nanog mailing list archives
Re: Failure modes: NAT vs SPI
From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Mon, 7 Feb 2011 09:50:55 +0100
On 4 feb 2011, at 22:02, Dave Cardwell wrote:
Without wanting to get into whether NAT provides security to hosts that exist on the inside, I am curious if the potential to overflow ND caches with incomplete* entries exists on currently shipping CPE hardware and if NAT helps prevent this?
e.g. In v4 with a /24 on the inside an attacker can send a single packet to each consecutive address, causing at most 254 ARP requests to be sent on the LAN segment and up to 253 incomplete entries, until they time out. In v6 with a /64 on the inside it seems like the same tactic would lead to more outstanding ND requests than any realistically sized cache would support.
Ok, I had a hard time making up my mind whether a sarcastic or a factual response was in order... This is of course a very big problem, and one of the reasons why everyone who's tried IPv6 immediately turns it off again: script kiddies are continuously scanning the entire IPv6 address space so this happens to regular IPv6 users all the time. Since this is a problem that is inherent to the ND protocol that is impossible to fix without modifying the IPv6 standards significantly, the easiest way to solve this with the least amount of impact to applications, the ability to host services and the end-to-end model in particular is to use a single public IPv6 address and NAT all local stuff behind it. (BTW, there have been some discussions on NAT66 in the IETF, but that wouldn't be a port overloading 1-to-many NAT, but rather a 1-to-1 NAT, because with IPv6, there obviously isn't any reason to use address sharing. The thinking is that such a 1-to-1 NAT is less harmful than a port overloading 1-to-many NAT so it would be beneficial to specify the former to avoid the latter. But many people within the IETF don't support that strategy.)
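The cache behaviour the quoted question describes, as an added illustration that is not part of this thread and models no particular vendor's CPE: a toy neighbour cache that forwards to resolved entries and creates an INCOMPLETE entry for every unknown on-link address it is asked to reach. Sweeping a /24 creates at most 254 unresolved entries; sweeping even a tiny slice of a /64 fills a fixed-size cache and, with naive oldest-first eviction, pushes out a legitimately resolved neighbour. The second cache shows one mitigation modelled here as an assumption (a separate, smaller ceiling on unresolved entries so that a sweep cannot evict resolved ones); the addresses, MAC and capacity values are constructed for the example.

```python
import ipaddress
from collections import OrderedDict


class NeighborCache:
    """Toy model of a router's on-link neighbour cache (IPv4 ARP or IPv6 ND).

    entries maps address -> link-layer address, or None while the entry is
    INCOMPLETE (solicitation sent, no reply yet). `capacity` bounds the whole
    table; `max_incomplete` is an assumed mitigation: a smaller ceiling on
    unresolved entries only. None means no such ceiling.
    """

    def __init__(self, capacity=1024, max_incomplete=None):
        self.entries = OrderedDict()
        self.capacity = capacity
        self.max_incomplete = max_incomplete
        self.dropped = 0   # packets refused because the INCOMPLETE ceiling was hit
        self.evicted = 0   # entries thrown out because the whole table was full

    def learn(self, addr, mac):
        """A neighbour answered (or advertised): the entry becomes resolved."""
        self.entries[addr] = mac
        self.entries.move_to_end(addr)

    def is_resolved(self, addr):
        return self.entries.get(addr) is not None

    def incomplete_count(self):
        return sum(1 for mac in self.entries.values() if mac is None)

    def forward_to(self, addr):
        """The router receives a packet for on-link `addr`.

        Returns 'forwarded' (resolved entry), 'queued' (already being resolved),
        'solicit' (new INCOMPLETE entry created) or 'dropped' (ceiling reached).
        """
        if addr in self.entries:
            self.entries.move_to_end(addr)
            return "forwarded" if self.entries[addr] is not None else "queued"
        if self.max_incomplete is not None and self.incomplete_count() >= self.max_incomplete:
            self.dropped += 1
            return "dropped"
        if len(self.entries) >= self.capacity:
            # Naive oldest-first eviction: this is what lets a sweep of unknown
            # addresses push out a resolved, legitimate neighbour.
            self.entries.popitem(last=False)
            self.evicted += 1
        self.entries[addr] = None
        return "solicit"


def sweep(cache, prefix, count):
    """One packet to each of the first `count` host addresses in `prefix`;
    returns a histogram of what the cache did with them."""
    net = ipaddress.ip_network(prefix)
    base = int(net.network_address)
    stats = {}
    for i in range(1, count + 1):
        result = cache.forward_to(str(ipaddress.ip_address(base + i)))
        stats[result] = stats.get(result, 0) + 1
    return stats


def compare(sweep_size=10000, capacity=1024, cap=256):
    """Sweep part of a /64 against a cache with and without an INCOMPLETE
    ceiling; report unresolved entries and whether a known neighbour survived."""
    known = "2001:db8::1"                      # constructed neighbour address
    unbounded = NeighborCache(capacity=capacity)
    capped = NeighborCache(capacity=capacity, max_incomplete=cap)
    report = {}
    for name, cache in (("unbounded", unbounded), ("capped", capped)):
        cache.learn(known, "00:00:5e:00:53:01")   # constructed MAC
        sweep(cache, "2001:db8::/64", sweep_size)
        report[name] = {
            "incomplete": cache.incomplete_count(),
            "known_neighbour_resolved": cache.is_resolved(known),
            "evicted": cache.evicted,
            "dropped": cache.dropped,
        }
    return report


if __name__ == "__main__":
    print("IPv4 /24 sweep:", sweep(NeighborCache(), "192.0.2.0/24", 254))
    for name, stats in compare().items():
        print(name, stats)
```

The IPv4 case is self-limiting because the sweep runs out of addresses before the table fills; in the /64 case the sweep never runs out, so the only thing that bounds the damage is a policy inside the cache itself, which is why the question about what shipping CPE actually does is the right one to ask.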