Firewall Wizards mailing list archives
Re: IPv6 support in firewalls
From: "Patrick M. Hausen" <hausen () punkt de>
Date: Mon, 27 Aug 2007 20:47:18 +0200
Hi!

On Mon, Aug 27, 2007 at 01:24:54PM -0400, Dave Piscitello wrote:

>> First you should not rely on NAT as a security measure, anyway, because it isn't.
>
> I advocate using every measure possible to provide security. IP masquerading helps thwart information gathering. I would never suggest using NAT as the only security measure. By IP masquerading, I avoid having a RIR identify the address blocks I use internally, as they would if I were to use public space. Explain why you feel this is wrong?
I don't feel this is wrong, I think good security practice should be to make it unnecessary by design. The security of a cipher should not depend on the secrecy of the algorithm. The security of a network should not depend on the secrecy of the structure, because sooner or later secrets will be no longer. A bit of social engineering, a fired insider, ... holds for ciphers and for networks, IMHO. And I mean *should* as in RFC language, not as in common English ;-)
>> Third, this is the _only_ way to get rid of the "net 10 considered harmful" nightmare
>
> It's only a nightmare for people who do not exercise discipline in assigning addresses.
OK, so please hand me a list of the RFC 1918 networks of all third parties that I will need to connect to in the next ten years. Your crystal ball seems to be working a lot better than mine ;-)) No insult intended, honestly, but I don't buy the "discipline" argument. Different enterprises need to connect as business dictates, possibly tomorrow. And double NATing and proxying makes things worse, not better. As I said, SAP is already using addresses from their RIPE assigned allocation for their strictly internal VPN connections to customers. That would be "Oracle" for you American guys ;-) Biggest German software company ...
> I could just as easily err with public addresses and assign the same block of addresses to multiple sites.
Yes you can. But then it's your fault. And if the successor of the successor for your former position gets it wrong, then either you or the first successor did not document properly. But the addresses of arbitrary peers are strictly outside of my control ... Unique addresses for every single device. You can still hide them behind a proxy if you feel like it. That's the additional benefit. You can decide which hosts to expose and which ones to hide. With at least a /48 assigned to every end user, there's plenty of maneuver room. Compare that to an IPv4 /29 for your uplink and all of a sudden a 7th department wants a server with port 80 exposed to the Internet.
>> IMHO these are the combined reasons to start over and kill NAT forever.
>
> Won't happen in my lifetime, nor my children's lifetime.
Time will tell ;-) I won't bet more than, say, a cask of beer on my position, but I strongly feel like it was The Right Thing [tm] and NAT was a cheap hack that has been far too successful.

Kind regards,
Patrick M. Hausen
Leiter Netzwerke und Sicherheit
--
punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info () punkt de
http://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
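The partner-address-collision problem Patrick describes (you cannot predict which RFC 1918 ranges a third party you must connect to tomorrow already uses), as an added example that is not part of the original thread: a Python check over constructed sample address plans that reports every overlap between your internal ranges and a partner's before a VPN is brought up, and shows that globally unique IPv6 /48s produce none. The plan names and ranges are invented for illustration.

```python
import ipaddress
from itertools import combinations

# RFC 1918 private IPv4 space; overlaps here are what force double NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    """True if the given network (string or object) lies inside RFC 1918 space."""
    net = ipaddress.ip_network(str(net))
    return net.version == 4 and any(net.subnet_of(p) for p in RFC1918)


def address_plan_conflicts(plans):
    """plans: dict of site name -> list of network strings.

    Returns a list of (site_a, site_b, net_a, net_b) tuples for every pair of
    networks from different sites that overlap. Only same-version networks are
    compared; an empty list means the sites can be interconnected without NAT.
    """
    parsed = {name: [ipaddress.ip_network(n) for n in nets]
              for name, nets in plans.items()}
    conflicts = []
    for (a, nets_a), (b, nets_b) in combinations(parsed.items(), 2):
        for na in nets_a:
            for nb in nets_b:
                if na.version == nb.version and na.overlaps(nb):
                    conflicts.append((a, b, str(na), str(nb)))
    return conflicts


# Constructed sample plans: three organisations that all picked from net 10.
IPV4_PLANS = {
    "us":        ["10.0.0.0/16", "192.168.1.0/24"],
    "partner_a": ["10.0.5.0/24"],
    "partner_b": ["172.16.0.0/16", "10.1.0.0/16"],
}

# Constructed sample plans using globally unique IPv6 /48 assignments (documentation prefix).
IPV6_PLANS = {
    "us":        ["2001:db8:1::/48"],
    "partner_a": ["2001:db8:2::/48"],
    "partner_b": ["2001:db8:3::/48"],
}

if __name__ == "__main__":
    for label, plans in (("IPv4", IPV4_PLANS), ("IPv6", IPV6_PLANS)):
        found = address_plan_conflicts(plans)
        print(f"{label}: {len(found)} conflict(s)")
        for a, b, na, nb in found:
            print(f"  {a} {na} overlaps {b} {nb} (RFC 1918: {is_rfc1918(na)})")
```

Run it against your own and a partner's exported ranges before agreeing on tunnel routes; any tuple it prints is a place where one side will have to NAT or renumber.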