Re: IPv6 uptake (was: The Reg does 240/4)

[Michael Thomas <mike () mtcc com>]

On 2/16/24 6:33 PM, William Herrin wrote:
> On Fri, Feb 16, 2024 at 6:10 PM Ryan Hamel <ryan () rkhtech org> wrote:
> > Depending on where that rule is placed within your ACL, yes that can happen with *ANY* address family.
> Hi Ryan,
>
> Correct. The examples illustrated a difference between a firewall
> implementing address-overloaded NAT and a firewall implementing
> everything except the address translation. Either example could be
> converted to the other address family and it would work the same way.
>
> > All things aside, I agree with Dan that NAT was never
> > ever designed to be a security tool. It is used because
> > of the scarcity of public address space, and it provides
> > a "defense" depending on how it is implemented, with
> > minimal effort. This video tells the story of NAT and the
> > Cisco PIX, straight from the creators
> > https://youtu.be/GLrfqtf4txw
> NAT's story, the modern version of NAT when we talk about IPv4
> firewalls, started in the early '90s with the Gauntlet firewall. It
> was described as a transparent application layer gateway. Gauntlet
> focused on solving enterprise security issues. Gauntlet's technology
> converged with what was then 1:1 NAT to produce the address-overloaded
> NAT like what later appeared in the Cisco PIX (also first and foremost
> a security product) and is present in all our DSL and cable modems
> today.
>
> Security came first, then someone noticed it'd be useful for address
> conservation too. Gauntlet's customers generally had or could readily
> get a supply of public IP addresses. Indeed, when Gauntlet was
> released, IP addresses were still available from
> hostmaster () internic net at zero cost and without any significant
> documentation. And Gauntlet was expensive: folks who couldn't easily
> obtain public IP addresses also couldn't afford it.

Funny, I don't recall Bellovin and Cheswick's Firewall book discussing 
NAT. That was sort of the go-to book for hard-on-the-outside 
soft-on-the-inside defense. Maybe they were unaware of this, or maybe 
they didn't agree with the premise. I didn't hear about NAT until the 
late 90's, iirc. I've definitely not heard of Gauntlet.

As I recall, it was very much an afterthought with cable/DOCSIS to use 
NAT to conserve addresses. The headend DHCP server just gave public 
addresses to whoever asked. DOCSIS CPE at that time was just an L2 
modem. NAT traversal absolutely was not on the table with Packetcable 
back in the late 90's, and believe me we were very concerned about the 
security of MGCP since it was UDP based.

Which is to say that NAT came around to preserve address space. Any 
security properties were sort of a post-hoc rationalization and hotly 
debated given all the things NAT broke.

Mike