[111561] in North American Network Operators' Group


Re: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space

daemon@ATHENA.MIT.EDU (Stephen Sprunk)
Sat Feb 7 14:32:02 2009

Date: Sat, 07 Feb 2009 13:31:57 -0600
From: Stephen Sprunk <stephen@sprunk.org>
To: Matthew Moyle-Croft <mmc@internode.com.au>
In-Reply-To: <498CFACA.1030101@internode.com.au>
Cc: Roger Marquis <marquis@roble.com>,
	north American Noise and Off-topic Gripes <nanog@merit.edu>
Errors-To: nanog-bounces@nanog.org


Matthew Moyle-Croft wrote:
> Stephen Sprunk wrote:
>> You must be very sheltered.  Most end users, even "security" folks at 
>> major corporations, think a NAT box is a firewall and disabling NAT 
>> is inherently less secure.  Part of that is factual: NAT (er, dynamic 
>> PAT) devices are inherently fail-closed because of their design, 
>> while a firewall might fail open.  Also, NAT prevents some 
>> information leakage by hiding the internal details of the site's 
>> network, and many folks place a high value on "security" through 
>> obscurity.  This is understandable, since the real threats -- 
>> uneducated users and flawed software -- are ones they have no power 
>> to fix.
> It's also worth pointing out that CPE for DSL often has really poor 
> stateful firewall code.  So often turning it off means fewer issues for 
> home users.

I assume you're referring to ALG code?  Indeed, I've found that turning 
off ALGs in NAT/FW boxes fixes a lot of problems, because every vendor's 
seem to be broken in a different way.  I deal mainly with SIP these 
days, and the first step in any sort of firewall-related troubleshooting 
is to turn _off_ any SIP ALG functionality in the CPE because 90% of the 
time, that's what's breaking things; the end devices can deal with NAT as 
long as there's nobody in the middle mangling their packets.  Ideally, 
ALGs would fix up the packets such that the endpoints didn't need to be 
NAT-aware, but they're all (and I mean all, not most) so hideously 
broken that they make things worse, not better.  They can't get even 
simple, fossilized protocols like active FTP working most of the time; 
there's no way they'll do better with newer, more complicated ones like 
SIP or the dizzying array of P2P and IM protocols.

> At least NAT gives some semblance of protection.  IPv6 without NAT 
> might be awesome to some, but the reality is CPE is built to a price 
> and decent firewall code is thin on the ground.  I'm not hopeful of it 
> getting better when IPv6 starts to become mainstream.

Non-NAT firewalls do have some appeal, because they don't need to mangle 
the packets, just passively observe them and open pinholes when 
appropriate.  However, to be safe the endpoints cannot assume any 
firewalls in the path are going to work properly, and the absence of NAT 
makes it tougher for endpoints to detect firewalls' presence and react 
as needed...

> (In case it's not clear - I'm not talking about enterprise stuff - I'm 
> talking about CPE for domestic DSL/Cable users - please don't tell me 
> all about how cool NetScreen/PIX/ASA/<insert favourite fw> is for 
> enterprise).

I've found the "enterprise" NAT/FW gear to be worse: they attempt to 
implement more ALGs, but they do no better a job at implementing them 
than the less-ambitious consumer vendors, so more things break.

S

-- 
Stephen Sprunk         "God does not play dice."  --Albert Einstein
CCIE #3723         "God is an inveterate gambler, and He throws the
K5SSS        dice at every possible opportunity." --Stephen Hawking
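As an added illustration that is not part of the thread: the check a SIP endpoint can run on the Via header echoed in a response, using the RFC 3581 received/rport parameters, to tell plain NAT (which the endpoint can cope with) from a middlebox that rewrote its packet (the SIP ALG symptom described above). The sample headers are constructed, and treating a changed sent-by address as in-path mangling is this example's assumption.

```python
import re

# Top Via line: transport, host, optional port, then ;name=value parameters.
# Assumes IPv4 or hostname sent-by; bracketed IPv6 literals are not handled.
VIA_RE = re.compile(
    r"^Via:\s*SIP/2\.0/(?P<transport>\w+)\s+(?P<host>[^;:\s]+)"
    r"(?::(?P<port>\d+))?(?P<params>(?:;[^;\s]+)*)",
    re.IGNORECASE,
)


def parse_via(line):
    """Return {'host', 'port', 'params'} for one Via header line."""
    m = VIA_RE.match(line.strip())
    if not m:
        raise ValueError("not a Via header: %r" % line)
    params = {}
    for p in m.group("params").split(";"):
        if p:
            key, _, value = p.partition("=")
            params[key.lower()] = value  # bare ';rport' yields an empty value
    return {"host": m.group("host"), "port": int(m.group("port") or 5060), "params": params}


def classify_path(sent_via, echoed_via):
    """Compare the Via we sent with the copy echoed in the response.

    Returns (verdict, public_host, public_port) where verdict is:
      'direct'  - server saw the same address we used; no NAT in the path
      'nat'     - server reports a different source via received/rport;
                  a NAT-aware endpoint can use that address (RFC 3581)
      'mangled' - our own sent-by came back rewritten: something in the
                  path edited the packet, the classic SIP ALG symptom,
                  and the first troubleshooting step is to disable that ALG
    """
    sent, echoed = parse_via(sent_via), parse_via(echoed_via)
    if (echoed["host"], echoed["port"]) != (sent["host"], sent["port"]):
        return "mangled", echoed["host"], echoed["port"]
    received = echoed["params"].get("received")
    rport = echoed["params"].get("rport")
    port = int(rport) if rport else sent["port"]
    if (received and received != sent["host"]) or port != sent["port"]:
        return "nat", received or sent["host"], port
    return "direct", sent["host"], sent["port"]


# Constructed sample: private endpoint 10.0.0.5 behind a NAT with public 203.0.113.7.
SENT = "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776;rport"
ECHO_NAT = "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776;rport=40123;received=203.0.113.7"
ECHO_ALG = "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK776;rport=5060;received=203.0.113.7"
ECHO_DIRECT = "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776;rport=5060;received=10.0.0.5"
```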

