[125672] in North American Network Operators' Group


Re: Rate of growth on IPv6 not fast enough?

daemon@ATHENA.MIT.EDU (Mark Andrews)
Wed Apr 21 00:52:22 2010

To: Owen DeLong <owen@delong.com>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Tue, 20 Apr 2010 21:27:14 MST."
	<FB17BC57-FAB3-45E1-886A-664A0FD42C9E@delong.com> 
Date: Wed, 21 Apr 2010 14:51:37 +1000
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


In message <FB17BC57-FAB3-45E1-886A-664A0FD42C9E@delong.com>, Owen DeLong writes:
> 
> On Apr 20, 2010, at 6:34 PM, Karl Auer wrote:
> 
> > On Tue, 2010-04-20 at 12:59 -0700, Owen DeLong wrote:
> >> On Apr 20, 2010, at 12:31 PM, Roger Marquis wrote:
> >>> NAT _always_ fails-closed
> >> Stateful Inspection can be implemented fail-closed.
> > 
> > Not to take issue with either statement in particular, but I think there
> > needs to be some consideration of what "fail" means.
> > 
> I believe we are talking about the case where some engineer fat-fingers
> a change and Roger's claim is that a stateful inspection without NAT
> box will permit unintended traffic while a NAT box will not.
> 
> My claim is that the stateful inspection box can be implemented such
> that it has an equally secure set of failure modes for fat-fingering to
> a NAT+stateful inspection device.

Especially when the NAT/Router has an enable/disable NAT checkbox.

> > Reading through the security alerts from any vendor is a pretty sobering
> > process - stuff fails open more often than you might expect.
> > 
> Yep.
> 
> > So I think we should be very cautious about saying that things "fail
> > open" or "fail closed".
> > 
> My point is not that they do or do not fail closed, but that a well designed
> SI firewall will fail with the exact same security risks as a NAT device.
> 
> > We should be especially cautious about it when the functionality we are
> > interested in is really no more than a happy side effect of some other
> > functionality. NAT's "security", to the extent that it exists at all, is
> > a side effect of what it is intended to do, which is translate and map
> > addresses.
> > 
> IOW, all of NAT's security comes from the fact that it requires a state
> table, like stateful inspection.
> 
> Owen
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

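An added toy model of the two devices the thread compares (example code, not from any poster): both admit an inbound packet only when an entry created by inside-originated traffic exists, so an unsolicited probe is dropped by either; a fat-fingered change (a stray "permit any" rule on the SI box, or the NAT checkbox Mark mentions being switched off) opens both the same way. Addresses, ports and the two fat-finger knobs are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Stateful inspection without NAT: default-deny inbound, allow replies to inside-opened flows."""

    def __init__(self):
        self.flows = set()        # (inside, iport, remote, rport) opened from inside
        self.permit_any = False   # constructed fat-finger: a stray "permit any" rule

    def outbound(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))

    def inbound(self, p):
        return self.permit_any or (p.dst, p.dport, p.src, p.sport) in self.flows


class NatRouter:
    """Port-translating NAT: inside 10.0.0.0/24 behind public 203.0.113.1 (constructed)."""

    def __init__(self):
        self.nat_enabled = True   # the "enable/disable NAT" checkbox
        self.mappings = {}        # (public_port, remote, rport) -> (inside, iport)
        self.next_port = 40000

    def outbound(self, p):
        self.mappings[(self.next_port, p.dst, p.dport)] = (p.src, p.sport)
        self.next_port += 1

    def inbound(self, p):
        if not self.nat_enabled:
            return True           # plain router now: forwarded untranslated, no state check
        return (p.dport, p.src, p.sport) in self.mappings


def compare(fat_finger=False):
    """Return {'fw': (reply_allowed, probe_allowed), 'nat': (reply_allowed, probe_allowed)}."""
    fw, nat = StatefulFirewall(), NatRouter()
    out = Packet("10.0.0.5", 5000, "192.0.2.10", 80)   # inside host opens a flow
    fw.outbound(out)
    nat.outbound(out)
    if fat_finger:
        fw.permit_any = True       # mis-typed rule on the SI box
        nat.nat_enabled = False    # NAT checkbox switched off
    reply_fw = Packet("192.0.2.10", 80, "10.0.0.5", 5000)
    reply_nat = Packet("192.0.2.10", 80, "203.0.113.1", 40000)
    probe_fw = Packet("198.51.100.7", 4444, "10.0.0.5", 22)     # unsolicited inbound
    probe_nat = Packet("198.51.100.7", 4444, "203.0.113.1", 22)
    return {"fw": (fw.inbound(reply_fw), fw.inbound(probe_fw)),
            "nat": (nat.inbound(reply_nat), nat.inbound(probe_nat))}
```

With `compare()` both devices return `(True, False)`: the reply is allowed and the probe is dropped; with `compare(fat_finger=True)` both return `(True, True)`, the identical fail-open outcome Owen describes.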
