[82200] in North American Network Operators' Group
Re: mh (RE: OMB: IPv6 by June 2008)
daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Fri Jul 8 16:19:29 2005
In-Reply-To: <0d9f3b938ce3e5ce1827a53152971837@cisco.com>
Cc: NANOG list <nanog@merit.edu>
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Fri, 8 Jul 2005 20:58:53 +0200
To: Fred Baker <fred@cisco.com>
Errors-To: owner-nanog@merit.edu
On 8-jul-2005, at 19:34, Fred Baker wrote:
> A NAT, in that context, is a stateful firewall that changes the
> addresses, which means that the end station cannot use IPSEC to
> ensure that it is still talking with the same system on the
> outside. It is able to use TLS, SSH, etc as transport layer
> solutions, but those are subject to attacks on TCP such as RST
> attacks, data insertion, acknowledge hacking, and so on, and SSH
> also has a windowing problem (on top of TCP's window, SSH has its
> own window, and in large delay*bandwidth product situations SSH's
> window is a performance limit). In other words, a NAT is a man-in-
> the-middle attack, or is a device that forces the end user to
> expose himself to man-in-the-middle attacks.
>
:-)
> A true stateful firewall that allows IPSEC end to end doesn't
> expose the user to those attacks.
>
I of course couldn't resist, so:
!
! outbound: every permitted flow is mirrored into the reflexive list state-acl
ipv6 access-list out-ipv6-acl
 permit ipv6 any any reflect state-acl
!
! inbound: only traffic matching a mirrored entry gets in, the rest is logged and dropped
ipv6 access-list in-ipv6-acl
 evaluate state-acl
 deny ipv6 any any log
!
(don't try this at home, kids: that deny any is dangerous because it
blocks neighbor discovery)
Unfortunately, IPsec (ESP transport mode) isn't allowed back in:
%IPV6-6-ACCESSLOGNP: list in-ipv6-acl/20 denied 50 2001:1AF8:2:5::2 -> 2001:1AF8:6:0:20A:95FF:FEF5:246E, 29 packets
On second thought: how could it? The SPIs for outgoing and incoming
packets are different. I suppose it would be possible for the
stateful filter to snoop the ISAKMP protocol and install filter rules
based on the information found there, but that's obviously not what
happens.
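As an added illustration (not part of the original post or of IOS), the following toy model of the reflect/evaluate pair above keys its state on the per-flow field the router can see in the packet, ports for TCP/UDP and the SPI for ESP, which is why the reply SA with its own SPI never matches. Addresses, ports and SPIs are constructed.

```python
# Added example, not from the NANOG post: a toy model of the reflexive ACL
# above. State is keyed on what the router sees in the header; for ESP that
# is the SPI, so the reply SA (a different SPI) never matches the mirror.
# Addresses and SPIs below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: int           # 6 = TCP, 17 = UDP, 50 = ESP
    sport: int = 0       # TCP/UDP ports; unused for ESP
    dport: int = 0
    spi: int = 0         # ESP Security Parameter Index

class ReflexiveAcl:
    """'permit ipv6 any any reflect state-acl' outbound plus
    'evaluate state-acl' / 'deny ipv6 any any' inbound."""
    def __init__(self) -> None:
        self.state = set()

    @staticmethod
    def _key(p: Pkt) -> tuple:
        # Per-flow identifier visible in the header: ports, or the SPI.
        ident = p.spi if p.proto == 50 else (p.sport, p.dport)
        return (p.src, p.dst, p.proto, ident)

    def outbound(self, p: Pkt) -> None:
        # 'reflect': install the mirror image of the outgoing packet.
        ident = p.spi if p.proto == 50 else (p.dport, p.sport)
        self.state.add((p.dst, p.src, p.proto, ident))

    def inbound(self, p: Pkt) -> bool:
        # 'evaluate': permit if a mirrored entry exists, otherwise the
        # trailing 'deny ipv6 any any log' line drops the packet.
        return self._key(p) in self.state

INSIDE, OUTSIDE = "2001:db8:2:5::2", "2001:db8:6::1"   # constructed hosts

def tcp_reply_permitted() -> bool:
    acl = ReflexiveAcl()
    acl.outbound(Pkt(INSIDE, OUTSIDE, 6, sport=40000, dport=22))
    return acl.inbound(Pkt(OUTSIDE, INSIDE, 6, sport=22, dport=40000))

def esp_reply_permitted() -> bool:
    acl = ReflexiveAcl()
    # IKE gives each direction its own SPI (constructed values), so the
    # inbound packet carries 0x2002 while the mirrored entry holds 0x1001.
    acl.outbound(Pkt(INSIDE, OUTSIDE, 50, spi=0x1001))
    return acl.inbound(Pkt(OUTSIDE, INSIDE, 50, spi=0x2002))
```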