Re: Security gain from NAT: Top 5

2007-06-06 Thread Brandon Butterworth

> >   #1 NAT advantage: it protects consumers from vendor
> >   lock-in.
> >
> Speaking of FUD...  NAT does nothing here that is not also accomplished
> through the use of PI addressing.

True, DIY PI (mmm, PI) is a major reason people use it for v4 and why
they'll want something similar for v6. No internal renumbering,
ever. I can see why they choose it, even with the disadvantages

PI for everyone?

brandon


Re: Security gain from NAT: Top 5

2007-06-06 Thread Owen DeLong

>   #1 NAT advantage: it protects consumers from vendor
>   lock-in.


Speaking of FUD...  NAT does nothing here that is not also accomplished
through the use of PI addressing.


>   #2  NAT advantage: it protects consumers from add-on
>   fees for address space.


More FUD.  The correct solution to this problem is to make it possible
for end users to get reasonable addresses directly from RIRs for
reasonable fees.


>   #3  NAT advantage: it prevents upstreams from limiting
>   consumers' internal address space.


Regardless of the amount of growth, do you really see the likelihood
of any household _EVER_ needing more than 65,536 subnets?
I don't even know the exact result of multiplying out 16*1024^6, but,
I'm betting you can't fill 65,536 subnets that big ever no matter how
hard you try.  So, again, I say FUD.


>   #4  NAT advantage: it requires new protocols to adhere to
>   the ISO seven layer model.


Quite the contrary... NAT has encouraged the development of hack upon
hack to accommodate these protocols.  Please explain to me how you
would engineer a call setup-tear-down protocol for an independent
audio stream that didn't require you to embed addresses in the payload.
Until you can solve this problem, we will have to have protocols that
break this model.  Other than from some sort of ISO purity model
(notice how popular OSI networking is today, compared to IP?), SIP
is actually a pretty clean solution to a surprisingly hard problem.
Unless you have a better alternative for the same capabilities, I'm
not buying it.  We shouldn't have to give up useful features for
architectural purity.  If the architecture can't accommodate real world
requirements, it is not the requirements that are broken.

That's sort of like saying that OSPF and BGP break the ISO layer model
because they talk about layer three addresses in layer 4-7 payload.
Heck, even ISIS is broken by that definition.  Again, I cry FUD.


>   #5  NAT advantage: it does not require replacement security
>   measures to protect against netscans, portscans, broadcasts
>   (particularly Microsoft's NetBIOS), and other malicious
>   inbound traffic.


??? This is pure FUD and patently untrue.  Example:  About the cheapest
NAT capable firewall you can buy is a Linksys WRT-54G.  If you put
real addresses on both sides of it and change a single checkbox in the
configuration GUI, you end up with a Stateful Inspection firewall that
gives you all the same security you had with the NAT, but, without the
penalties imposed by NAT.

Until you can show me a box that is more than USD 40 cheaper than
a WRT-54G that cannot have NAT turned off, again, I cry FUD.
Oh, btw, a WRT-54G sells for about USD 40 last time I bought one
brand new at Best Buy, so, that's a pretty hard metric to meet.


> These are just some of the reasons why NAT is, and will continue to
> be, an increasingly popular technology for much more than address
> conservation.

Since each and every one of them is FUD, that is certainly the pot
calling the kettle black.  Unfortunately, time and again, American politics has
proven that FUD is a successful marketing tactic, so, you are probably
right, there will probably be a sufficient critical mass of ignorant
consumers and vendors that will buy into said FUD and avoid the real solution
in favor of continuing the abomination that is NAT and all the baggage
of STUN, difficult debugging, header mangling, address conflicts,
and the rest that tends to come with it.

Owen





Re: Security gain from NAT: Top 5

2007-06-06 Thread Matthew Palmer

On Wed, Jun 06, 2007 at 08:49:21PM -0700, Roger Marquis wrote:
> Problem is that NAT will not go away or even become less common in
> IPv6 networks for a number of reasons.
> 
>   #1 NAT advantage: it protects consumers from vendor
>   lock-in.
> 
> Consider the advantage of globally unique public addressing to ISPs
> and telcos.  Without NAT they have a very effective vendor lock-in.
> Want to change ISPs?  It's only as easy as reconfiguring every device
> and/or DHCP server on your internal network.  With NAT you only need
> to reconfigure a single device, sometimes not even that.

Isn't this the problem that router advertisements are meant to solve?  Do
you have operational experience which suggests that they aren't a sufficient
solution?

>   #2  NAT advantage: it protects consumers from add-on
>   fees for address space.
> 
> Given the 100 to 10,000% mark-ups many telcos and ISPs already charge
> for more than a /29 it should come as no surprise they would be
> opposed to NAT.

I was under the impression that each end-user of an IPv6 ISP got a /64
assigned to them when they connected.

>   #3  NAT advantage: it prevents upstreams from limiting
>   consumers' internal address space.
> 
> Even after full implementation of IPv6 the trend of technology will
> continue to require more address space.  Businesses will continue to
> grow and households will continue to acquire new IP-enabled devices.
> Without NAT consumers will be forced to request new netblocks from
> their upstream, often resulting in non-contiguous networks. Not
> surprisingly, often incurring additional fees as well.

By my calculations, the /64 of address space given to each connection will
provide about 18446744073709551616 addresses.  Is that an insufficient
quantity for the average user of an ISP?

>   #4  NAT advantage: it requires new protocols to adhere to
>   the ISO seven layer model.
> 
> H.323, SIP and other badly designed protocols embed the local address
> in the data portion of IP packets.  This trend is somewhat discouraged
> by the layer-isolation requirements of NAT.

NAT doesn't seem to have stopped the designers of these protocols from
actually deploying their designs, though.

>   #5  NAT advantage: it does not require replacement security
>   measures to protect against netscans, portscans, broadcasts
>   (particularly Microsoft's NetBIOS), and other malicious
>   inbound traffic.
> 
> The vendors of non-NAT devices would love to have you believe that
> their stateful inspection and filtering is a good substitute for the
> inspection and filtering required by NAT devices. Problem is the
> non-NAT devices all cost more, many are less secure in their default
> configurations, and the larger rulesets they are almost always
> configured with are less secure than the equivalent NAT device.

Haven't we already had this thread killed by the mailing list team today?

- Matt

-- 
If only more employers realized that people join companies, but leave
bosses. A boss should be an insulator, not a conductor or an amplifier.
-- Geoff Kinnel, in the Monastery


Re: Security gain from NAT: Top 5

2007-06-06 Thread Roger Marquis


Mark Smith wrote:

> For all those people who think IPv4 NAT is quite fine, I
> challenge them to submit RFCs to the IETF that resolve, without
> creating worse or even more complicated problems, the list
> of problems here. All the IPv6 RFCs do ...

These RFCs clearly have an agenda: selling IPv6.  It is unfortunate
they don't feel it necessary to make a balanced presentation of the
pros and cons but instead appear to believe that spreading FUD about
NAT is an effective method of promoting IPv6.

Problem is that NAT will not go away or even become less common in
IPv6 networks for a number of reasons.

  #1 NAT advantage: it protects consumers from vendor
  lock-in.

Consider the advantage of globally unique public addressing to ISPs
and telcos.  Without NAT they have a very effective vendor lock-in.
Want to change ISPs?  It's only as easy as reconfiguring every device
and/or DHCP server on your internal network.  With NAT you only need
to reconfigure a single device, sometimes not even that.

  #2  NAT advantage: it protects consumers from add-on
  fees for address space.

Given the 100 to 10,000% mark-ups many telcos and ISPs already charge
for more than a /29 it should come as no surprise they would be
opposed to NAT.

  #3  NAT advantage: it prevents upstreams from limiting
  consumers' internal address space.

Even after full implementation of IPv6 the trend of technology will
continue to require more address space.  Businesses will continue to
grow and households will continue to acquire new IP-enabled devices.
Without NAT consumers will be forced to request new netblocks from
their upstream, often resulting in non-contiguous networks. Not
surprisingly, often incurring additional fees as well.

Follow the money and you'll end up with these three reasons why the
technical arguments being made against NAT in opinion pieces like
Keith Moore's (URL above) are so one sided and overtly biased.  But
there are still more reasons NAT will continue to increase in
popularity regardless of IPv6.

  #4  NAT advantage: it requires new protocols to adhere to
  the ISO seven layer model.

H.323, SIP and other badly designed protocols embed the local address
in the data portion of IP packets.  This trend is somewhat discouraged
by the layer-isolation requirements of NAT.

  #5  NAT advantage: it does not require replacement security
  measures to protect against netscans, portscans, broadcasts
  (particularly Microsoft's NetBIOS), and other malicious
  inbound traffic.

The vendors of non-NAT devices would love to have you believe that
their stateful inspection and filtering is a good substitute for the
inspection and filtering required by NAT devices. Problem is the
non-NAT devices all cost more, many are less secure in their default
configurations, and the larger rulesets they are almost always
configured with are less secure than the equivalent NAT device.

These are just some of the reasons why NAT is, and will continue to
be, an increasingly popular technology for much more than address
conservation.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/


Dead Thread (Re: Security gain from NAT)

2007-06-06 Thread alex

I think at this point, everything that could possibly be said about NAT
and security has been said.

Unless you have something profound to add which hasn't been mentioned in
this thread before, please refrain from adding to this thread.

-Alex (for the mailing list team)



Re: Security gain from NAT

2007-06-06 Thread Mark Smith

On Wed, 6 Jun 2007 09:45:01 -0700
David Conrad <[EMAIL PROTECTED]> wrote:

> 
> On Jun 6, 2007, at 8:59 AM, Stephen Sprunk wrote:
> > The thing is, with IPv6 there's no need to do NAT.
> 
> Changing providers without renumbering your entire infrastructure.
> 
> Multi-homing without having to know or participate in BGP games.
> 
> (yes, the current PI-for-everybody allocation mindset would address  
> the first, however I have to admit I find the idea of every small  
> enterprise on the planet playing BGP games a bit ... disconcerting)
> 
> > However, NAT in v6 is not necessary, and it's still evil.
> 
> Even ignoring the two above, NAT will be a fact of life as long as  
> people who are only able to obtain IPv6 addresses and need/want to  
> communicate with the (overwhelmingly IPv4 for the foreseeable future)  
> Internet.  Might as well get used to it.  I for one welcome our new  
> NAT overlords...
>

For all those people who think IPv4 NAT is quite fine, I challenge them
to submit RFCs to the IETF that resolve, without creating worse
or even more complicated problems, the list of problems here. All
the IPv6 RFCs do ... :

http://www.cs.utk.edu/~moore/what-nats-break.html

I've spent a number of years wondering why people seem to like NAT
(don't bother trying to convince me, my burnt stubs of fingers have
convinced me it's evil), and the only feasible conclusion I can come to
is that it is a chance to live out the "invisible man" fantasy they had
in their childhood. We've all had that fantasy I think, and we'd all
like to live it out ...

In IPv6, if you want to have a globally reachable service, you bind it
to a global address, and you protect the rest of the services/layer 4
protocol endpoints on that host that use global addresses via an SI
firewall, preferably on the host itself.

If you don't want to have a service globally reachable, then you don't
bind it to a global address - bind the service only to the ULA
addresses on the host. Then it'll be globally unreachable regardless of
whether there is a SI firewall active or not (although if people start
convincing upstreams and peers to accept their ULA routes external to
their own private network ... well, they made that choice, they'll have
to live with the security consequences)



-- 

"Sheep are slow and tasty, and therefore must remain constantly
 alert."
   - Bruce Schneier, "Beyond Fear"


Re: Security gain from NAT

2007-06-06 Thread David Conrad


On Jun 6, 2007, at 8:59 AM, Stephen Sprunk wrote:

> The thing is, with IPv6 there's no need to do NAT.

Changing providers without renumbering your entire infrastructure.

Multi-homing without having to know or participate in BGP games.

(yes, the current PI-for-everybody allocation mindset would address
the first, however I have to admit I find the idea of every small
enterprise on the planet playing BGP games a bit ... disconcerting)

> However, NAT in v6 is not necessary, and it's still evil.


Even ignoring the two above, NAT will be a fact of life as long as  
people who are only able to obtain IPv6 addresses and need/want to  
communicate with the (overwhelmingly IPv4 for the foreseeable future)  
Internet.  Might as well get used to it.  I for one welcome our new  
NAT overlords...


Rgds,
-drc
 


Re: Security gain from NAT

2007-06-06 Thread Stephen Sprunk


Thus spake "Roger Marquis" <[EMAIL PROTECTED]>

> I, for one, give up. No matter what you say I will never
> implement NAT, and you may or may not implement it if people
> make boxes that support it.
>
> Most of the rest of us will continue to listen to both sides and
> continue to prefer NAT, in no small part because of the absurd
> examples and inconsistent terminology NATophobes seem to feel is
> necessary to make their case.


The thing is, with IPv6 there's no need to do NAT.  What vendors have (so 
far) failed to deliver is a consumer-grade firewall that does SI with the 
same rules on by default that v4 NAT devices have.  Throw in DHCP PD and 
addressing (and renumbering) are automatic.  This is simpler than NAT 
because no "fixup" is required; a v6 firewall with SI and public addresses 
on both sides just needs to inspect packets, not modify them.


The same device will probably be a v4 NAT device; nobody is trying to take 
that away because it's a necessary evil.  However, NAT in v6 is not 
necessary, and it's still evil.


S

Stephen Sprunk  "Those people who think they know everything
CCIE #3723 are a great annoyance to those of us who do."
K5SSS --Isaac Asimov

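The distinction Stephen draws above (a v6 SI firewall with public addresses on both sides that inspects packets but never modifies them, versus v4 NAT whose header rewrite is what creates the need for protocol "fixups" that Owen's #4 and #5 replies also discuss) as a toy connection-tracking model. This is an added illustration, not code from anyone in the thread; the Packet/StatefulFilter/Napt names, the addresses and the SIP-like payload are all constructed for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

class StatefulFilter:
    """IPv6-style SI firewall: public addresses on both sides, inspect but never modify."""
    def __init__(self, allowed=()):
        self.allowed = set(allowed)  # (global addr, port) pairs deliberately exposed
        self.flows = set()           # (inside addr, inside port, outside addr, outside port)

    def outbound(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))  # outbound traffic creates state
        return p                                           # and is forwarded unchanged

    def inbound(self, p):
        # Default deny: only replies to tracked flows or explicitly exposed services pass.
        ok = (p.dst, p.dport, p.src, p.sport) in self.flows or (p.dst, p.dport) in self.allowed
        return p if ok else None

class Napt(StatefulFilter):
    """IPv4 NAPT: the same state machine, plus a header rewrite in each direction."""
    def __init__(self, public_ip, first_port=40000):
        super().__init__()
        self.public, self.next_port = public_ip, first_port
        self.out_map, self.in_map = {}, {}  # (inside addr, port) <-> external port

    def outbound(self, p):
        key = (p.src, p.sport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        ext = self.out_map[key]
        self.flows.add((self.public, ext, p.dst, p.dport))
        # Header rewritten, payload not: an address embedded in the payload (SIP/H.323 style)
        # now disagrees with the header unless an ALG "fixup" patches the payload as well.
        return replace(p, src=self.public, sport=ext)

    def inbound(self, p):
        if super().inbound(p) is None:
            return None
        in_addr, in_port = self.in_map[p.dport]
        return replace(p, dst=in_addr, dport=in_port)  # rewritten again on the way in

def demo():
    # Constructed scenarios (not from the thread): v6 host browsing out plus one exposed service; v4 host behind NAPT.
    v6 = StatefulFilter(allowed=[("2001:db8:1::80", 443)])
    out = v6.outbound(Packet("2001:db8:1::10", 50000, "2001:db8:ffff::1", 80))
    reply = v6.inbound(Packet("2001:db8:ffff::1", 80, "2001:db8:1::10", 50000))
    scan = v6.inbound(Packet("2001:db8:ffff::9", 4444, "2001:db8:1::10", 445))
    svc = v6.inbound(Packet("2001:db8:ffff::9", 4444, "2001:db8:1::80", 443))
    nat = Napt("203.0.113.5")
    sip = nat.outbound(Packet("10.1.2.3", 5060, "198.51.100.7", 5060, b"c=IN IP4 10.1.2.3"))
    return out, reply, scan, svc, sip
```

The v6 filter gives the same default-deny-inbound behaviour the thread credits to NAT, while every packet it forwards is byte-identical to what the host sent; the NAPT path shows the header/payload mismatch that an ALG has to paper over.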



[Fwd: Last Call: draft-hutzler-spamops (Email Submission: Access and Accountability) to BCP]

2007-06-06 Thread Dave Crocker


(Apologies if you receive this more than once.  I am sending it to each list
that is relevant to the topic, in order to make sure the community is aware of
the opportunity and need for comment.  /d)


Folks,

The enclosed announcement solicits comments on "Email Submission:
Access and Accountability" a modest BCP for basic guidance about an aspect of
email service.  (Pretty versions of the document are available at
.)

The IESG needs to hear comments about the utility of this document, with
respect to the operational guidance it provides.

Please consider posting comments, as suggested in the enclosed note, noting
concrete benefits and/or concerns you see for this document.  (By being
concrete, you show that you have read the document and understand it; that
way, the IESG can know that you are offering an informed opinion...)

Thanks.

d/

 Original Message 
Subject: Last Call: draft-hutzler-spamops (Email Submission: Access and
Accountability) to BCP
Date: Wed, 06 Jun 2007 10:32:13 -0400
From: The IESG <[EMAIL PROTECTED]>

The IESG has received a request from an individual submitter to consider
the following document:

- 'Email Submission: Access and Accountability '
as a BCP

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action.  Please send substantive comments to the
[EMAIL PROTECTED] mailing lists by 2007-06-20. Exceptionally,
comments may be sent to [EMAIL PROTECTED] instead. In either case, please
retain the beginning of the Subject line to allow automated sorting.

Note that this is a second run of the Last Call. The first Last Call
happened in 2005, and the current version tried to address all the
comments received then. Taking into account the amount of time since the
first Last Call, the Area Director and the editors decided to run a
two-week Last Call again.

The file can be obtained via
http://www.ietf.org/internet-drafts/draft-hutzler-spamops-07.txt



--

  Dave Crocker
  Brandenburg InternetWorking
  bbiw.net


Re: Security gain from NAT

2007-06-06 Thread Nathan Ward



On 6/06/2007, at 2:53 PM, Roger Marquis wrote:

> So now the cruft extends and embraces, and you have to play DNS
> view games based on whether it's on company A's legacy net,
> company B's legacy net, or the DMZ in between them, and start
> poking around in the middle of DNS packets to tweak the replies
> (which sort of guarantees you can't deploy DNSSEC).

You clearly missed the start of this conversation, and my summaries  
in the last couple of days, about which I am not surprised.


We were discussing IPv6, the lack of NAT was brought up as being  
viewed as a blocker for security reasons, and solutions were  
presented so that it no longer is, assuming adequate education is  
provided.


--
Nathan Ward


Re: Security gain from NAT

2007-06-06 Thread Bill Stewart


On 6/5/07, Roger Marquis <[EMAIL PROTECTED]> wrote:

> Are you proposing that every company use publicly routable address
> space?  How about the ones that don't qualify for a /19 and so are
> dependent on addresses owned by their upstream?


This discussion evolved from an IPv6 discussion, so there's plenty of
address space for everybody in the assumptions, and you can have a /48
even if a /64 is overkill.


> To change ISPs for example, would it be simpler to change the IP
> address of every node in the company or to run NAT on the gateways?


Unlike the security discussions, that's one area where NAT really does
make life easier for medium-large companies (either 1-1 NAT or PNAT
will do.)  It lets you number your internal space as 10/8, regardless
of what ISP or ISPs you're using externally, so if you have to change
one of your ISPs, you don't have to renumber anything except possibly
a couple of externally-visible servers and gateways.
Of course, that only remains true until some merger or acquisition
mashes your 10/8 address space into another company's 10/8 address
space, at which point you've still got work to do unless you were
both careful about taking random subnets of 10/8, e.g. 10.x/16 for
randomly selected x>10.


Thanks; Bill

Note that this isn't my regular email account - It's still experimental so far.
And Google probably logs and indexes everything you send it.