nanog mailing list archives

Re: misunderstanding scale


From: Owen DeLong <owen () delong com>
Date: Mon, 24 Mar 2014 20:22:10 -0700


On Mar 24, 2014, at 10:35 AM, Laszlo Hanyecz <laszlo () heliacal net> wrote:

> On Mar 24, 2014, at 5:05 PM, "Patrick W. Gilmore" <patrick () ianai net> wrote:
>
>> On Mar 24, 2014, at 12:21, William Herrin <bill () herrin us> wrote:
>>
>>> On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve <SNaslund () medline com> wrote:
>>>
>>>> I am not sure I agree with the basic premise here. NAT or Private addressing does not equal security.
>>>
>>> Many of the folks you would have deploy IPv6 do not agree. They take
>>> comfort in the mathematical impossibility of addressing an internal
>>> host from an outside packet that is not part of an ongoing session.
>>> These folks find that address-overloaded NAT provides a valuable
>>> additional layer of security.
>>>
>>> Some folks WANT to segregate their networks from the Internet via a
>>> general-protocol transparent proxy. They've had this capability with
>>> IPv4 for 20 years. IPv6 poorly addresses their requirement.
>
> It's unfortunate that it is the way it is, but many enterprise people have this ingrained in them - they don't want
> to be connected to the internet except for a few exceptions.  Just the fact that they can't ping their machines gives
> them a warm and fuzzy.  In a run-of-the-mill default NAT setup, you can deploy a network printer with no security and
> nobody from the internet can print to it.  It's default deny, even without setting anything else up, by virtue of not
> being on the internet and not having an address.  I know there are ways to subvert a NAT but that applies to
> perimeter and host firewalls too.  IPv6 global numbers are great for those of us that actually want to connect to the
> internet, but enterprise people with rfc1918 numbering have gotten used to being disconnected, and while most of us
> know that it's trivial to firewall IPv6, it's still a big jump from using a NAT/proxy to being 'on the internet'.
> It's even more complex if it's only halfway and there are two different protocols to manage.

This mindset is why so many printers are delivering copies of everything printed to $badguy without the knowledge of
many IT departments.

You may not be able to print to it, but really, if you had access to a random printer somewhere, how many people would
really want to print to it?

In my experience, having had such a device on line as an experiment for several years, it’s a very small number. In
more than 5 years with such a device on line with no NAT, no packet filter, nothing, only 3 print jobs came in from
unauthorized users. Lots of other things were done to the printer to try and get it to do various things a printer just
shouldn’t do.

Now, just having the printer behind NAT doesn’t prevent that, because likely someone who has access to the printer
inside the organization will download some piece of malware that reprograms the printer as desired, eliminating the
need to compromise the printer through the NAT.

> People will always resist change, and in this case, why should they change when it's only going to make their job
> harder?  Makes sense to me, but I wish it weren't that way.  They will probably just find ways to proxy and NAT IPv6
> too, so that it fits the IPv4 model with 'private' addresses.

I suppose it’s possible, but I think, so far, education actually seems to be making progress. Please don’t give up hope
yet.

Owen
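The thread's technical point is that the "default deny" an enterprise gets from a run-of-the-mill NAT is really a property of the connection-state table, not of the address translation, and that a stateful IPv6 firewall gives the same result on global addresses. The ruleset below is an added example for an IPv6 edge router; it is not part of this thread and not any participant's configuration. The interface names lan0/wan0, the LAN prefix 2001:db8:1::/64 (documentation range) and the printer address 2001:db8:1::20 are assumptions constructed for the illustration.

```nft
#!/usr/sbin/nft -f
# Added example: stateful default-deny for an IPv6 edge router.
# Unsolicited inbound traffic is dropped exactly as it would be behind a
# default NAT, but every LAN host keeps its global address.
# Assumptions: LAN on lan0 (2001:db8:1::/64), upstream on wan0,
# network printer at 2001:db8:1::20 (all constructed for this example).

flush ruleset

table ip6 edge {
    # Hosts that must never be reachable from the outside, even if someone
    # later adds an accept rule to expose a different LAN host.
    set never_inbound {
        type ipv6_addr
        elements = { 2001:db8:1::20 }   # constructed: the network printer
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Belt and braces: an explicit, counted drop for the printer from
        # the outside, placed before any accept rule so a later edit cannot
        # accidentally expose it.
        iifname "wan0" ip6 daddr @never_inbound counter drop

        # Replies to sessions the LAN initiated. This is the part a NAT
        # provides implicitly; here it is the only inbound path.
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 errors are required for path MTU discovery on IPv6;
        # dropping them breaks connectivity without adding security.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # LAN hosts may initiate anything outbound.
        iifname "lan0" oifname "wan0" ip6 saddr 2001:db8:1::/64 accept

        # Everything else, including new inbound sessions from wan0,
        # falls through to the chain policy and is dropped.
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Neighbour discovery and router advertisement/solicitation must
        # pass or IPv6 on the router itself stops working.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert } accept
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem, echo-request } accept

        # Management of the router from the LAN side only (constructed: SSH).
        iifname "lan0" tcp dport 22 accept
    }
}
```

Load it with `nft -f` and inspect the counters with `nft list ruleset`; the `counter` on the printer rule is what lets an operator see attempts from the outside, which is the visibility a NAT never gave. Note that, as Owen points out above, none of this helps against a LAN host that has already been compromised and talks to the printer from inside; that traffic never crosses the forward chain, so host hardening and segmentation of the printer VLAN remain separate work.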