[190072] in North American Network Operators' Group


Re: Netflix banning HE tunnels

daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Jun 14 17:54:20 2016

X-Original-To: nanog@nanog.org
From: Owen DeLong <owen@delong.com>
In-Reply-To: <op.yi19mekgtfhldh@rbeam.xactional.com>
Date: Tue, 14 Jun 2016 14:54:13 -0700
To: Ricky Beam <jfbeam@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org


> On Jun 14, 2016, at 11:57 , Ricky Beam <jfbeam@gmail.com> wrote:
> 
> On Sun, 12 Jun 2016 19:47:18 -0400, Owen DeLong <owen@delong.com> wrote:
>>> NAT may not be security, yet it's the only thing securing billions of people.
>> 
>> Nope… NAT can’t be done without stateful inspection.
> 
> Negative.
> - 1:1 NAT (inside address A == outside address B) requires no state of any kind.

Sigh… This is not the kind of NAT we are talking about here. We are talking about address multiplexing NAT.

1:1 NAT provides no security whatsoever, either.

> - Connection Tracking is not stateful inspection

Yes, actually, it is a form of stateful inspection.

> - NAT Helpers / ALG / etc. (things that look for embedded addresses) aren't "stateful inspection"

Yes, actually, they are part of the more general category of stateful inspection.

> The only "security" one gets from NAT comes from the lack of outside visibility through the NAT. An outside host cannot initiate a connection to any specific inside host of their choosing.

If you are doing 1:1 NAT without stateful inspection, you don’t get this.

> I've seen many "IPv6 Capable" CPEs that apply ZERO security to IPv6 traffic. IPv4 goes through NAT, so one gets the pseudo-security of not being directly touchable from the internet.

Those are by definition poorly designed CPE. We used to have (and arguably still do) lots of poorly designed IPv4 CPE, too.

Blaming the protocol for bad CPE design is kind of silly.

Each and every one of those CPEs you describe _IS_ doing some form of stateful inspection of the packet in order to be able to perform its translation function or drop the unrelated packet.

An open 1:1 NAT with no stateful inspection is no more secure than a direct route. Changing the packet header doesn’t make you any less reachable.

In fact, it further proves my point that no security comes from the NAT itself, but, rather from the validation of inbound packets as to whether they match an existing outbound session or not. That validation, however it is done, _IS_ stateful inspection. Without it, you’ve offered no security advantage and prevented no reachability.

Owen
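The distinction argued in this exchange, as an added simulation that is not part of the original thread or anyone's posted code: three toy CPE forwarding models, a stateless 1:1 NAT (header rewrite only), an address-multiplexing NAT that keeps a session table, and a stateful filter with no translation at all (the IPv6 case). All addresses, ports and the "attacker" host are constructed for the example. The point it makes runnable is that the inbound decision depends on whether a session table is consulted, not on whether the header was rewritten.

```python
"""Added example: which CPE design actually blocks unsolicited inbound traffic?

Models are deliberately minimal. Addresses are documentation/private ranges
chosen for the example; nothing here talks to a real network.
"""
from dataclasses import dataclass

INSIDE_A = "192.168.1.10"    # inside host behind the CPE (constructed)
OUTSIDE_B = "203.0.113.10"   # CPE public address used for multiplexing (constructed)
OUTSIDE_C = "203.0.113.20"   # public address 1:1 mapped to INSIDE_A (constructed)
SERVER = "198.51.100.50"     # a server the inside host talks to (constructed)
ATTACKER = "198.51.100.7"    # an unrelated outside host probing inward (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class OneToOneNAT:
    """Stateless 1:1 NAT: rewrites addresses only, keeps no session table.

    Any packet addressed to the mapped public address is delivered inside,
    solicited or not. Reachability is the same as a direct route."""

    def __init__(self, mapping):
        self.in2out = dict(mapping)
        self.out2in = {v: k for k, v in mapping.items()}

    def outbound(self, pkt):
        return Packet(self.in2out[pkt.src], pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        inside = self.out2in.get(pkt.dst)
        if inside is None:
            return None
        return Packet(pkt.src, pkt.sport, inside, pkt.dport)


class ConntrackNAT:
    """Address-multiplexing NAT: many inside hosts share one public address.

    Translation is impossible without a session table (the translated port
    is the only way to find the inside host), and that table is also what
    drops inbound packets that match no outbound session."""

    def __init__(self, outside):
        self.outside = outside
        self.sessions = {}        # (isrc, isport, odst, odport) -> translated port
        self.next_port = 40000

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.sessions:
            self.sessions[key] = self.next_port
            self.next_port += 1
        return Packet(self.outside, self.sessions[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        if pkt.dst != self.outside:
            return None
        # Validate the full 5-tuple, not just the port: a probe from some other
        # host to an open translated port is still unsolicited and is dropped.
        for (isrc, isport, odst, odport), tport in self.sessions.items():
            if tport == pkt.dport and pkt.src == odst and pkt.sport == odport:
                return Packet(pkt.src, pkt.sport, isrc, isport)
        return None


class StatefulFilterNoNAT:
    """No translation (e.g. IPv6 with global inside addresses), same validation."""

    def __init__(self):
        self.sessions = set()

    def outbound(self, pkt):
        self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt

    def inbound(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return pkt
        return None


def unsolicited_reaches_inside(device, public_addr, inside_addr):
    """Does an attacker's cold probe at the public address land on the inside host?"""
    delivered = device.inbound(Packet(ATTACKER, 4444, public_addr, 22))
    return delivered is not None and delivered.dst == inside_addr


def reply_reaches_inside(device, inside_addr):
    """Does the legitimate reply to an outbound session come back to the inside host?"""
    out = device.outbound(Packet(inside_addr, 51000, SERVER, 443))
    back = device.inbound(Packet(SERVER, 443, out.src, out.sport))
    return back is not None and back.dst == inside_addr and back.dport == 51000


def probe_open_port_from_elsewhere(device, inside_addr):
    """After a session exists, does a probe to its public port from a third host get in?"""
    out = device.outbound(Packet(inside_addr, 51000, SERVER, 443))
    return device.inbound(Packet(ATTACKER, 4444, out.src, out.sport)) is not None


def run_demo():
    results = {}
    for name, dev, pub in (
        ("1:1 NAT, no state", OneToOneNAT({INSIDE_A: OUTSIDE_C}), OUTSIDE_C),
        ("multiplexing NAT + conntrack", ConntrackNAT(OUTSIDE_B), OUTSIDE_B),
        ("stateful filter, no NAT", StatefulFilterNoNAT(), INSIDE_A),
    ):
        results[name] = (unsolicited_reaches_inside(dev, pub, INSIDE_A),
                         reply_reaches_inside(dev, INSIDE_A),
                         probe_open_port_from_elsewhere(dev, INSIDE_A))
    return results


if __name__ == "__main__":
    for name, (cold, reply, sideprobe) in run_demo().items():
        print(f"{name:32} cold probe in: {cold}  reply in: {reply}  "
              f"3rd-party probe to open port in: {sideprobe}")
```

Running it shows the 1:1 NAT delivering every inbound packet while both the session-tracking NAT and the translation-free stateful filter return only replies that match an outbound session, including rejecting a third-party probe aimed at a port that is currently in use.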


