[64709] in North American Network Operators' Group
Re: IPv6 NAT
daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Oct 31 11:06:19 2003
Date: Fri, 31 Oct 2003 08:03:18 -0800
From: Owen DeLong <owen@delong.com>
To: Stephen Sprunk <stephen@sprunk.org>,
Tony Hain <alh-ietf@tndh.net>,
"Kuhtz, Christian" <christian.kuhtz@bellsouth.com>,
Michael.Dillon@radianz.com
Cc: North American Noise and Off-topic Gripes <nanog@merit.edu>
In-Reply-To: <032c01c39fb5$8460f6f0$6401a8c0@ssprunk>
Errors-To: owner-nanog-outgoing@merit.edu
--On Friday, October 31, 2003 7:35 AM -0600 Stephen Sprunk
<stephen@sprunk.org> wrote:
>
> Thus spake "Tony Hain" <alh-ietf@tndh.net>
>> Kuhtz, Christian wrote:
>> > All hairsplitting aside, given that the term NAT these days is mostly
>> > used in a PAT (particularly in a customer connecting to the I) context,
>> > what isn't secure about?
>>
>> mangling the header doesn't provide any security, and if you believe it
>> does, do the following exercise:
>
> Mangling the header does not, but the stateful inspection and blocking
> used by a dynamic NAT/NAPT certainly does.
>
The point is that the stateful inspection/blocking can be achieved without
NAT/PAT/NAPT.
>> A stateful filter that is automatically populated by traffic originated
>> from the private side is what is providing 'security'. That function
>> existed in routers long before NAT was specified by the IETF (see RFC1044
>> for vendor).
>
> True. But consumers can't buy a RFC1044 device off the shelf today; what
> they can buy are generic NAT/NAPT devices which provide a minimal
> firewalling function _iff_ the user doesn't intentionally create holes.
> While it'd be nice if these devices didn't _require_ NAT/NAPT for their
> minimal operating mode, that's the configuration that is most likely to
> work in the setting it's intended for.
>
I'm not sure about RFC1044, but it's relatively easy to buy lots of
devices that will do stateful inspection without NAT off the shelf.
Any version of *NIX with iptables or ipchains, some Cisco routers,
various Checkpoint software products, Cyberguard firewalls, Nokia,
Sonic, Netscreen, NetGuard, and others all support stateful
inspection with or without NAT/PAT/NAPT.

There is NO security benefit to NAT/PAT/NAPT. There is a security benefit
to stateful inspection. NAT is harmful to many protocols. Stateful
inspection is not.
Owen
-- 
If it wasn't signed, it probably didn't come from me.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)
iD8DBQE/oofGn5zKWQ/iqj0RAkvdAJ9EMz1hdmqlGCKQd1eQXb2lKCiu6gCcDn7P
Gon1Fg6cZCjufPanG6Mr0OI=
=UTFq
-----END PGP SIGNATURE-----
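As an added illustration of the point Tony Hain and Owen make above (this is not code from the thread or from any product named in it): the 'security' comes from a stateful filter that is populated automatically by traffic originated on the private side, and that filter needs no address or port rewriting at all. The Python below models a router with a private side and an outside, keeps a flow table keyed by the 5-tuple, accepts inbound packets only when they match the reverse of a live inside-initiated flow, and never touches addresses. The addresses (documentation prefixes) and the packet sequence are constructed for the example; the allow_inbound "hole" is an assumed feature that models the deliberately opened port Stephen mentions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# A flow is identified by its 5-tuple; the only "state" we keep is
# "an inside host started this flow, and when we last saw it".
FlowKey = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = originated on the private side, "in" = arrived from outside


class StatefulFilter:
    """Connection-tracking filter with no address translation.

    Outbound packets always pass and create (or refresh) a flow entry.
    Inbound packets pass only if they match the reverse of a live flow
    or a static exception the owner deliberately configured.
    """

    def __init__(self, timeout: float = 60.0) -> None:
        self.timeout = timeout
        self.flows: Dict[FlowKey, float] = {}          # flow -> last-seen time
        self.holes: Set[Tuple[str, str, int]] = set()  # (proto, dst, dport) allowed unsolicited

    def allow_inbound(self, proto: str, dst: str, dport: int) -> None:
        """Assumed helper: the user intentionally opens a hole (e.g. a service port)."""
        self.holes.add((proto, dst, dport))

    def _expire(self, now: float) -> None:
        # Drop entries that have been idle longer than the timeout.
        self.flows = {k: t for k, t in self.flows.items() if now - t < self.timeout}

    def process(self, p: Packet, now: float) -> str:
        self._expire(now)
        if p.direction == "out":
            # Traffic from the private side populates the table automatically.
            self.flows[(p.proto, p.src, p.sport, p.dst, p.dport)] = now
            return "ACCEPT"
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.flows:
            self.flows[reverse] = now  # reply to an inside-initiated flow
            return "ACCEPT"
        if (p.proto, p.dst, p.dport) in self.holes:
            return "ACCEPT"  # explicitly permitted by the owner
        return "DROP"  # unsolicited inbound


def run_sample_trace() -> List[str]:
    """Constructed packet sequence; addresses are documentation prefixes, not real hosts."""
    inside = "2001:db8:1::10"   # the private-side host keeps its own routable address
    server = "2001:db8:ff::1"
    probe = "2001:db8:bad::5"
    fw = StatefulFilter(timeout=60.0)
    trace = [
        (0.0, Packet("tcp", inside, 40000, server, 80, "out")),   # inside opens a connection
        (1.0, Packet("tcp", server, 80, inside, 40000, "in")),    # reply matches the reverse flow
        (2.0, Packet("tcp", server, 80, inside, 40001, "in")),    # same peer, wrong port: no state
        (3.0, Packet("tcp", probe, 12345, inside, 22, "in")),     # unsolicited inbound, no state
        (100.0, Packet("tcp", server, 80, inside, 40000, "in")),  # "reply" after the entry expired
    ]
    verdicts = [fw.process(p, t) for t, p in trace]
    # The owner now deliberately opens a hole; the same probe is then accepted.
    fw.allow_inbound("tcp", inside, 22)
    verdicts.append(fw.process(Packet("tcp", probe, 12345, inside, 22, "in"), 101.0))
    return verdicts


if __name__ == "__main__":
    for verdict in run_sample_trace():
        print(verdict)
```

Nothing in the filter depends on rewriting the header: the same table, keyed on the inside host's real address, gives exactly the protection a NAPT box is credited with, and the one way to let unsolicited inbound traffic through is an explicit exception the owner configures.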