[135050] in North American Network Operators' Group
Re: Is NAT can provide some kind of protection?
daemon@ATHENA.MIT.EDU (Owen DeLong)
Sat Jan 15 17:07:00 2011
From: Owen DeLong <owen@delong.com>
In-Reply-To: <20EB8EFD-44A4-49D2-9B3A-C55D133BFF21@smtps.net>
Date: Sat, 15 Jan 2011 14:01:46 -0800
To: Brian Keefer <chort@smtps.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 15, 2011, at 1:16 PM, Brian Keefer wrote:
> On Jan 12, 2011, at 9:21 AM, George Bonser wrote:
>
>>>
>>> I'd eat a hat if a vendor didn't implement a PAT equivalent. It's
>>> demanded too much. There is money for it, so it will be there.
>>>
>>>
>>> Jack
>>
>> Yeah, I think you are right. But in really thinking about it, I wonder
>> why. The whole point of PAT was address conservation. You don't need
>> that with v6. All you need to do with v6 is basically have what amounts
>> to a firewall in transparent mode in the line that doesn't let a packet
>> in (except where explicitly configured to) unless it is associated with a
>> packet that went out.
>>
>> PAT makes little sense to me for v6, but I suspect you are correct. In
>> addition, we are putting the "fire suit" on each host in addition to the
>> firewall. Kernel firewall rules on each host for the *nix boxen.
>
> Actually there are a couple of very compelling reasons why PAT will probably be implemented for IPv6:
> 1.) Allows you to redirect a privileged port (on UNIX) to a non-privileged port. For daemons that don't implement some form of privilege revoking after binding to a low port (and/or aren't allowed to run as root), this is very useful. It's much easier to have a firewall redirect than to implement robust privilege revoking. Example: PAT 25/tcp -> 2525/tcp.
>
>=20
Actually, that's just port rewriting, which is mostly harmless. PAT refers, instead, to a stateful translation, which is most definitely not harmless.
> 2.) Allows you to redirect multiple ports to a single one, to support legacy implementations. Suppose your application used to require separate ports for different types of requests, but now is able to multiplex them. The new daemon only listens on one port, but other applications may not have updated their configuration. Example: PAT 4443/tcp -> 443/tcp & PAT 8443/tcp -> 443/tcp.
>
That's a pretty ugly situation, but it would require a stateful mechanism to address it. I think it is much cleaner to have the daemon listen on the multiple ports.
> Basically the idea is that implementing PAT for IPv6 allows smoother transition for apps that made use of it in IPv4, thus accelerating the adoption of IPv6.
>
I think the lack of IPv4 resources will soon serve as sufficient acceleration of IPv6 adoption.
Owen
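As an added illustration that is not part of this thread, the following nftables ruleset shows the two things being distinguished above on one Linux host: the stateful "only what went out may come back" IPv6 filter George describes, with no address translation at all, and Brian's two port-rewriting cases (25 -> 2525 and 4443/8443 -> 443). It assumes a Linux kernel with nftables and IPv6 NAT support; the port numbers are the ones quoted in the thread.

```nft
# Added example (not from the thread). Assumes Linux + nftables with
# IPv6 NAT support; port numbers come from the thread's examples.

# 1. George's point: an IPv6 "firewall in transparent mode" that only admits
#    inbound packets belonging to a flow the host itself started, plus the
#    few exceptions you explicitly configure. No address translation here.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # IPv6 depends on ICMPv6 for neighbor discovery and path MTU
        # discovery; blocking it wholesale breaks connectivity, it does
        # not secure anything.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert, echo-request, packet-too-big,
                      destination-unreachable, time-exceeded,
                      parameter-problem } accept

        # Explicitly configured services: the unprivileged port the daemon
        # really binds (see the redirect below) and the multiplexed port.
        tcp dport { 2525, 443 } accept
    }
}

# 2. Brian's two cases, done as port rewriting on the same host rather than
#    as address translation: 25 -> 2525 (the daemon never needs root to bind)
#    and 4443/8443 -> 443 (legacy clients still reach the single new port).
table ip6 nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        tcp dport 25 redirect to :2525
        tcp dport { 4443, 8443 } redirect to :443
    }
}
```

One caveat for the Linux case: `redirect` is a form of DNAT and is itself connection-tracked, and the prerouting NAT hook runs before the input filter, so the filter chain sees the rewritten ports (2525 and 443), which is why those, not 25/4443/8443, are the ports accepted in the input chain.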