[170133] in North American Network Operators' Group
Re: misunderstanding scale
daemon@ATHENA.MIT.EDU (Laszlo Hanyecz)
Mon Mar 24 13:54:26 2014
From: Laszlo Hanyecz <laszlo@heliacal.net>
In-Reply-To: <7053AFC7-45DB-4361-B201-906308B34224@ianai.net>
Date: Mon, 24 Mar 2014 17:35:18 +0000
To: "Patrick W. Gilmore" <patrick@ianai.net>
Cc: North American Operators' Group <nanog@nanog.org>
On Mar 24, 2014, at 5:05 PM, "Patrick W. Gilmore" <patrick@ianai.net> wrote:
> On Mar 24, 2014, at 12:21, William Herrin <bill@herrin.us> wrote:
>> On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve <SNaslund@medline.com> wrote:
>
>>> I am not sure I agree with the basic premise here. NAT or Private addressing does not equal security.
>
>> Many of the folks you would have deploy IPv6 do not agree. They take
>> comfort in the mathematical impossibility of addressing an internal
>> host from an outside packet that is not part of an ongoing session.
>> These folks find that address-overloaded NAT provides a valuable
>> additional layer of security.
>>
>> Some folks WANT to segregate their networks from the Internet via a
>> general-protocol transparent proxy. They've had this capability with
>> IPv4 for 20 years. IPv6 poorly addresses their requirement.
>
It's unfortunate that it is the way it is, but many enterprise people have this ingrained in them - they don't want to be connected to the internet except for a few exceptions. Just the fact that they can't ping their machines gives them a warm and fuzzy. In a run-of-the-mill default NAT setup, you can deploy a network printer with no security and nobody from the internet can print to it. It's default deny, even without setting anything else up, by virtue of not being on the internet and not having an address. I know there are ways to subvert a NAT but that applies to perimeter and host firewalls too. IPv6 global numbers are great for those of us that actually want to connect to the internet, but enterprise people with RFC 1918 numbering have gotten used to being disconnected, and while most of us know that it's trivial to firewall IPv6, it's still a big jump from using a NAT/proxy to being 'on the internet'. It's even more complex if it's only halfway and there are two different protocols to manage.

People will always resist change, and in this case, why should they change when it's only going to make their job harder? Makes sense to me, but I wish it weren't that way. They will probably just find ways to proxy and NAT IPv6 too, so that it fits the IPv4 model with 'private' addresses.
Just look at what's been happening with UDP floods. It's scared people enough that some are just blocking certain UDP ports or UDP completely. I imagine we will soon see some big IPv6 specific attacks that result in crashing hosts/routers, and that will just make people resist it harder, because why would they want that headache? I think in a lot of situations, unless their business is networking specifically, the network is considered good enough if you can browse (most) webpages. For IPv6 only sites, that could be accomplished with a web proxy setting on all the desktops. It's not really right, it's inefficient, error prone and a bunch of other things, but that doesn't mean people won't do it. They do all this today with v4 anyway, so if anything, the 'wrong way' is easier there since they're used to doing it.
There has to be some big compelling reason to convince people that global addressing is the right way. We all know the reasons but they're obviously not good enough for enterprise security people.
-Laszlo
> NAT is not required for the above. Any firewall can stop incoming packets unless they are part of an established session. NAT doesn't add much of anything, especially given that you can have one-to-one NAT.
>
> --
> TTFN,
> patrick
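The point both messages circle around (NAT's "nobody from the internet can print to it" versus Patrick's "any firewall can stop incoming packets unless they are part of an established session") is easier to see as a worked policy than as an argument. The following is an added example written for this archive page; it is not code from the thread or from any of its participants. It simulates a stateful IPv6 ingress filter with a default-drop policy, an established-state accept, the ICMPv6 types RFC 4890 says a border filter must keep, and one explicit inbound exception, then runs it over a constructed packet trace. The prefix 2001:db8:1::/64, the hosts (printer, desktop, mail server), the outside addresses and the trace itself are all assumptions made up for the illustration.

```python
"""Stateful IPv6 ingress filter, simulated.

Added example, not code from the NANOG thread or its participants.
Addresses, hosts and the packet trace are constructed for illustration;
2001:db8::/32 is the IPv6 documentation prefix.
"""
from dataclasses import dataclass

INSIDE_PREFIX = "2001:db8:1::"   # assumed enterprise /64 behind the filter

# ICMPv6 types RFC 4890 says a border filter must not drop; without these,
# neighbour discovery and path-MTU discovery stop working on IPv6. Echo
# request is deliberately NOT in this set: "can't ping my machines" is the
# policy the thread describes, so pings from outside fall to the drop rule.
ESSENTIAL_ICMPV6 = {
    "destination-unreachable", "packet-too-big", "time-exceeded",
    "parameter-problem", "nd-neighbor-solicit", "nd-neighbor-advert",
    "nd-router-advert", "nd-router-solicit",
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""     # only meaningful when proto == "icmpv6"


def is_inside(addr: str) -> bool:
    return addr.startswith(INSIDE_PREFIX)


class StatefulFilter:
    """A minimal conntrack: 'policy drop' plus 'ct state established accept'."""

    def __init__(self, allow_inbound=()):
        # explicit exceptions as (dst address, dst port), e.g. a mail server
        self.allow_inbound = set(allow_inbound)
        self.conntrack = set()   # flows an inside host has opened

    @staticmethod
    def _flow(pkt: Packet) -> tuple:
        # direction-independent key so a reply matches the outbound entry
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, *ends)

    def process(self, pkt: Packet) -> str:
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            # outbound: forward it and remember the flow; this is the same
            # bookkeeping an overloaded NAT does, minus the address rewrite
            self.conntrack.add(self._flow(pkt))
            return "accept"
        # everything below is inbound from outside the prefix
        if self._flow(pkt) in self.conntrack:
            return "accept"                       # ct state established
        if pkt.proto == "icmpv6" and pkt.icmp_type in ESSENTIAL_ICMPV6:
            return "accept"                       # keep ND and PMTUD alive
        if pkt.proto != "icmpv6" and (pkt.dst, pkt.dport) in self.allow_inbound:
            return "accept"                       # deliberate exception
        return "drop"                             # policy drop


def run_trace() -> list:
    """Constructed trace; returns (label, verdict) pairs, one per packet."""
    printer, desktop, mailhost = "2001:db8:1::91", "2001:db8:1::10", "2001:db8:1::25"
    outside, website = "2001:db8:ffff::9", "2001:db8:ffff::80"
    fw = StatefulFilter(allow_inbound={(mailhost, 25)})
    trace = [
        ("internet host tries to print (unsolicited inbound)",
         Packet(outside, printer, "tcp", 40000, 9100)),
        ("desktop opens an HTTPS session (creates state)",
         Packet(desktop, website, "tcp", 50000, 443)),
        ("web server replies (established)",
         Packet(website, desktop, "tcp", 443, 50000)),
        ("spoofed 'reply' with no matching state",
         Packet(website, desktop, "tcp", 443, 50001)),
        ("internet host pings the desktop",
         Packet(outside, desktop, "icmpv6", icmp_type="echo-request")),
        ("neighbour solicitation from the on-link router",
         Packet("fe80::1", desktop, "icmpv6", icmp_type="nd-neighbor-solicit")),
        ("inbound SMTP to the mail server (explicit exception)",
         Packet(outside, mailhost, "tcp", 40001, 25)),
    ]
    return [(label, fw.process(pkt)) for label, pkt in trace]


if __name__ == "__main__":
    for label, verdict in run_trace():
        print(f"{verdict:6}  {label}")
```

The printer and the unsolicited ping are dropped and the HTTPS reply is accepted with no NAT involved, which is Patrick's point; the printer is just as unreachable as it would be behind RFC 1918 space, and the mail server shows that opening a service is one explicit rule rather than a port-forward. On a real Linux border the same policy is `policy drop` on the input/forward chain plus `ct state established,related accept` and an ICMPv6 accept for the RFC 4890 types; the simulation folds the `related` state (ICMPv6 errors referencing an existing flow) into the essential-type list and has no state timeouts, both of which a real conntrack handles for you.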