nanog mailing list archives
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
From: James Hess <mysidia () gmail com>
Date: Tue, 27 Apr 2010 18:36:32 -0500
On Tue, Apr 27, 2010 at 4:25 PM, Jon Lewis <jlewis () lewis org> wrote:
breaks. i.e. they'll know it's broken. When they change the default policy on the firewall to Accept/Allow all, everything will still work...until all their machines are infected with enough stuff to break them.
The same is true with IPv4 + NAT, in terms of real-world net security, because security attacks against end-user equipment commonly come from either an e-mail message the user is expected to errantly click on, or a malicious website designed to exploit the latest $MsOffice_Acrobat_Javascript_OR_Flash_Vuln_DU_Jour. If a user accidentally turns off their outbound filtering software, even the IPv4 user behind a NAT setup still has a pretty bad security posture.

Fortunately, the IPv6 address space is so large and sparse that scanning it would be quite a feat, even if a random outside attacker already knew for a fact that a certain /64 probably contains a vulnerable host. Scanning IPv6 addresses by brute force is as computationally hard as figuring out the 16-bit port number pairs of an IPv4 NAT user's open connection, in order to fool their NAT device and partially hijack the user's HTTP connection and inject malicious code into their stream.

By the way, if an attacker actually can figure out the port number pairs of a session recognized by the NAT device, the illusion of "security" offered by the NAT setup potentially starts to crumble.... Either way it's 32 bits to be guessed within a fairly limited timeframe.

--
-J
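The two search spaces the message above compares, worked through as an added example (this is not code from the post or from the NANOG archive): expected brute-force time to hit one host in an IPv6 /64 versus guessing the 32-bit NAT port pair. The probe rate (one million per second), the documentation prefix 2001:db8:1:2::/64 and the MAC 00:1b:21:ab:cd:ef are constructed inputs. The modified-EUI-64 case is included as a caveat the post does not raise: the 64-bit figure only holds when interface identifiers are unpredictable, and a MAC-derived identifier with a known vendor OUI leaves just 24 bits to guess.

```python
"""
Brute-force search space for (a) one host in an IPv6 /64 and (b) the 16-bit
port pair of an IPv4 NAT session. Added example; not from the mailing-list post.
"""
import secrets
from ipaddress import IPv6Address, IPv6Network

NAT_PORT_PAIR_BITS = 32   # two 16-bit port numbers, as the post counts them


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, App. A):
    flip the U/L bit (0x02) of the first octet and insert ff:fe in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    first = octets[0] ^ 0x02
    iid = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def random_iid() -> int:
    """Randomised (privacy-extension style) interface identifier: 64 unpredictable bits."""
    return secrets.randbits(64)


def address_in(prefix: str, iid: int) -> str:
    """Place a 64-bit interface identifier into a /64 prefix."""
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64")
    return str(IPv6Address(int(net.network_address) | iid))


def unknown_bits(iid_scheme: str, known_oui: bool = False) -> int:
    """Bits an outside attacker must guess to hit one host in a /64.
    'random': all 64 IID bits.
    'eui64' : the 48 MAC bits, or only the 24 device bits when the vendor OUI
              is known (the ff:fe filler and the U/L flip cost nothing)."""
    if iid_scheme == "random":
        return 64
    if iid_scheme == "eui64":
        return 24 if known_oui else 48
    raise ValueError(iid_scheme)


def expected_seconds(bits: int, probes_per_second: float) -> float:
    """Mean time to find a single target by uniform guessing over a 2**bits space:
    on average half the space has to be tried."""
    return (2 ** bits / 2) / probes_per_second


def compare(probes_per_second: float = 1e6) -> dict:
    """Expected brute-force time, in seconds, for each search space at one probe rate."""
    return {
        "ipv6_random_iid": expected_seconds(unknown_bits("random"), probes_per_second),
        "ipv6_eui64_unknown_vendor": expected_seconds(unknown_bits("eui64"), probes_per_second),
        "ipv6_eui64_known_vendor": expected_seconds(unknown_bits("eui64", True), probes_per_second),
        "nat_port_pair": expected_seconds(NAT_PORT_PAIR_BITS, probes_per_second),
    }


if __name__ == "__main__":
    prefix = "2001:db8:1:2::/64"                       # documentation prefix (constructed)
    print(address_in(prefix, eui64_iid("00:1b:21:ab:cd:ef")))   # MAC-derived address
    print(address_in(prefix, random_iid()))                      # randomised address
    for name, secs in compare().items():
        print(f"{name:28s} {secs:12.3g} s  ({secs / 31_557_600:.3g} years)")
```

At a million probes per second the random-IID /64 and the NAT port pair differ by a factor of 2^32: about 2,147 seconds for the port pair against roughly 292,000 years for the /64. Swap in a MAC-derived identifier with a known OUI and the /64 falls to about 8 seconds, which is why the sparseness argument belongs to the addressing scheme, not to IPv6 as such.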