[170065] in North American Network Operators' Group
RE: misunderstanding scale
daemon@ATHENA.MIT.EDU (Naslund, Steve)
Sun Mar 23 23:08:13 2014
From: "Naslund, Steve" <SNaslund@medline.com>
To: Timothy Morizot <tmorizot@gmail.com>, Mike Hale <eyeronic.design@gmail.com>
Date: Mon, 24 Mar 2014 03:07:19 +0000
In-Reply-To: <CAFy81r=4Wab901U4VAW24P-3URXX9P0xb_464NHonuR6MAFh6g@mail.gmail.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I am not sure I agree with the basic premise here. NAT or private addressing does not equal security.
A globally routable address does not necessarily mean globally accessible. Any enterprise that cares a whit about network security is going to have a firewall. If you are relying on NAT to protect hosts that have private addresses then you are already in a world of hurt, so it won't matter much that IPv6 increases your attack surface because it is already pretty weak. In fact the enterprises running v4 better worry there first. They don't have to worry about the v6 stack too much because their network is not routing v6 yet, so they are only vulnerable within the network borders or subnets.
I think even residential users mostly know that a private address does not make you safe. The same tools that protect your v4 machine are still necessary to protect a v6 machine.
In fact, just because I have an IPv6 allocation does not mean I have to allow the world to route to it. There is no reason that a proxy cannot be used on the v6 space you have internally, and there is no reason I can't point an entire address range at the outside interface of my firewall. The only difference here is that my firewall no longer has to NAT addresses.

Thinking of NAT as a security mechanism is not viable for either address space.
An enterprise with a respectable firewall can easily choose to allow or disallow access to any range of addresses that they wish, so I don't see much difference between IPv6 and IPv4. I would think in most enterprise models you would have a group of addresses that can be reached from the outside world according to some policy (the DMZ or public NATs in the v4 world) and the remainder only have access outbound according to policy (your private space behind your NAT v4 addresses in that world). I don't see how v6 massively changes things for the enterprise, and the residential user can easily be protected behind a simple consumer firewall.
As far as printers being a more dangerous attack vector than computers, I definitely don't buy that argument. It does not change in v4 or v6. Assuming that both stacks are vulnerable to attack, I would be less worried about the printer because I am not aware of any of my printers running malware in v4. I think the PC platform being much more complex and having many more interfaces for active programming like DLLs, Java, ActiveX, etc. is much more the threat. I personally have not seen a DDoS attack launched by printers (they may exist but I am not aware of them). If I were going to design an attack for a printer, I would think that data theft would be the most dangerous. I have wondered about multifunction printers emailing print data to someone but I have never seen that yet.
Steven Naslund
Chicago IL
On Mar 23, 2014 8:44 PM, "Mike Hale" <eyeronic.design@gmail.com> wrote:
> "Your attack surface has already expanded whether or not you deploy IPv6."
> Not so. If I don't enable IPv6 on my hosts, the attacker can yammer
> away via IPv6 all day long with no result.
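The DMZ-versus-inside model the post describes (a published set of hosts reachable from outside by policy, everything else routable but outbound-only, no NAT involved), written out as an nftables IPv6 forwarding ruleset. This is an added example, not code from the original message or any NANOG participant; the interface names wan/lan/dmz, the 2001:db8:: documentation prefixes and the port list are constructed placeholders.

```nft
# Added example: stateful IPv6 edge policy with no NAT.
# Prefixes are constructed placeholders from the 2001:db8::/32 documentation range.
define dmz_net      = 2001:db8:1::/64   # reachable from the Internet on published ports only
define inside_net   = 2001:db8:2::/64   # globally routable, but never reachable inbound
define dmz_services = { 80, 443 }       # the "policy" for what the DMZ exposes

table ip6 edge {
    chain forward {
        # Default deny: anything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections we already allowed keeps flowing.
        # A fresh inbound connection is "new", never matches here, and must
        # satisfy one of the explicit rules below.
        ct state established,related accept
        ct state invalid drop

        # Keep path MTU discovery and error signalling working; IPv6 breaks
        # in subtle ways if packet-too-big is filtered.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Inbound from the Internet: only the DMZ prefix, only on published ports.
        iifname "wan" ip6 daddr $dmz_net tcp dport $dmz_services ct state new accept

        # Inside hosts have global addresses but are not globally accessible.
        # Redundant with the drop policy; kept explicit (with a counter) so the
        # intent is visible and the hit count can be watched.
        iifname "wan" ip6 daddr $inside_net counter drop

        # Outbound: inside and DMZ hosts may originate connections per policy.
        iifname { "lan", "dmz" } oifname "wan" ct state new accept
    }
}
```

Load with `nft -f <file>` and confirm the intent with `nft list ruleset`; the counter on the inside-prefix drop rule shows how much unsolicited inbound traffic the globally routable inside space actually attracts.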