[170121] in North American Network Operators' Group
RE: misunderstanding scale
daemon@ATHENA.MIT.EDU (Naslund, Steve)
Mon Mar 24 12:57:18 2014
From: "Naslund, Steve" <SNaslund@medline.com>
To: William Herrin <bill@herrin.us>, Karl Auer <kauer@biplane.com.au>
Date: Mon, 24 Mar 2014 16:43:04 +0000
In-Reply-To: <CAP-guGUhOYXDuuwZtYO0YFKfBxto+0+T2w4+KSCQ7L=dzw=MQQ@mail.gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I think it would be just as easy to claim that breaking the end-to-end model
is more of a security concern than lack of NAT. Having the NAT is essentially
condoning a permanent man-in-the-middle. A lot of customers do believe that
NAT adds to their security. I would advise them however that it probably
offers a lot less than they think. It is a very common technique to get an
inside computer to establish a connection out to a bad host. That's how most
of the malware today works (through the "extra layer of defense that NAT
provides"), so I am not seeing how much worse IPv6 would make things. If you
are going to allow inbound connections to your internal machines from
anywhere you are insecure. How hard is it to block inbound connections with
a firewall? If the user cannot accomplish that then there is not much we can
do to save them.
I suppose NAT could add some sort of minimal additional assurance but if you
cannot pull off a simple firewall or routing policy you are already unable to
adequately secure your network.
I see no technical reason that someone could not implement a transparent
proxy whether it is v4 or v6. It does not really violate the end-to-end model
because the proxy connects to the remote system and the local system connects
to the proxy, so there really is not an end-to-end connection as much as there
are two separate connections. For that matter, is there really a technical
reason that you could not do a NAT if you wanted to with IPv6? All we are
really talking about here is replacing one address with another. Could you
not get something similar by translating a routable IPv6 address to a link
local address? I don't think I would want to but I suppose you could if you
are really married to NAT and private addressing.
I, for one, will not miss NAT very much. I have seen quite a few misconfigured
NATs and holes being punched through firewalls because applications don't
like NATs, enough to believe that they are at least as much trouble as they
are worth as a security feature.
Steven Naslund
-----Original Message-----
From: William Herrin [mailto:bill@herrin.us]
Sent: Monday, March 24, 2014 11:21 AM
To: Karl Auer
Cc: nanog@nanog.org
Subject: Re: misunderstanding scale
On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer <kauer@biplane.com.au> wrote:
> Addressable is not the same as
> accessible; routable is not the same as routed.
Indeed. However, all successful security is about _defense in depth_.
If it is inaccessible, unrouted, unroutable and unaddressable then you have
four layers of security. If it is merely inaccessible and unrouted you have
two.
Regards,
Bill Herrin
--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
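As an added illustration of the point Steve makes above ("How hard is it to block inbound connections with a firewall?"), here is an nftables ruleset for a small IPv6 site whose internal hosts carry globally routable addresses and no NAT at all. It is example configuration written for this page, not anything posted in the thread; the interface names `lan0`/`wan0`, the `2001:db8::/32` documentation prefix and the commented-out service exception are assumptions. Internal hosts are addressable and routable, yet the only inbound traffic that reaches them is the reply half of a connection they opened, which is exactly the property people credit NAT with.

```nft
# Stateful IPv6 firewall with no address translation (added example; the
# interface names and addresses are assumptions, not from the thread).
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Return traffic for connections the router itself initiated.
        ct state established,related accept
        ct state invalid drop

        iif "lo" accept

        # IPv6 cannot function with ICMPv6 blocked: neighbour discovery,
        # router advertisements and path-MTU discovery all depend on it.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-router-solicit,
                      nd-router-advert, nd-neighbor-solicit,
                      nd-neighbor-advert } accept

        # Management of the router only from the inside interface.
        iifname "lan0" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Inside hosts may open anything outbound; the reply packets of those
        # connections are matched by conntrack, not by rewriting addresses.
        iifname "lan0" oifname "wan0" accept
        ct state established,related accept
        ct state invalid drop

        # Forward the ICMPv6 error and PMTUD messages inside hosts need.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Nothing else unsolicited from the outside reaches internal hosts.
        # A host that is meant to serve something gets an explicit rule, e.g.
        # iifname "wan0" ip6 daddr 2001:db8:1::80 tcp dport 443 accept
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`. Two things worth checking when adapting it: first, the ICMPv6 accept lines are not optional on IPv6, and a ruleset that drops them will break neighbour discovery and PMTU discovery in ways that look like random connectivity loss; second, nothing here prevents an internal machine from calling out to a hostile host, which is the same limitation the post attributes to NAT, so egress filtering or DNS/proxy controls are a separate decision.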