On Mon, Feb 19, 2024 at 6:02 AM Howard, Lee
wrote:
> Most NATs I've seen in the last 10-15 years are "full cone" NATs: they are
> configured so that once there is an
> outbound flow, and inbound datagram to that address+port will be forwarded to
> the inside address, regardless
> of source.
Hi
On Mon, Feb 19, 2024 at 5:29 AM Howard, Lee via NANOG wrote:
> In the U.S., the largest operators without IPv6 are (in order by size):
> Lumen (CenturyLink)
CenturyLink has IPv6 using 6rd. It works fine.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
Bottom-posted with old school formatting by hand.
-Original Message-
From: NANOG On Behalf
Of William Herrin
Sent: Friday, February 16, 2024 8:05 PM
To: Michael Thomas
Cc: nanog@nanog.org
Subject: Re: IPv6 uptake (was: The Reg does 240/4)
> On the firewall, I program it to do
To: nanog@nanog.org
Subject: Re: IPv6 uptake (was: The Reg does 240/4)
[You don't often get email from m...@mtcc.com. Learn why this is important at
https://aka.ms/LearnAboutSenderIdentification ]
This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with links
and attachments
On Sun, 18 Feb 2024, 05:29 Owen DeLong via NANOG, wrote:
> Most firewalls are default deny. Routers are default allow unless you put
> a filter on the interface.
>
This is not relevant though. NAT when doing port overloading, as is the
case for most CPE, is not default-deny or default-allow.
On 2/18/24 8:47 AM, Greg Skinner via NANOG wrote:
On Feb 17, 2024, at 11:27 AM, William Herrin wrote:
On Sat, Feb 17, 2024 at 10:34?AM Michael Thomas wrote:
Funny, I don't recall Bellovin and Cheswick's Firewall book discussing
NAT.
And mine too, since I hadn't heard of "Firewalls and
On 2/17/24 11:27 AM, William Herrin wrote:
On Sat, Feb 17, 2024 at 10:34 AM Michael Thomas wrote:
I didn't hear about NAT until the
late 90's, iirc. I've definitely not heard of Gauntlet.
Then there are gaps in your knowledge.
Funny, I don't recall Bellovin and Cheswick's Firewall book
On Feb 17, 2024, at 11:27 AM, William Herrin wrote:
>
> On Sat, Feb 17, 2024 at 10:34?AM Michael Thomas wrote:
>
>> Funny, I don't recall Bellovin and Cheswick's Firewall book discussing
>> NAT.
>
> And mine too, since I hadn't heard of "Firewalls and Internet
> Security: Repelling the Wily
Concerning the firewall book.
Firewalls and Internet Security, Second Edition
PDF online at
https://www.wilyhacker.com/fw2e.pdf
"Some people think that NAT boxes are a form of
firewall. In some sense, they are, but they're low-end ones."
On 17/02/2024, 19:27:20, "William Herrin" wrote:
So it does not surprise me that a 1994 book on network security would
not have discussed NAT. They'd have referred to the comparable
contemporary technology, which was "transparent application layer
gateways." Those behaved like what we now call
On Sat, Feb 17, 2024 at 10:34 AM Michael Thomas wrote:
> I didn't hear about NAT until the
> late 90's, iirc. I've definitely not heard of Gauntlet.
Then there are gaps in your knowledge.
> Funny, I don't recall Bellovin and Cheswick's Firewall book discussing
> NAT.
And mine too, since I
On Sat, Feb 17, 2024 at 10:22 AM Justin Streiner wrote:
> Getting back to the recently revised topic of this thread - IPv6
> uptake - what have peoples' experiences been related to
> crafting sane v6 firewall rulesets in recent products from the
> major firewall players (Palo Alto, Cisco,
I can’t speak to Cisco as I don’t have recent experience there. Juniper, Linux, Palo Alto, and most others I’ve dealt with in the last 5 years pose no significant difference in writing policy for IPv6 vs. the process for IPv4. OwenOn Feb 17, 2024, at 10:23, Justin Streiner wrote:We went pretty
> Think of it like this: you have a guard, you have a fence and you have
> barbed wire on top of the fence. Can you secure the place without the
> barbed wire? Of course. Can an intruder defeat the barbed wire? Of
> course. Is it more secure -with- the barbed wire? Obviously.
>
NAT is like the
Bill, same scenario, but instead of fat fingering an outbound rule, you fat
finger a port map for inbound connections to a different host and get the
destination address wrong.
Still hacked.
NAT doesn’t prevent fat fingers from getting you hacked, it just changes the
nature of the required
On 2/16/24 6:33 PM, William Herrin wrote:
On Fri, Feb 16, 2024 at 6:10 PM Ryan Hamel wrote:
Depending on where that rule is placed within your ACL, yes that can happen
with *ANY* address family.
Hi Ryan,
Correct. The examples illustrated a difference between a firewall
implementing
Most firewalls are default deny. Routers are default allow unless you put a
filter on the interface.
NAT adds nothing to security (Bill and I agree to disagree on this), but at
best, it complicates the audit trail.
Owen
> On Feb 16, 2024, at 15:19, Jay R. Ashworth wrote:
>
> -
> On Feb 16, 2024, at 14:20, Jay R. Ashworth wrote:
>
> - Original Message -
>> From: "Justin Streiner"
>
>> 4. Getting people to unlearn the "NAT=Security" mindset that we were forced
>> to accept in the v4 world.
>
> NAT doesn't "equal" security.
>
> But it is certainly a
On Sat, Feb 17, 2024 at 10:03 AM Michael Thomas wrote:
> On 2/16/24 5:37 PM, William Herrin wrote:
> > What is there to address? I already said that NAT's security
> > enhancement comes into play when a -mistake- is made with the network
> > configuration. You want me to say it again? Okay, I've
We went pretty deep into the weeds on NAT in this thread - far deeper than
I expected ;)
Getting back to the recently revised topic of this thread - IPv6 uptake -
what have peoples' experiences been related to crafting sane v6 firewall
rulesets in recent products from the major firewall players
On 2/16/24 5:37 PM, William Herrin wrote:
On Fri, Feb 16, 2024 at 5:33 PM Michael Thomas wrote:
So you're not going to address that this is a management plain problem.
Hi Mike,
What is there to address? I already said that NAT's security
enhancement comes into play when a -mistake- is made
>
> Any given layer of security can be breached with expense and effort.
> Breaching every layer of security at the same time is more challenging
> than breaching any particular one of them. The use of NAT adds a layer
> of security to the system that is not otherwise there.
>
>
> Think of it like
4 8:03 PM
To: John R. Levine
Cc: nanog@nanog.org
Subject: Re: IPv6 uptake (was: The Reg does 240/4)
Caution: This is an external email and may be malicious. Please take care when
clicking links or opening attachments.
On Fri, Feb 16, 2024 at 7:41 PM John R. Levine wrote:
> > That it's
On Fri, Feb 16, 2024 at 7:41 PM John R. Levine wrote:
> > That it's possible to implement network security well without using
> > NAT does not contradict the claim that NAT enhances network security.
>
> I think we're each overgeneralizing from our individual expeience.
>
> You can configure a V6
That it's possible to implement network security well without using
NAT does not contradict the claim that NAT enhances network security.
I think we're each overgeneralizing from our individual expeience.
You can configure a V6 firewall to be default closed as easily as you can
configure a
On Fri, Feb 16, 2024 at 7:10 PM John Levine wrote:
> If you configure your firewall wrong, bad things will happen. I have both
> IPv6 and NAT IPv4 on my network here and I haven't found it particularly
> hard to get the config correct for IPv6.
Hi John,
That it's possible to implement network
It appears that William Herrin said:
>Now suppose I have a firewall at 199.33.225.1 with an internal network
>of 192.168.55.0/24. Inside the network on 192.168.55.4 I have a switch
>that accepts telnet connections with a user/password of admin/admin.
>On the firewall, I program it to do NAT
On Fri, Feb 16, 2024 at 6:10 PM Ryan Hamel wrote:
> Depending on where that rule is placed within your ACL, yes that can happen
> with *ANY* address family.
Hi Ryan,
Correct. The examples illustrated a difference between a firewall
implementing address-overloaded NAT and a firewall
24 5:44 PM
To: William Herrin
Cc: nanog@nanog.org
Subject: Re: IPv6 uptake (was: The Reg does 240/4)
Caution: This is an external email and may be malicious. Please take care when
clicking links or opening attachments.
Why is your Internal v6 subnet advertised to the Internet?
> On Feb 16, 202
On Fri, Feb 16, 2024 at 5:45 PM wrote:
> Why is your Internal v6 subnet advertised to the Internet?
Because that was the example network -without- NAT. If I made two
networks -with- NAT, there would be no difference to show.
I make 2602:815:6000::/44 be 199.33.224.0/23, make 2602:815:6001::/64
Why is your Internal v6 subnet advertised to the Internet?
> On Feb 16, 2024, at 8:08 PM, William Herrin wrote:
>
> On Fri, Feb 16, 2024 at 3:13 PM Michael Thomas wrote:
>> If you know which subnets need to be NAT'd don't you also know which
>> ones shouldn't exposed to incoming connections
On Fri, Feb 16, 2024 at 5:33 PM Michael Thomas wrote:
> So you're not going to address that this is a management plain problem.
Hi Mike,
What is there to address? I already said that NAT's security
enhancement comes into play when a -mistake- is made with the network
configuration. You want me
On 2/16/24 5:30 PM, William Herrin wrote:
On Fri, Feb 16, 2024 at 5:22 PM Michael Thomas wrote:
On 2/16/24 5:05 PM, William Herrin wrote:
Now, I make a mistake on my firewall. I insert a rule intended to
allow packets outbound from 2602:815:6001::4 but I fat-finger it and
so it allows them
On Fri, Feb 16, 2024 at 5:22 PM Michael Thomas wrote:
> On 2/16/24 5:05 PM, William Herrin wrote:
> > Now, I make a mistake on my firewall. I insert a rule intended to
> > allow packets outbound from 2602:815:6001::4 but I fat-finger it and
> > so it allows them inbound to that address instead.
On 2/16/24 5:05 PM, William Herrin wrote:
On Fri, Feb 16, 2024 at 3:13 PM Michael Thomas wrote:
If you know which subnets need to be NAT'd don't you also know which
ones shouldn't exposed to incoming connections (or conversely, which
should be permitted)? It seems to me that all you're doing
On Fri, Feb 16, 2024 at 3:13 PM Michael Thomas wrote:
> If you know which subnets need to be NAT'd don't you also know which
> ones shouldn't exposed to incoming connections (or conversely, which
> should be permitted)? It seems to me that all you're doing is moving
> around where that knowledge
> a lot of folks
> making statements about network security on this list don't appear to
> grasp it.
If your network is secure, it isn’t even possible to “accidentally” open
inbound ports in the first place. You either allow it to happen or you don’t
via security policy, anything else means
- Original Message -
> From: "William Herrin"
> On Fri, Feb 16, 2024 at 2:19 PM Jay R. Ashworth wrote:
>> > From: "Justin Streiner"
>> > 4. Getting people to unlearn the "NAT=Security" mindset that we were forced
>> > to accept in the v4 world.
>>
>> NAT doesn't "equal" security.
>>
>>
On 2/16/24 3:01 PM, William Herrin wrote:
On Fri, Feb 16, 2024 at 2:19 PM Jay R. Ashworth wrote:
From: "Justin Streiner"
4. Getting people to unlearn the "NAT=Security" mindset that we were forced
to accept in the v4 world.
NAT doesn't "equal" security.
But it is certainly a *component*
On Fri, Feb 16, 2024 at 2:19 PM Jay R. Ashworth wrote:
> > From: "Justin Streiner"
> > 4. Getting people to unlearn the "NAT=Security" mindset that we were forced
> > to accept in the v4 world.
>
> NAT doesn't "equal" security.
>
> But it is certainly a *component* of security, placing control
- Original Message -
> From: "Justin Streiner"
> 4. Getting people to unlearn the "NAT=Security" mindset that we were forced
> to accept in the v4 world.
NAT doesn't "equal" security.
But it is certainly a *component* of security, placing control of what internal
nodes are accessible
On 2/15/24 9:40 PM, Justin Streiner wrote:
The Internet edge and core portion of deploying IPv6 - dual-stack or
otherwise - is fairly easy. I led efforts to do this at a large .edu
starting in 2010/11. The biggest hurdles are/were/might still be:
1. Coming up with a good address plan that will
The Internet edge and core portion of deploying IPv6 - dual-stack or
otherwise - is fairly easy. I led efforts to do this at a large .edu
starting in 2010/11. The biggest hurdles are/were/might still be:
1. Coming up with a good address plan that will do what you want and scale
as needed. It
It appears that Stephen Satchell said:
>Several people in NANOG have opined that there are a number of mail
>servers on the Internet operating with IPv6 addresses. OK. I have a
>mail server, which has been on the Internet for decades. On IPv4.
>
>For the last four years, every attempt to get
Well all that shows is that your ISP is obstructionist. If they can can enter
a PTR record or delegate the reverse range to you for your IPv4 server they can
do it for your IPv6 addresses. In most cases it is actually easier as address
space is assigned on nibble boundaries (/48, /52, /56,
45 matches
Mail list logo
