewalls provide security but NAT boxes don't",
and my hot button,
 - "IP source routes are security threats."

Vernon Schryver [EMAIL PROTECTED]
Re: NAT-IPv6
From: Greg Hudson [EMAIL PROTECTED]
>> But anybody clearly understands that if your internal hosts do not have a public address then all attacks may only be static - wait until an internal host opens TCP to somewhere.
>
> This is a naive understanding. Source-routing would let me get packets through to an internal address unless your NAT also acts as a firewall.

Let's try. Today most hosts have the "IP-forwarding" switch off, for security reasons.

> (Granted, I think it turns out that pretty much all NATs do this kind of firewalling in all cases. But there's no reason why a firewall allowing only outgoing connections should be any more error-prone than a NAT gateway.)

Greg, how do you determine an outgoing RTP connection like VoIP, for example? UDP often has no clear "open" packet and is difficult to control in a classic firewall. Fortunately VoIP may have H.323 or SIP negotiation first, but are you sure about other protocols?

- Leonid Yegoshin, LY22
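As an added illustration, not from any poster in this thread, the following Python sketch models the "firewall allowing only outgoing connections" Greg describes and the UDP objection Leonid raises: it keeps the same per-flow table a NAT needs in order to translate replies, creates TCP state only on an outbound SYN, and has to create UDP state on any outbound datagram because UDP has no "open" packet. The private prefix, idle timeouts, addresses and traffic are constructed assumptions.

```python
from collections import namedtuple

# One packet as seen by the gateway; ts is seconds (constructed sample data).
Packet = namedtuple("Packet", "proto src sport dst dport syn ts")

INSIDE = "10.0.0."                # assumed private prefix behind the gateway
IDLE = {"tcp": 3600, "udp": 30}   # assumed idle timeouts per protocol


class OutboundOnlyFilter:
    """Admits inbound packets only as replies to flows an inside host opened.
    The flow table is the same per-flow state a NAT keeps to translate
    replies, which is why a NAT and this filter behave alike here."""

    def __init__(self):
        self.flows = {}  # (proto, in_ip, in_port, out_ip, out_port) -> last ts

    def handle(self, p):
        """Return 'allow' or 'drop' for one packet."""
        # Age out idle flows first.
        self.flows = {k: t for k, t in self.flows.items()
                      if p.ts - t <= IDLE[k[0]]}
        if p.src.startswith(INSIDE):  # outbound from an inside host
            key = (p.proto, p.src, p.sport, p.dst, p.dport)
            # TCP: only a SYN may create state.  UDP: any datagram must, since
            # there is no "open" packet (the RTP/VoIP problem raised above).
            if p.proto == "udp" or p.syn or key in self.flows:
                self.flows[key] = p.ts
                return "allow"
            return "drop"
        key = (p.proto, p.dst, p.dport, p.src, p.sport)  # inbound: mirror tuple
        if key in self.flows:
            self.flows[key] = p.ts
            return "allow"
        return "drop"  # unsolicited inbound: no inside host asked for it


def demo():
    """Run constructed traffic through the filter; returns the decisions."""
    f = OutboundOnlyFilter()
    pkts = [
        Packet("tcp", "10.0.0.5", 40000, "203.0.113.9", 80, True, 0),    # out SYN
        Packet("tcp", "203.0.113.9", 80, "10.0.0.5", 40000, False, 1),   # reply
        Packet("tcp", "198.51.100.7", 4444, "10.0.0.5", 23, True, 2),    # unsolicited
        Packet("udp", "10.0.0.5", 5004, "203.0.113.9", 5004, False, 3),  # RTP out
        Packet("udp", "203.0.113.9", 5004, "10.0.0.5", 5004, False, 4),  # RTP back
        Packet("udp", "203.0.113.10", 5004, "10.0.0.5", 5004, False, 5), # other media host
        Packet("udp", "203.0.113.9", 5004, "10.0.0.5", 5004, False, 60), # after idle
    ]
    return [f.handle(p) for p in pkts]
```

The two dropped UDP packets show the practical problem: media arriving from a host or port the inside client never sent to, or after a quiet period, is indistinguishable from unsolicited traffic without protocol-aware (SIP/H.323) state.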
Re: NAT-IPv6
From: Matt Holdrege [EMAIL PROTECTED]
>> The basic key *architectural* problem with NAT ... is that when you have a small number of external addresses being shared by a larger number of hosts behind some sort of "address-sharing" device, there's no permanent association between an address and a host. It's *that* that causes many of the worst problems - problems for which there *is* no good work-around (because the problem is fundamental in nature).
>> ... if you have a site which has more hosts than it can get external IPv4 addresses for .. *deploying IPv6 internally to the site does the site basically no good at all*.
>
> we've been through all this already ... at the IAB Network Layer Workshop. One of the conclusions is that an IPv6 network NAT'ed to the IPv4 Internet isn't any better than what we have today with IPv4-NAT-IPv4

Well, my statement is broader than that. It says that *any* IPv6-IPv4 interoperability mechanism is going to have the same fundamental problems as IPv4-IPv4 NAT. I think that's a pretty powerful statement, one that puts a hard ceiling on what one can hope to accomplish (in any moderate timeframe) with *any* alternative to IPv4-IPv4 NAT (including IPv4 RSIP).

> So if you are NAT'd to the public Internet today, you shouldn't have a problem with converting internally to IPv6. At least from an architectural sense. :)

Sure, you're going to have basically the same service externally, if you are using IPv6 internally, as you are if you are using IPv4 internally.

So, you're the CIO for Foondoggle Corp, and you're trying to figure out whether to spend any of your Q3 funds on IPv6 conversion. Let's see, benefits are not very many (autoconfig may be the best one), and the cost is substantial. OK, let's put it off till the next quarter. Go back to step 1.

Noel
Re: NAT-IPv6
Hello Matt,

I probably shouldn't tread into these waters, but...

>> Now, if you have a site which has more hosts than it can get external IPv4 addresses for, then as long as there are considerable numbers of IPv4 hosts a site needs to interoperate with, *deploying IPv6 internally to the site does the site basically no good at all*.
>
> I think we've been through all this already and we explored it deeply at the IAB Network Layer Workshop. One of the conclusions is that an IPv6 network NAT'ed to the IPv4 Internet isn't any better than what we have today with IPv4-NAT-IPv4, yet it will allow the given network to move to IPv6 in hopes of someday connecting to other IPv6 networks without using NAT.

The last sentence isn't internally self-consistent. NATting from IPv6 to IPv4 creates the potential that you mention, and that is a benefit. SO, it _is_ better.

If we get to a model where large new domains use IPv6 addressing with NAT to global IPv4 address space, that would be quite useful. Before too long, services will appear on the IPv6 network that can't get the IPv4 global addresses they need. IPv6 clients will work at least as well as privately-addressed IPv4 clients, so that there is no downside to going IPv6. As this happens more and more, the IPv6 domains will begin to dominate and interconnect efficiently. Since the Internet continues to grow rapidly, today's dominant deployment may well be tomorrow's sad legacy. Or not, depending on who knows what?

> So if you are NAT'd to the public Internet today, you shouldn't have a problem with converting internally to IPv6. At least from an architectural sense. :)

Indeed. And, to re-use an old bit of wisdom: "You're either part of the problem, or part of the solution".

Regards,
Charlie P.
Re: NAT-IPv6
From: "Charles E. Perkins" [EMAIL PROTECTED]
> If we get to a model where large new domains use IPv6 addressing with NAT to global IPv4 address space, that would be quite useful. Before too long, services will appear on the IPv6 network that can't get the IPv4 global addresses they need.

I asked my friend who manages a corporate network - "how long"? He answered - "why? I have 3 big outside servers and 1000 desktops. I need only 5 non-NATted Internet addresses and 128 NATted... And NAT is a very powerful security firewall for me - I don't need to keep an eye on desktops!"

- Leonid Yegoshin, LY22
Re: NAT-IPv6
It is a complete fallacy that NAT provides any sort of security. It does no such thing. Security is provided by a firewall, and (more importantly) by strong security policies that are policed and enforced.

----- Original Message -----
From: Leonid Yegoshin [EMAIL PROTECTED]
Newsgroups: cisco.external.ietf
Sent: Tuesday, April 25, 2000 10:11 PM
Subject: Re: NAT-IPv6

> From: John Stracke [EMAIL PROTECTED]
>> "J. Noel Chiappa" wrote:
>>> So, you're the CIO for Foondoggle Corp, and you're trying to figure out whether to spend any of your Q3 funds on IPv6 conversion. Let's see, benefits are not very many (autoconfig may be the best one), and the cost is substantial.
>>
>> Sure. Then you buy out Moondoggle Corp, which used some of the same private IP numbers you did, and you're faced with having to renumber everything. While you're at it, you decide to convert both networks to v6 so it'll be easier next time. (Yes, I know you could put a NAT between the two former companies; but it'll *hurt*.)
>
> Once, in a company where I worked, somebody brought in a virus and it crashed a lot of Windows hosts. I don't remember details about its fast propagation but I remember how terribly the IS staff wanted to put firewalls/NATs between each floor! They considered it the only warranty and _asked_ for money for that.
>
> - Leonid Yegoshin, LY22