Re: Security gain from NAT: Top 5

2007-06-28 Thread Jo Rhett


On Jun 26, 2007, at 7:44 PM, Jeff Woolsey wrote:
> Things sure are different now, aren't they?   I remember having a whole
> class C from you guys for my half-dozen machines at home... That was a
> while ago...


Not from me/us, and not since ARIN existed or cared about usage ;-)

Meer.net before it started operating a colocation company was a
just-for-friends ISP business and they were given tons of IP space from
their providers back in the mid-1990s and shared it around.  What you
have is Verio-assigned space.


The colocation division came into being after ARIN existed and has  
always used strict allocation guidelines.


--
Jo Rhett
senior geek

Silicon Valley Colocation
Support Phone: 408-400-0550






Re: Security gain from NAT: Top 5

2007-06-26 Thread Jo Rhett


On Jun 6, 2007, at 9:43 PM, Owen DeLong wrote:

>>   #1 NAT advantage: it protects consumers from vendor
>>   lock-in.
>
> Speaking of FUD...  NAT does nothing here that is not also accomplished
> through the use of PI addressing.


If you completely ignore the cost of routing table growth to give  
every company their own PI, sure.



>>   #2  NAT advantage: it protects consumers from add-on
>>   fees for address space.
>
> More FUD.  The correct solution to this problem is to make it possible
> for end users to get reasonable addresses directly from RIRs for
> reasonable fees.


Reasonable is a hard word.  We've had to turn away customers who  
wanted to assign a /27 to each and every machine, without actual  
justification for more than 3 IPs per machine.  Sometimes people want  
to do insane things that aren't technically reasonable, but it's what  
they want to do.  NAT gives them that option.


--
Jo Rhett
senior geek

Silicon Valley Colocation
Support Phone: 408-400-0550






Re: Security gain from NAT: Top 5

2007-06-07 Thread Joe Abley



On 7-Jun-2007, at 02:48, Brandon Butterworth wrote:




>>>   #1 NAT advantage: it protects consumers from vendor
>>>   lock-in.
>>
>> Speaking of FUD...  NAT does nothing here that is not also accomplished
>> through the use of PI addressing.
>
> True, diy PI (mmm, PI) is a major reason people use it for v4 and why
> they'll want something similar for v6. No internal renumbering,
> ever. I can see why they choose it, even with the disadvantages
>
> PI for everyone?


LISP! :-)



Re: Security gain from NAT: Top 5

2007-06-06 Thread Brandon Butterworth

> >   #1 NAT advantage: it protects consumers from vendor
> >   lock-in.
> >
> Speaking of FUD...  NAT does nothing here that is not also accomplished
> through the use of PI addressing.

True, diy PI (mmm, PI) is a major reason people use it for v4 and why
they'll want something similar for v6. No internal renumbering,
ever. I can see why they choose it, even with the disadvantages

PI for everyone?

brandon


Re: Security gain from NAT: Top 5

2007-06-06 Thread Owen DeLong

>   #1 NAT advantage: it protects consumers from vendor
>   lock-in.


Speaking of FUD...  NAT does nothing here that is not also accomplished
through the use of PI addressing.


>   #2  NAT advantage: it protects consumers from add-on
>   fees for address space.


More FUD.  The correct solution to this problem is to make it possible
for end users to get reasonable addresses directly from RIRs for
reasonable fees.


>   #3  NAT advantage: it prevents upstreams from limiting
>   consumers' internal address space.


Regardless of the amount of growth, do you really see the likelihood
of any household _EVER_ needing more than 65,536 subnets?
I don't even know the exact result of multiplying out 16*1024^6, but,
I'm betting you can't fill 65,536 subnets that big ever no matter how
hard you try.  So, again, I say FUD.


>   #4  NAT advantage: it requires new protocols to adhere to
>   the ISO seven layer model.


Quite the contrary... NAT has encouraged the development of hack upon
hack to accommodate these protocols.  Please explain to me how you
would engineer a call setup-tear-down protocol for an independent
audio stream that didn't require you to embed addresses in the payload.
Until you can solve this problem, we will have to have protocols that
break this model.  Other than from some sort of ISO purity model
(notice how popular OSI networking is today, compared to IP?), SIP
is actually a pretty clean solution to a surprisingly hard problem.
Unless you have a better alternative for the same capabilities, I'm
not buying it.  We shouldn't have to give up useful features for
architectural purity.  If the architecture can't accommodate real world
requirements, it is not the requirements that are broken.

That's sort of like saying that OSPF and BGP break the ISO layer model
because they talk about layer three addresses in layer 4-7 payload.
Heck, even ISIS is broken by that definition.  Again, I cry FUD.


>   #5  NAT advantage: it does not require replacement security
>   measures to protect against netscans, portscans, broadcasts
>   (particularly microsoft's netbios), and other malicious
>   inbound traffic.


??? This is pure FUD and patently untrue.  Example:  About the cheapest
NAT capable firewall you can buy is a Linksys WRT-54G.  If you put
real addresses on both sides of it and change a single checkbox in the
configuration GUI, you end up with a Stateful Inspection firewall that
gives you all the same security you had with the NAT, but, without the
penalties imposed by NAT.

Until you can show me a box that is more than USD 40 cheaper than
a WRT-54G that cannot have NAT turned off, again, I cry FUD.
Oh, btw, a WRT-54G sells for about USD 40 last time I bought one
brand new at Best Buy, so, that's a pretty hard metric to meet.


> These are just some of the reasons why NAT is, and will continue to
> be, an increasingly popular technology for much more than address
> conservation.

Since each and every one of them is FUD, that is certainly the pot
calling the kettle black.  Unfortunately, time and again, American
politics has proven that FUD is a successful marketing tactic, so, you
are probably right, there will probably be a sufficient critical mass
of ignorant consumers and vendors that will buy into said FUD and avoid
the real solution in favor of continuing the abomination that is NAT
and all the baggage of STUN, difficult debugging, header mangling,
address conflicts, and the rest that tends to come with it.

Owen
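As an added illustration of the point Owen makes under #5 (example code written for this page, not anything posted in the thread), here is a minimal model of the forwarding decision a stateful-inspection firewall makes, run once with real addresses on both sides and once as a NAT box; the hosts and ports are constructed values from documentation and private ranges.

```python
# Added example (not from the thread): a minimal model of the forwarding
# decision a stateful-inspection firewall makes, run with real addresses on
# both sides and again as a NAT box. All hosts/ports are constructed values.

class StatefulForwarder:
    """Remembers outbound flows; admits inbound packets only if they match one."""

    def __init__(self, nat_public_ip=None):
        self.nat_public_ip = nat_public_ip  # None: route unchanged; str: masquerade behind it
        # (outside_ip, outside_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.flows = {}
        self.next_nat_port = 40000

    def outbound(self, src, sport, dst, dport):
        """Inside host opens a flow; returns the (ip, port) the remote host will see."""
        if self.nat_public_ip is None:
            outside = (src, sport)               # real address on both sides
        else:
            outside = (self.nat_public_ip, self.next_nat_port)
            self.next_nat_port += 1
        self.flows[outside + (dst, dport)] = (src, sport)
        return outside

    def inbound(self, src, sport, dst, dport):
        """Packet from the Internet; returns inside (ip, port) to deliver to, or None (dropped)."""
        return self.flows.get((dst, dport, src, sport))


def compare_policies():
    """Push identical traffic through both modes and report the verdicts per mode."""
    results = {}
    for mode, fw, inside in (("routed", StatefulForwarder(), "192.0.2.10"),
                             ("nat", StatefulForwarder("198.51.100.1"), "10.0.0.10")):
        # inside host resolves a name, then fetches a web page
        dns_out = fw.outbound(inside, 5353, "203.0.113.53", 53)
        http_out = fw.outbound(inside, 44123, "203.0.113.80", 80)
        # replies are addressed to whatever the remote side saw
        dns_reply = fw.inbound("203.0.113.53", 53, *dns_out)
        http_reply = fw.inbound("203.0.113.80", 80, *http_out)
        # unsolicited inbound probes at the SMB and NetBIOS name service ports
        target = fw.nat_public_ip or inside
        smb_probe = fw.inbound("203.0.113.66", 51000, target, 445)
        nb_probe = fw.inbound("203.0.113.66", 51001, target, 137)
        results[mode] = {
            "dns_reply_delivered": dns_reply == (inside, 5353),
            "http_reply_delivered": http_reply == (inside, 44123),
            "smb_probe_dropped": smb_probe is None,
            "netbios_probe_dropped": nb_probe is None,
        }
    return results
```

Both modes produce identical verdicts: the protection comes from the flow table, and address rewriting adds nothing to it.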





Re: Security gain from NAT: Top 5

2007-06-06 Thread Matthew Palmer

On Wed, Jun 06, 2007 at 08:49:21PM -0700, Roger Marquis wrote:
> Problem is that NAT will not go away or even become less common in
> IPv6 networks for a number of reasons.
> 
>   #1 NAT advantage: it protects consumers from vendor
>   lock-in.
> 
> Consider the advantage of globally unique public addressing to ISPs
> and telcos.  Without NAT they have a very effective vendor lock-in.
> Want to change ISPs?  It's only as easy as reconfiguring every device
> and/or DHCP server on your internal network.  With NAT you only need
> to reconfigure a single device, sometimes not even that.

Isn't this the problem that router advertisements are meant to solve?  Do
you have operational experience which suggests that they aren't a sufficient
solution?

>   #2  NAT advantage: it protects consumers from add-on
>   fees for address space.
> 
> Given the 100 to 10,000% mark-ups many telcos and ISPs already charge
> for more than a /29 it should come as no surprise they would be
> opposed to NAT.

I was under the impression that each end-user of an IPv6 ISP got a /64
assigned to them when they connected.

>   #3  NAT advantage: it prevents upstreams from limiting
>   consumers' internal address space.
> 
> Even after full implementation of IPv6 the trend of technology will
> continue to require more address space.  Businesses will continue to
> grow and households will continue to acquire new IP-enabled devices.
> Without NAT consumers will be forced to request new netblocks from
> their upstream, often resulting in non-contiguous networks. Not
> surprisingly, often incurring additional fees as well.

By my calculations, the /64 of address space given to each connection will
provide about 18446744073709551616 addresses.  Is that an insufficient
quantity for the average user of an ISP?

>   #4  NAT advantage: it requires new protocols to adhere to
>   the ISO seven layer model.
> 
> H.323, SIP and other badly designed protocols imbed the local address
> in the data portion of IP packets.  This trend is somewhat discouraged
> by the layer-isolation requirements of NAT.

NAT doesn't seem to have stopped the designers of these protocols from
actually deploying their designs, though.

>   #5  NAT advantage: it does not require replacement security
>   measures to protect against netscans, portscans, broadcasts
>   (particularly microsoft's netbios), and other malicious
>   inbound traffic.
> 
> The vendors of non-NAT devices would love to have you believe that
> their stateful inspection and filtering is a good substitute for the
> inspection and filtering required by NAT devices. Problem is the
> non-NAT devices all cost more, many are less secure in their default
> configurations, and the larger rulesets they are almost always
> configured with are less secure than the equivalent NAT device.

Haven't we already had this thread killed by the mailing list team today?

- Matt

-- 
If only more employers realized that people join companies, but leave
bosses. A boss should be an insulator, not a conductor or an amplifier.
-- Geoff Kinnel, in the Monastery


Re: Security gain from NAT: Top 5

2007-06-06 Thread Roger Marquis


Mark Smith wrote:

> For all those people who think IPv4 NAT is quite fine, I
> challenge them to submit RFCs to the IETF that resolve, without
> creating worse or more even more complicated problems, the list
> of problems here. All the IPv6 RFCs do ...



These RFCs clearly have an agenda: selling IPv6.  It is unfortunate
they don't feel it necessary to make a balanced presentation of the
pros and cons but instead appear to believe that spreading FUD about
NAT is an effective method of promoting IPv6.

Problem is that NAT will not go away or even become less common in
IPv6 networks for a number of reasons.

  #1 NAT advantage: it protects consumers from vendor
  lock-in.

Consider the advantage of globally unique public addressing to ISPs
and telcos.  Without NAT they have a very effective vendor lock-in.
Want to change ISPs?  It's only as easy as reconfiguring every device
and/or DHCP server on your internal network.  With NAT you only need
to reconfigure a single device, sometimes not even that.

  #2  NAT advantage: it protects consumers from add-on
  fees for address space.

Given the 100 to 10,000% mark-ups many telcos and ISPs already charge
for more than a /29 it should come as no surprise they would be
opposed to NAT.

  #3  NAT advantage: it prevents upstreams from limiting
  consumers' internal address space.

Even after full implementation of IPv6 the trend of technology will
continue to require more address space.  Businesses will continue to
grow and households will continue to acquire new IP-enabled devices.
Without NAT consumers will be forced to request new netblocks from
their upstream, often resulting in non-contiguous networks. Not
surprisingly, often incurring additional fees as well.

Follow the money and you'll end up with these three reasons why the
technical arguments being made against NAT in opinion pieces like
Keith Moore's (URL above) are so one sided and overtly biased.  But
there are still more reasons NAT will continue to increase in
popularity regardless of IPv6.

  #4  NAT advantage: it requires new protocols to adhere to
  the ISO seven layer model.

H.323, SIP and other badly designed protocols imbed the local address
in the data portion of IP packets.  This trend is somewhat discouraged
by the layer-isolation requirements of NAT.

  #5  NAT advantage: it does not require replacement security
  measures to protect against netscans, portscans, broadcasts
  (particularly microsoft's netbios), and other malicious
  inbound traffic.

The vendors of non-NAT devices would love to have you believe that
their stateful inspection and filtering is a good substitute for the
inspection and filtering required by NAT devices. Problem is the
non-NAT devices all cost more, many are less secure in their default
configurations, and the larger rulesets they are almost always
configured with are less secure than the equivalent NAT device.

These are just some of the reasons why NAT is, and will continue to
be, an increasingly popular technology for much more than address
conservation.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/