[170240] in North American Network Operators' Group
RE: misunderstanding scale
daemon@ATHENA.MIT.EDU (Naslund, Steve)
Tue Mar 25 10:18:12 2014
From: "Naslund, Steve" <SNaslund@medline.com>
To: Alexander Lopez <alex.lopez@opsys.com>
Date: Tue, 25 Mar 2014 14:17:28 +0000
In-Reply-To: <17c4fe20bcf74f80b749d234c9c2df6b@BN1PR04MB250.namprd04.prod.outlook.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
>>=20
>> Look at it this way. If I see an attack coming from behind your NAT,=20
>> I'm gonna deny all traffic coming from your NAT block until you assure=20
>> me you have it fixed because I have no way of knowing which host it is=20
>> coming from. Now your whole network is unreachable. If you have a=20
>> compromised GUA host I can block only him. Better for both of us, no?
>That is assuming that the infected piece does not request another address =
in the /64, and that the person blocking at the target end blocks a /128 in=
stead of the /64.
I suppose that's possible and you could respond to that by blocking more ad=
dresses or the entire /64 if you want. The difference is that by seeing th=
e actual address of the remote system you get to decide rather than blockin=
g an entire corporate network. It would be trivial to program a rule that =
if multiple addresses in the block are offending we escalate to a bigger bl=
ock.=20
>>=20
>> How about a single host spamming behind your NAT blocking your entire=20
>> corporate public network from email services? Anyone ever see that one.
>> Ipv6 GUAs allow us to use fly swatters instead of sledgehammers to=20
>> deal with that.
>I don't want to try to even think about SMTP on IPv6. Reputation of email =
servers as well as the whole thought process of spam control rely on a list=
of IP address.
Yes, addresses that do not accurately represent the single system causing t=
he problem.
>IPv6 adds an entirely new aspect to it.
Well, if you mean the entirely new aspect is a list of hex addresses instea=
d of dotted decimal addresses I guess so. I personally would rather have a=
list of actual end system addresses than a list of addresses that represen=
t a mail server and several thousand other innocent devices behind a NAT. =
Might be easier to tell the system owner which system is compromised than t=
o call a large company and tell them one of their systems is compromised. =
It would also be nice to be able to allow legitimate email to a business pa=
rtner while blocking his compromised system only. =20
>>=20
>> Maybe GUAs will convince (scare) more enterprise users to actually=20
>> treat the internal network as an environment that needs to be secured=20
>> as well. We can only hope.
>>=20
>Most enterprise admins, segment their BYOD (wifi) network from the product=
ion network. Some will even use a different WAN ip for the wifi network or =
in the minimum block outbound request to well known services ports.
If they knew anything about security they would but I thought we were talki=
ng about the same guys that use NAT to secure their networks.
>I generally see where the only outbound connections allowed are http and h=
ttps. All other ports are blocked.
Maybe on the BYOD only networks but very few companies actually segregate t=
he BYOD devices from the general wifi access in a sophisticated way. Just =
look at how many wifi vendors actually support that well and how many compa=
nies can actually tell a corporate owned wifi device from a BYOD device. T=
o do that correctly requires something like a good machine certificate proc=
ess and complex stuff like 802.1x and TLS, most don't have it. Good luck w=
ith allowing only http and https and nothing else. My wifi users happen to=
like to be able to use IP softphones, have web conferences, and do lots of=
other stuff that uses more than those two protocols.
Steven Naslund
Chicago IL
