[146530] in North American Network Operators' Group


Re: Arguing against using public IP space

daemon@ATHENA.MIT.EDU (Leigh Porter)
Tue Nov 15 12:14:35 2011

From: Leigh Porter <leigh.porter@ukbroadband.com>
To: Owen DeLong <owen@delong.com>
Date: Tue, 15 Nov 2011 17:14:44 +0000
In-Reply-To: <F94EB274-D5AC-4018-927C-97E4F1114643@delong.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>, "McCall, Gabriel" <Gabriel.McCall@thyssenkrupp.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On 15 Nov 2011, at 15:36, "Owen DeLong" <owen@delong.com> wrote:

> 
> On Nov 15, 2011, at 2:57 AM, Leigh Porter wrote:
> 
>> 
>> On 14 Nov 2011, at 18:52, "McCall, Gabriel" <Gabriel.McCall@thyssenkrupp.com> wrote:
>> 
>>> Chuck, you're right that this should not happen, but the reason it should not happen is because you have a properly functioning stateful firewall, not because you're using NAT. If your firewall is working properly, then having public addresses behind it is no less secure than private. And if your firewall is not working properly, then having private addresses behind it is no more secure than public. In either case, NAT gains you nothing over what you'd have with a firewalled public-address subnet.
>> 
>> Well this is not quite true, is it? If your firewall is not working and you have private space internally then you are a lot better off than if you have public space internally! So if your firewall is not working then having private space on one side is a hell of a lot more secure!
>> 
> This is not true.
> 
> If your firewall is not working, it should not be passing packets.

And of course, things always fail just the way we want them to.

> 
> If you put a router where you needed a firewall, then, this is not a failure of the firewall, but, a
> failure of the network implementor and the address space will not have any impact whatsoever
> on your lack of security.

This is not really a well made point, sorry. It's about a firewall failing, perhaps due to software error or hardware issue or because somebody failed to correctly configure a firewall rule.

The point about private space is that it forces security in a way in which public space and a firewall does not.

With private space, you are forced to explicitly configure NAT holes or VPN connections, whereas with public space your boxes by default are accessible by the whole Internet. By default, on a private space network, nothing can get to it.



> 
>> As somebody else mentioned on this thread, a NAT box with private space on one side fails closed.
>> 
> 
> So does a firewall.

If it fails just how you want it to.

--
Leigh
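
To make the reachability argument in this exchange concrete, here is a toy model added as an illustration; it is not code from the thread or from any of its participants. It models the edge box as a stateful filter that may "fail open" (pass everything, as a plain router would), with the LAN numbered from either public or RFC 1918 space, and it assumes, as the message above does, that when the filter rules are lost the NAT table (existing state plus explicitly configured port-forwards) survives. All addresses are constructed from documentation ranges, and the port allocator and state keys are simplifications, not any real implementation's behaviour.

```python
"""Toy edge-box model: stateful filter that may fail open, LAN numbered
from public or RFC 1918 space, optional NAT. Added illustration only;
addresses below are constructed documentation ranges."""
import ipaddress
from dataclasses import dataclass, field

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls in RFC 1918 space (not routed across the Internet)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class EdgeBox:
    public_ip: str                    # address the Internet side sees
    inside: set                       # LAN hosts behind the box
    nat: bool                         # True: LAN is private and the box translates
    filter_working: bool = True       # False: filter rules lost, box passes everything
    allow_in: set = field(default_factory=set)          # explicit filter permits (host, port)
    port_forwards: dict = field(default_factory=dict)   # explicit NAT holes: public port -> (host, port)
    _state: dict = field(default_factory=dict)          # (remote, public port) -> (host, port)

    def outbound(self, pkt: Packet) -> Packet:
        """A LAN host opens a connection; record state so replies can return."""
        assert pkt.src in self.inside
        if self.nat:
            public_port = 40000 + len(self._state)     # toy port allocator (assumption)
            self._state[(pkt.dst, public_port)] = (pkt.src, pkt.sport)
            return Packet(self.public_ip, pkt.dst, public_port, pkt.dport)
        self._state[(pkt.dst, pkt.sport)] = (pkt.src, pkt.sport)
        return pkt

    def inbound(self, pkt: Packet) -> str:
        """A packet arriving from the Internet side; returns what happened to it."""
        # An RFC 1918 destination is never carried across the Internet, so the
        # packet does not even reach the box.
        if is_private(pkt.dst):
            return "dropped: destination not routable from the Internet"
        if self.nat:
            # Only a state entry or an explicit port-forward tells the box where
            # an inside host is. Without one there is nothing to translate to,
            # whether or not the filter rules survived: the "fails closed" case.
            target = (self._state.get((pkt.src, pkt.dport))
                      or self.port_forwards.get(pkt.dport))
            if target is None:
                return "dropped: no translation"
            return f"delivered to {target[0]}:{target[1]}"
        # Public space inside: the packet is already addressed to the host, so
        # only the filter stands between the Internet and it.
        if pkt.dst not in self.inside:
            return "dropped: no such host"
        if not self.filter_working:
            return f"delivered to {pkt.dst}:{pkt.dport} (filter failed open)"
        if (self._state.get((pkt.src, pkt.dport)) == (pkt.dst, pkt.dport)
                or (pkt.dst, pkt.dport) in self.allow_in):
            return f"delivered to {pkt.dst}:{pkt.dport}"
        return "dropped: filter policy"


def compare(filter_working: bool) -> dict:
    """Same unsolicited SSH probe against a public-numbered and a private-numbered LAN."""
    pub = EdgeBox("198.51.100.1", {"198.51.100.10"}, nat=False, filter_working=filter_working)
    priv = EdgeBox("203.0.113.1", {"10.0.0.10"}, nat=True, filter_working=filter_working)
    attacker = "192.0.2.7"
    return {
        "public": pub.inbound(Packet(attacker, "198.51.100.10", 51234, 22)),
        "private_direct": priv.inbound(Packet(attacker, "10.0.0.10", 51234, 22)),
        "private_via_edge": priv.inbound(Packet(attacker, "203.0.113.1", 51234, 22)),
    }


if __name__ == "__main__":
    for working in (True, False):
        print(f"filter working={working}:", compare(working))
```

With the filter intact both LANs drop the probe; with the filter failed open the public-numbered host is reached directly, while the private-numbered host is reachable only through a state entry (a reply to a connection it opened) or a port-forward that someone configured explicitly. The model says nothing about the other side of the argument, namely that a filter which has failed open is a misconfiguration either way; it only shows why the addressing choice changes what that misconfiguration exposes.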

