[170208] in North American Network Operators' Group


Re: misunderstanding scale

daemon@ATHENA.MIT.EDU (Owen DeLong)
Mon Mar 24 23:31:00 2014

From: Owen DeLong <owen@delong.com>
In-Reply-To: <B3B938B5-3669-4B4F-81CC-A82E52CBDD5F@heliacal.net>
Date: Mon, 24 Mar 2014 20:22:10 -0700
To: Laszlo Hanyecz <laszlo@heliacal.net>
Cc: North American Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Mar 24, 2014, at 10:35 AM, Laszlo Hanyecz <laszlo@heliacal.net> wrote:

>
> On Mar 24, 2014, at 5:05 PM, "Patrick W. Gilmore" <patrick@ianai.net> wrote:
>
>> On Mar 24, 2014, at 12:21, William Herrin <bill@herrin.us> wrote:
>>> On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve <SNaslund@medline.com> wrote:
>>
>>>> I am not sure I agree with the basic premise here.   NAT or Private addressing does not equal security.
>>
>>> Many of the folks you would have deploy IPv6 do not agree. They take
>>> comfort in the mathematical impossibility of addressing an internal
>>> host from an outside packet that is not part of an ongoing session.
>>> These folks find that address-overloaded NAT provides a valuable
>>> additional layer of security.
>>>
>>> Some folks WANT to segregate their networks from the Internet via a
>>> general-protocol transparent proxy. They've had this capability with
>>> IPv4 for 20 years. IPv6 poorly addresses their requirement.
>>
>
> It's unfortunate that it is the way it is, but many enterprise people
> have this ingrained in them - they don't want to be connected to the
> internet except for a few exceptions.  Just the fact that they can't
> ping their machines gives them a warm and fuzzy.  In a run-of-the-mill
> default NAT setup, you can deploy a network printer with no security and
> nobody from the internet can print to it.  It's default deny, even
> without setting anything else up, by virtue of not being on the internet
> and not having an address.  I know there are ways to subvert a NAT but
> that applies to perimeter and host firewalls too.  IPv6 global numbers
> are great for those of us that actually want to connect to the internet,
> but enterprise people with RFC 1918 numbering have gotten used to being
> disconnected, and while most of us know that it's trivial to firewall
> IPv6, it's still a big jump from using a NAT/proxy to being 'on the
> internet'.  It's even more complex if it's only halfway and there are
> two different protocols to manage.

This mindset is why so many printers are delivering copies of everything
printed to $badguy without the knowledge of many IT departments.

You may not be able to print to it, but really, if you had access to a
random printer somewhere, how many people would really want to print to it?

In my experience, having had such a device on line as an experiment for
several years, it's a very small number. In more than 5 years with such a
device on line with no NAT, no packet filter, nothing, only 3 print jobs
came in from unauthorized users. Lots of other things were done to the
printer to try and get it to do various things a printer just shouldn't do.

Now, just having the printer behind NAT doesn't prevent that, because
likely someone who has access to the printer inside the organization will
download some piece of malware that reprograms the printer as desired,
eliminating the need to compromise the printer through the NAT.

> People will always resist change, and in this case, why should they
> change when it's only going to make their job harder?  Makes sense to
> me, but I wish it weren't that way.  They will probably just find ways
> to proxy and NAT IPv6 too, so that it fits the IPv4 model with 'private'
> addresses.

I suppose it's possible, but I think, so far, education actually seems to
be making progress. Please don't give up hope yet.

Owen
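The "default deny by virtue of not having an address" that Laszlo attributes to NAT can be written out explicitly for globally addressed IPv6 hosts as a stateful filter. The nftables ruleset below is an added example, not part of this thread or any poster's configuration; it assumes a router with an inside interface lan0 and an outside interface wan0 (hypothetical names), with the printer on the lan0 side.

```nft
# Added example: stateful default-deny for an IPv6 (or dual-stack) edge,
# giving the same "nothing unsolicited gets in" behaviour NAT provides as a
# side effect, without translating addresses. Interface names are assumed.
table inet filter {
    chain input {
        # Traffic to the router itself: drop unless explicitly allowed.
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 is not optional: neighbour/router discovery and PMTU
        # signalling break if a NAT-era "block all ICMP" habit is carried over.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert,
                      destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem, echo-request } accept
    }

    chain forward {
        # Traffic through the router (e.g. internet -> printer): default drop.
        type filter hook forward priority 0; policy drop;

        # Replies to sessions the inside started come back; nothing else does.
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may open sessions outward.
        iifname "lan0" oifname "wan0" accept

        # PMTU and error signalling must be forwarded to the inside hosts.
        iifname "wan0" oifname "lan0" icmpv6 type {
            destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem } accept
    }
}
```

With this in place an outside host cannot reach the printer's global address any more than it could reach an RFC 1918 one behind NAT, while the printer can still be reached from inside and still participates in neighbour discovery.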