[125669] in North American Network Operators' Group
Re: Rate of growth on IPv6 not fast enough?
daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Apr 21 00:31:40 2010
From: Owen DeLong <owen@delong.com>
In-Reply-To: <1271813655.6417.431.camel@karl>
Date: Tue, 20 Apr 2010 21:27:14 -0700
To: Karl Auer <kauer@biplane.com.au>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Apr 20, 2010, at 6:34 PM, Karl Auer wrote:
> On Tue, 2010-04-20 at 12:59 -0700, Owen DeLong wrote:
>> On Apr 20, 2010, at 12:31 PM, Roger Marquis wrote:
>>> NAT _always_ fails-closed
>> Stateful Inspection can be implemented fail-closed.
>
> Not to take issue with either statement in particular, but I think there
> needs to be some consideration of what "fail" means.
>
I believe we are talking about the case where some engineer fat-fingers
a change and Roger's claim is that a stateful inspection without NAT
box will permit unintended traffic while a NAT box will not.
My claim is that the stateful inspection box can be implemented such
that it has an equally secure set of failure modes for fat-fingering as
a NAT+stateful inspection device.
>
> Reading through the security alerts from any vendor is a pretty sobering
> process - stuff fails open more often than you might expect.
>
Yep.
> So I think we should be very cautious about saying that things "fail
> open" or "fail closed".
>
My point is not that they do or do not fail closed, but that a well-designed
SI firewall will fail with the exact same security risks as a NAT device.
> We should be especially cautious about it when the functionality we are
> interested in is really no more than a happy side effect of some other
> functionality. NAT's "security", to the extent that it exists at all, is
> a side effect of what it is intended to do, which is translate and map
> addresses.
>
IOW, all of NAT's security comes from the fact that it requires a state
table, like stateful inspection.
Owen
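As an added illustration of the point Owen is making (this ruleset is not part of his or Karl's message and is not taken from the thread): an IPv6 stateful-inspection ruleset with no NAT whose fail-closed behaviour comes entirely from the default-drop policy plus the connection-tracking state table. The weak form differs only in the chain policy. Interface names "eth0" and "lan0", and the admin prefix 2001:db8:1::/64, are placeholders chosen for the example.

```nft
#!/usr/sbin/nft -f
# Illustrative IPv6 stateful-inspection firewall without NAT.
# Security property: unsolicited inbound traffic is dropped unless the
# state table already knows the flow, which is exactly what a NAT box
# relies on. The interface names and the admin prefix are assumptions.

flush ruleset

table ip6 filter {
    chain input {
        # Weak form:  type filter hook input priority 0; policy accept;
        # With "policy accept", a deleted or fat-fingered accept rule
        # fails open. With "policy drop" the same mistake fails closed.
        type filter hook input priority 0; policy drop;

        # Return traffic for flows the state table already contains.
        ct state established,related accept
        ct state invalid drop

        iif "lo" accept

        # IPv6 needs a subset of ICMPv6 to function at all (neighbour
        # discovery, path MTU discovery); allow that subset, not all types.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept

        # Explicit, narrow exceptions only: SSH from a placeholder admin prefix.
        ip6 saddr 2001:db8:1::/64 tcp dport 22 ct state new accept

        # Anything else inbound is dropped by the chain policy, the same
        # outcome an unmapped packet gets at a NAT device.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Outbound "new" flows from the inside network create the state
        # entry that later admits the return traffic.
        iifname "lan0" oifname "eth0" ct state new accept

        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem } accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load with `nft -f <file>` and verify with `nft list ruleset`. The point to check in review is the `policy drop` on the input and forward chains: remove the `ct state established,related accept` line by mistake and the box stops passing return traffic (fails closed), whereas with `policy accept` the same slip would expose every inside host.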