Interesting People mailing list archives
more on IPv6 Forum chief: the new Internet is ready for consumption
From: David Farber <dave () farber net>
Date: Mon, 28 Nov 2005 17:50:05 -0500
Begin forwarded message:

From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: November 28, 2005 5:14:38 PM EST
To: dave () farber net
Subject: Re: [IP] more on IPv6 Forum chief: the new Internet is ready for consumption

I get rather tired of hearing this myth -- that NATs are a security feature, and that IPv6 will be less secure than IPv4 if it doesn't have NATs. It's flat-out not true.

When a packet is emitted from the "inside" of a NAT box, some state is created, including source address and port number translation tables. When a packet arrives from the outside, the state table is consulted. If there is no state table entry, of the sort created by outgoing packets, the inbound packet is dropped. If the entry exists, some translations are done and the packet is forwarded.

Now, instead, consider a classic stateful packet filter. When a packet is emitted from the "inside", some state is created. When a packet arrives from the outside, the state table is consulted. If there is no state table entry, of the sort created by outgoing packets, the inbound packet is dropped. If the entry exists, the packet is forwarded.

In other words, the process and the security functionality are identical. The *only* difference is whether or not the translations are done. Evil packets still reach the gateway; security comes from this box consulting a state table. The translations have nothing whatsoever to do with it.

Whether or not v6 will create a too rich, unmanageable environment is a separate issue. I agree that we need much better tools for managing devices at scale, especially by naive users. I've stated, very publicly, that improving systems administration is one of the most important things we can do to improve security. I'm not at all persuaded that giving up on networked devices is at all desirable. The partial solution we have today is firewalls. I agree 100% that firewalls are far from the best way to work; see, for example, slide 3 of http://www.cs.columbia.edu/~smb/talks/security-e2e.pdf, or http://www.cs.columbia.edu/~smb/papers/distfw.html. But a NAT box is *not* a firewall; it merely shares some attributes in common with one.

--Steven M. 
Bellovin, http://www.cs.columbia.edu/~smb
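Bellovin's side-by-side comparison of the two state machines, as an added example that is not part of the original post: a toy stateful packet filter and a NAT box that subclasses it, where the only code the NAT adds is the translation step. Addresses and port numbers are constructed (RFC 5737 documentation ranges); the class and method names are this example's own.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str; sport: int; dst: str; dport: int

class StatefulFilter:
    """Outbound packets create state; inbound packets are forwarded only if matching state exists."""
    def __init__(self):
        self.state = set()  # (inside_host, inside_port, outside_host, outside_port)

    def outbound(self, pkt):
        self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt

    def inbound(self, pkt):
        # Drop unless an outgoing packet created state for exactly this flow
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) not in self.state:
            return None
        return pkt

class NatBox(StatefulFilter):
    """Identical state logic; the only addition is address/port translation."""
    def __init__(self, public_ip):
        super().__init__()
        self.public_ip, self.next_port, self.xlate = public_ip, 40000, {}

    def outbound(self, pkt):
        super().outbound(pkt)  # same state creation as the filter
        key = (pkt.src, pkt.sport)
        if key not in self.xlate:  # allocate one public port per inside flow
            self.xlate[key], self.next_port = self.next_port, self.next_port + 1
        return replace(pkt, src=self.public_ip, sport=self.xlate[key])

    def inbound(self, pkt):
        # Reverse the translation, then consult the state table exactly as the filter does
        inside = next((k for k, v in self.xlate.items() if v == pkt.dport), None)
        if pkt.dst != self.public_ip or inside is None:
            return None
        return super().inbound(replace(pkt, dst=inside[0], dport=inside[1]))

def demo():
    """Run identical traffic through both boxes (constructed RFC 5737 addresses)."""
    results = {}
    for name, box in (("filter", StatefulFilter()), ("nat", NatBox("203.0.113.5"))):
        out = box.outbound(Packet("10.0.0.2", 5555, "198.51.100.9", 80))  # inside -> web server
        reply = box.inbound(Packet(out.dst, out.dport, out.src, out.sport))  # legitimate reply
        evil = box.inbound(Packet("192.0.2.66", 1234, out.src, 22))  # unsolicited inbound probe
        results[name] = {"as_seen_outside": f"{out.src}:{out.sport}", "unsolicited": evil,
                         "reply": reply and f"{reply.dst}:{reply.dport}"}
    return results
```

Both boxes deliver the reply to the inside host and drop the unsolicited probe; the only observable difference is the source address and port the outside world sees.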