[170065] in North American Network Operators' Group


RE: misunderstanding scale

daemon@ATHENA.MIT.EDU (Naslund, Steve)
Sun Mar 23 23:08:13 2014

From: "Naslund, Steve" <SNaslund@medline.com>
To: Timothy Morizot <tmorizot@gmail.com>, Mike Hale <eyeronic.design@gmail.com>
Date: Mon, 24 Mar 2014 03:07:19 +0000
In-Reply-To: <CAFy81r=4Wab901U4VAW24P-3URXX9P0xb_464NHonuR6MAFh6g@mail.gmail.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

I am not sure I agree with the basic premise here.   NAT or Private addressing does not equal security.

A globally routable address does not necessarily mean globally accessible.  Any enterprise that cares a whit about network security is going to have a firewall.  If you are relying on NAT to protect hosts that have private addresses then you are already in a world of hurt, so it won't matter much that IPv6 increases your attack surface because it is already pretty weak.  In fact the enterprises running v4 had better worry there first.  They don't have to worry about the v6 stack too much because their network is not routing v6 yet, so they are only vulnerable within the network borders or subnets.

I think even residential users mostly know that a private address does not make you safe.  The same tools that protect your v4 machine are still necessary to protect a v6 machine.

In fact, just because I have an IPv6 allocation does not mean I have to allow the world to route to them.  There is no reason that a proxy cannot be used on the v6 space you have internally and there is no reason I can't point an entire address range at the outside interface of my firewall.  The only difference here is that my firewall no longer has to NAT addresses.

Thinking of NAT as a security mechanism is not viable for either address space.

An enterprise with a respectable firewall can easily choose to allow or disallow access to any range of addresses that they wish, so I don't see much difference between IPv6 and IPv4.  I would think in most enterprise models you would have a group of addresses that can be reached from the outside world according to some policy (the DMZ or public NATs in the v4 world) and the remainder only have access outbound according to policy (your private space behind your NAT v4 addresses in that world).  I don't see how v6 massively changes things for the enterprise, and the residential user can easily be protected behind a simple consumer firewall.

As far as printers being a more dangerous attack vector than computers, I definitely don't buy that argument.  It does not change in v4 or v6.  Assuming that both stacks are vulnerable to attack, I would be less worried about the printer because I am not aware of any of my printers running malware in v4.  I think the PC platform, being much more complex and having many more interfaces for active programming like DLLs, Java, ActiveX, etc., is much more the threat.  I personally have not seen a DDoS attack launched by printers (they may exist but I am not aware of them).  If I were going to design an attack for a printer, I would think that data theft would be the most dangerous.  I have wondered about multifunction printers emailing print data to someone but I have never seen that yet.

Steven Naslund
Chicago IL



On Mar 23, 2014 8:44 PM, "Mike Hale" <eyeronic.design@gmail.com> wrote:
> "Your attack surface has already expanded whether or not you deploy IPv6."
> Not so.  If I don't enable IPv6 on my hosts, the attacker can yammer
> away via IPv6 all day long with no result.
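The "DMZ reachable by policy, everything else outbound only" split that the post describes for an IPv6 border, written out as an added nftables ruleset. This is an illustrative example, not part of the original message or of the NANOG thread. The interface names (wan0, dmz0, lan0), the use of the 2001:db8::/32 documentation prefix as a stand-in for an enterprise allocation, and the two published services are assumptions; the point is that nothing here translates addresses, the firewall state table and the per-address policy do all the work.

```nft
#!/usr/sbin/nft -f
# Added example, not from the post: an IPv6 forwarding policy on a border
# firewall with no NAT. Published DMZ services are reachable from the
# Internet by explicit policy; every other internal address is outbound only.
# Prefix 2001:db8::/32 is the documentation prefix, assumed here to be the
# enterprise allocation. Interface names and services are assumptions.

flush ruleset

table ip6 border {
    # Published DMZ services: host . port pairs that the Internet may reach.
    set dmz_services {
        type ipv6_addr . inet_service
        elements = {
            2001:db8:0:1::10 . 443,   # assumed public web server
            2001:db8:0:1::25 . 25     # assumed inbound mail relay
        }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for connections the firewall has already tracked,
        # in either direction. This replaces what NAT state did "for free" in v4.
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 is not optional in v6: path MTU discovery breaks without
        # packet-too-big, so only the transit-relevant types are allowed.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply } accept

        # Inbound from the Internet: only new connections to published services.
        iifname "wan0" oifname "dmz0" ip6 daddr . tcp dport @dmz_services ct state new accept

        # Outbound from the internal and DMZ subnets: permitted by policy.
        iifname { "lan0", "dmz0" } oifname "wan0" ct state new accept

        # Everything else, including any inbound connection attempt to the
        # internal 2001:db8:0:100::/56 range, is counted and dropped.
        counter drop
    }
}
```

Only the forward chain is shown; the firewall's own input chain (management access, routing protocols, neighbor discovery on each link) is a separate policy. Loading this with `nft -f` gives the same reachability model the post describes for v4 (DMZ in, everything else out), with the only difference being that the internal hosts keep their globally routable addresses.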

