[82223] in North American Network Operators' Group
Re: mh (RE: OMB: IPv6 by June 2008)
daemon@ATHENA.MIT.EDU (Daniel Senie)
Sat Jul 9 09:41:06 2005
Date: Sat, 09 Jul 2005 09:40:16 -0400
To: David Andersen <dga+@cs.cmu.edu>
From: Daniel Senie <dts@senie.com>
Cc: nanog@merit.edu
In-Reply-To: <2a398393c84e52bfed36830e060cd193@cs.cmu.edu>
Errors-To: owner-nanog@merit.edu
At 03:51 PM 7/7/2005, David Andersen wrote:
>On Jul 7, 2005, at 3:41 PM, Andre Oppermann wrote:
>
>>
>>Fergie (Paul Ferguson) wrote:
>>>
>>>I'd have to counter with "the assumption that NATs are going
>>>away with v6 is a rather risky assumption." Or perhaps I
>>>misunderstood your point...
>>
>>There is one thing often overlooked with regard to NAT. That is,
>>it has prevented many network based worms for millions of home
>>users behind NAT devices. Unfortunately this fact is overlooked
>>all the time. NAT has its downsides but also upsides sometimes.
>
>Yes, but keep in mind that this benefit is completely unrelated to
>NAT's purpose as an address space extender. A stateful firewall
>with a very simple rule (permit anything originated from the inside,
>deny anything from outside except a few pesky protocols) would
>accomplish exactly the same goal.
Indeed, given that most NAT implementations combine the address
translation with stateful inspection (it's the simplest way to
implement NAPT, IMO), this is the case.
>And it would be much easier to punch holes through when you needed to.
No, it's the same. With a stateful inspection firewall operating as a
transparent bridge or as a router, you still need to specify which
protocols, ports and addresses to permit. It's exactly the same.
> From my perspective, the biggest benefit from home NAT devices is
> that they were a vehicle for delivering such a firewall to millions
> of Windows boxes. Unfortunately, this drug comes with a number of
> harmful side effects, including nausea, blurred vision, and the
> inability to deploy a number of new protocols.
The inability to deploy new protocols is exactly the same in many
cases for a stateful inspection box on public addresses vs. a
stateful inspection box doing NAT. The firewall must be aware of the
protocol to permit it at all, and if there's going to be any hope of
protecting the less secure equipment behind, those firewall devices
must understand the details of the protocol. That still requires the
vendor to do work.
Yes, the address translations still add another layer of trouble in
that passing endpoint identifiers (which unfortunately are the same
as IP addresses, given a lack of a host identification mechanism
other than IP address) creates problems for protocol developers.
However, in most cases a good protocol design can be arrived at which
does not run into these difficulties. Such ideas were documented some
time ago by the IETF NAT WG as information to protocol designers.
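The policy David Andersen sketches above (permit anything originated from the inside, deny unsolicited traffic from outside except a few protocols), and Daniel Senie's point that punching a hole is the same work with or without translation, as an added example that is not part of the thread: the same stateful core expressed as two nftables rulesets, one forwarding public addresses untouched and one doing NAPT. Interface names, addresses and the pinhole host are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: the thread's "permit anything
# originated from the inside, deny unsolicited from outside" policy as two
# nftables rulesets, with and without NAPT. Interfaces and addresses are
# constructed placeholders; rulesets are printed, not applied (needs root).

# Stateful core shared by both variants.
stateful_forward_rules() {
    cat <<'EOF'
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lan0" oifname "wan0" accept
        meta l4proto { icmp, icmpv6 } accept
EOF
}

# Variant 1: no translation; hosts keep public (IPv6) addresses.
# "Punching a hole" is one accept rule naming the real host.
ruleset_public() {
    cat <<EOF
table inet fw {
    chain forward {
$(stateful_forward_rules)
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8::10 tcp dport 22 accept
    }
}
EOF
}

# Variant 2: NAPT. Same stateful core plus masquerading; the pinhole now
# needs a DNAT rule as well as the forward accept, the extra NAT work.
ruleset_napt() {
    cat <<EOF
table ip fw {
    chain forward {
$(stateful_forward_rules)
        iifname "wan0" oifname "lan0" ip daddr 192.168.1.10 tcp dport 22 accept
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "wan0" tcp dport 22 dnat to 192.168.1.10
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
EOF
}
```

Run `ruleset_public` or `ruleset_napt` to print the ruleset; the forward chain (the part that actually protects the inside hosts) is identical in both, and the NAPT variant only adds translation rules on top of it.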