nanog mailing list archives
Re: Redploying most of 127/8 as unicast public
From: William Herrin <bill () herrin us>
Date: Sun, 21 Nov 2021 14:09:29 -0800
On Sat, Nov 20, 2021 at 7:16 PM Owen DeLong via NANOG <nanog () nanog org> wrote:
> This is a common fallacy… The real concept here isn’t “universal reachability”, but universal transparent addressing. Policy then decides about reachability. Think stateful firewall without NAT. If you want to allow the incoming connection, you simply permit it rather than having to set up some sort of convoluted port forward. You can allow open access to a hardened host entirely, or you can open specific ports. What you don’t have to do is carefully map a limited number of external ports to each be forwarded to a particular port on a particular internal destination host because you aren’t recycling the one and only public address that all the incoming packets have to first land on; each host has its own address that you can simply enable. So again, how is port forwarding better than this? (It isn’t.)
Hi Owen,

This has been hashed and rehashed on this group about a gajillion times, but for the sake of those who are new:

Firewalls are programmed by people. People make mistakes. Lots of mistakes. 1:1 stateful firewalls and 1:many stateful firewalls (NAT) behave differently in the face of those mistakes.

When 1:1 stateful firewalls are mistakenly told to pass all traffic, they faithfully do so, exposing unhardened hosts directly to the Internet.

When 1:many stateful firewalls (NAT) are mistakenly told to pass all traffic, they can't do so. They don't have enough information to decide which interior host to send a packet to, so they simply break.

One fails as a security perimeter breach. The other fails as a system down. Pick which security posture you prefer, but they're very much not the same. A knocked-over fence versus a lost padlock key, and well into the zombie apocalypse.

Regards,
Bill Herrin

--
William Herrin
bill () herrin us
https://bill.herrin.us/
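The fail-open versus fail-closed difference Bill describes, as an added example that is not part of the thread: a toy Python model of a 1:1 stateful firewall and a 1:many NAT gateway, both handed the same mistaken "permit everything inbound" rule. The addresses, ports, class names and table layouts are constructed for the demonstration, not taken from any real product.

```python
# Added example (not from the thread): a toy model of both devices under the same
# mistaken "permit everything inbound" rule. Addresses, ports and the flow-table
# layout are constructed for the demonstration.
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFirewall:
    """1:1 stateful firewall: each interior host has its own public address."""
    def __init__(self, interior, permit_all_inbound=False):
        self.interior, self.permit_all_inbound, self.flows = set(interior), permit_all_inbound, set()
    def outbound(self, pkt):
        self.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))  # remember the flow

    def inbound(self, pkt):
        # Return the interior host that receives pkt, or None if it is dropped.
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.flows:
            return pkt.dst  # reply to an established flow
        if self.permit_all_inbound and pkt.dst in self.interior:
            return pkt.dst  # policy error: the unsolicited packet reaches the host
        return None

class NatGateway:
    """1:many stateful NAT: one public address shared by all interior hosts."""
    def __init__(self, public, permit_all_inbound=False):
        self.public, self.permit_all_inbound, self.table = public, permit_all_inbound, {}
    def outbound(self, pkt, ext_port):
        self.table[(pkt.dst, pkt.dport, ext_port)] = (pkt.src, pkt.sport)  # translation entry

    def inbound(self, pkt):
        if pkt.dst != self.public:
            return None
        entry = self.table.get((pkt.src, pkt.sport, pkt.dport))
        if entry:
            return entry[0]  # reply to a translated flow
        # permit_all_inbound cannot help: with no translation entry the gateway has
        # no interior destination for the packet, so the same mistake fails closed.
        return None

def compare_misconfiguration():
    """Same permit-all mistake on both devices; return who receives an unsolicited packet."""
    fw = StatefulFirewall({"203.0.113.10"}, permit_all_inbound=True)
    nat = NatGateway("203.0.113.1", permit_all_inbound=True)
    to_host = Packet("198.51.100.7", 40000, "203.0.113.10", 8080)
    to_nat = Packet("198.51.100.7", 40000, "203.0.113.1", 8080)
    return fw.inbound(to_host), nat.inbound(to_nat)  # -> ('203.0.113.10', None)
```

The 1:1 firewall delivers the unsolicited packet to the interior host (perimeter breach), while the NAT gateway drops it for lack of a mapping (system down), which is the asymmetry the post argues about.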