[125637] in North American Network Operators' Group
Re: Rate of growth on IPv6 not fast enough?
daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Apr 20 16:07:45 2010
From: Owen DeLong <owen@delong.com>
In-Reply-To: <20100420193147.C69612B2128@mx5.roble.com>
Date: Tue, 20 Apr 2010 12:59:32 -0700
To: Roger Marquis <marquis@roble.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Apr 20, 2010, at 12:31 PM, Roger Marquis wrote:
> Jack Bates wrote:
>> .01%? heh. NAT can break xbox, ps3, certain pc games, screw with =
various
>> programs that dislike multiple connections from a single IP, and the
>> crap load of vpn clients that appear on the network and do not =
support
>> nat traversal (either doesn't support it, or big corp A refuses to
>> enable it).
>=20
> If this were really an issue I'd expect my nieces and nephews, all of =
whom are big
> game players, would have mentioned it. They haven't though, despite =
being behind
> cheap NATing CPE from D-Link and Netgear.
>=20
> Address conservation aside, the main selling point of NAT is its =
filtering of inbound
> session requests. NAT _always_ fails-closed by forcing inbound =
connections to pass
> validation by stateful inspection. Without this you'd have to depend =
on less
Repeating the same falsehood does not make it any less false.
> reliable (fail-open) mechanisms and streams could be initiated from =
the Internet at
> large. In theory you could enforce fail-closed reliably without NAT, =
but the rules
Stateful Inspection can be implemented fail-closed. I point to Juniper =
ScreenOS
and Services JunOS as examples of this. Absent a specific permit or =
specific
configuration telling it to pass particular traffic inbound, traffic =
must pass the same
stateful inspection that NAT would require. This is default behavior in =
those boxes.
The rules are not complex at all.
> would have to be more complex and complexity is the enemy of security. =
Worse, if
> non-NATed CPE didn't do adequate session validation, inspection, and =
tracking, as
Again, you simply are not correct here. I'm not sure what level of =
implementation is
available in low-end gear as it hasn't met my needs in a long long time. =
However,
I will say that although an SRX-100 is not especially low-end at 10x =
absolute low
end pricing and 5x average home gateway pricing, it is low-enough end =
that I
know this can be done in reasonable gear.
> low-end gear might be expected to cut corners on, end-user networks =
would be more
> exposed to nefarious outside-initiated streams.
>=20
Frankly, even with NAT, corner-cutting in those areas can lead to things =
passing which
you don't expect.
> Arguments against NAT uniformly fail to give credit to these security =
considerations,
Because they are false. It's not that they fail to give credit to them. =
It's that they know
them to be false. It's like saying that discussions of breathing gas =
fail to give credit
to the respiratory effects of the trace amounts of argon present in the =
atmosphere.
> which is a large reason the market has not taken IPv6 seriously =
to-date. Even in big
> business, CISOs are able to shoot-down netops recommendations for 1:1 =
address mapping
> with ease (not that vocal NAT opponents get jobs where internal =
security is a
> concern).
>=20
While I recognize that there is a group of people who religiously =
believe that NAT
has a security benefit, I don't think the represent a significant =
fraction of the reasons
IPv6 is not getting deployed. Frankly, many of them have more IPv6 =
deployed than
they realize and their NAT is not protecting them from it at all. It may =
even be helping
some of the nefarious traffic that may be taking advantage of the =
current situation
to remain safely anonymized and invisible.
Owen
