nanog mailing list archives
Re: IPv6 NAT
From: Owen DeLong <owen () delong com>
Date: Fri, 31 Oct 2003 08:03:18 -0800
--On Friday, October 31, 2003 7:35 AM -0600 Stephen Sprunk <stephen () sprunk org> wrote:
> Thus spake "Tony Hain" <alh-ietf () tndh net>
>> Kuhtz, Christian wrote:
>>> All hairsplitting aside, given that the term NAT these days is mostly used
>>> in a PAT (particularly in a customer connecting to the I) context, what
>>> isn't secure about?
>>
>> mangling the header doesn't provide any security, and if you believe it
>> does, do the following exercise:
>
> Mangling the header does not, but the stateful inspection and blocking used
> by a dynamic NAT/NAPT certainly does.
The point is that the stateful inspection/blocking can be achieved without NAT/PAT/NAPT.
>> A stateful filter that is automatically populated by traffic originated from
>> the private side is what is providing 'security'. That function existed in
>> routers long before NAT was specified by the IETF (see RFC1044 for vendor).
>
> True. But consumers can't buy a RFC1044 device off the shelf today; what they
> can buy are generic NAT/NAPT devices which provide a minimal firewalling
> function _iff_ the user doesn't intentionally create holes. While it'd be nice
> if these devices didn't _require_ NAT/NAPT for their minimal operating mode,
> that's the configuration that is most likely to work in the setting it's
> intended for.
I'm not sure about RFC1044, but, it's relatively easy to buy lots of devices
that will do stateful inspection without NAT off the shelf. Any version of
*NIX with iptables or ipchains, some Cisco routers, various Checkpoint software
products, Cyberguard firewalls, Nokia, Sonic, Netscreen, NetGuard, and others
all support stateful inspection with or without NAT/PAT/NAPT.

There is NO security benefit to NAT/PAT/NAPT. There is a security benefit to
stateful inspection. NAT is harmful to many protocols. Stateful inspection is
not.

Owen

--
If it wasn't signed, it probably didn't come from me.
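To illustrate the point made in this thread, here is an nftables ruleset, added for this archive page and not part of any post, that gives an IPv6 site the "automatically populated" stateful filter without any NAT. It assumes hypothetical interface names wan0 (provider side) and lan0 (inside), and uses the 2001:db8:1::/64 documentation prefix as a placeholder for the routed inside prefix.

```nft
#!/usr/sbin/nft -f
# Added example for this page, not from the thread or any vendor.
# Assumptions: wan0 faces the provider, lan0 faces the inside network,
# and 2001:db8:1::/64 (documentation prefix, placeholder) is the inside prefix.
flush ruleset

table ip6 filter {
    chain forward {
        # Default deny for transit traffic; nothing below rewrites an address.
        type filter hook forward priority filter; policy drop;

        # Packets that match no known flow and are not a valid start of one.
        ct state invalid drop

        # Replies to flows the inside opened. This is the entry the state
        # table created when the inside host sent its first packet; the
        # conntrack table, not address mangling, is what admits the reply.
        ct state established,related accept

        # Inside hosts may open new flows toward the provider.
        iifname "lan0" oifname "wan0" ip6 saddr 2001:db8:1::/64 ct state new accept

        # IPv6 depends on these ICMPv6 messages for path MTU discovery and
        # error reporting; dropping them breaks connectivity silently.
        iifname "wan0" icmpv6 type {
            destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem
        } accept

        # Unsolicited inbound connection attempts fall through to policy drop.
    }
}
```

Load it with `nft -f <file>` and inspect the live state table with `conntrack -L -f ipv6` to see the entries that inside-originated traffic creates.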