Re: IPv6 support in firewalls

["Patrick M. Hausen" <hausen () punkt de>]

Hi!

On Mon, Aug 27, 2007 at 01:24:54PM -0400, Dave Piscitello wrote:

> > First you should not rely on NAT as a security measure, anyway,
> > because it isn't.
>
>  I advocate using every measure possible to provide security. IP masquerading 
>  helps thwart information gathering. I would never suggest using NAT as the 
>  only security measure. By IP masquerading, I avoid having a RIR identify the 
>  address blocks I use internally, as they would if I were to use public 
>  space. Explain why you feel this is wrong?

I don't feel this is wrong, I think good security practice
should be to make it unnecessary by design. The security
of a cipher should not depend on the secrecy of the algorithm.

The security of a network should not depend on the secrecy of
the structure, because sooner or later secrets will be no longer.

A bit of social engineering, a fired insider, ... holds for
ciphers and for networks, IMHO. And I mean *should* as in
RFC language, not as in common English ;-)

> > Third, this is the _only_ way to get rid of the "net 10 considered
> > harmful" nightmare 
>
> It's only a nightmare for people who do not exercise discipline
> in assigning addresses.

OK, so please hand me a list of the RFC 1918 networks of all
third parties that I will need to connect to in the next ten
years. Your crystal ball seems to be working a lot better than
mine ;-)) No insult intended, honestly, but I don't buy the
"discipline" argument. Different enterprises need to connect
as business dictates, possibly tomorrow. And double NATing
and proxying makes things worse, not better.

As I said, SAP is already using addresses from their RIPE assigned
allocation for their strictly internal VPN connections to customers.
That would be "Oracle" for you American guys ;-) Biggest German
software company ...

> I could just as easily err with public addresses and assign the 
> same block of addresses to multiple sites.

Yes you can. But then it's your fault. And if the successor of
the successor for your former position gets it wrong, then either
you or the first successor did not document properly.

But the addresses of arbitraty peers are strictly outside of
my control ...

Uniqe addresses for every single device. You can still hide
them behind a proxy if you feel like it. That's the additional
benefit. You can decide which hosts to expose and which ones
to hide. With at least a /48 assigned to every end user, there's
plenty of maneuver room.

Compare that to an IPv4 /29 for your uplink and all of a sudden a
7th department wants a server with port 80 exposed to the
Internet.

> > IMHO theses are the combined reasons to start over and
> > kill NAT forever.
>
>  Won't happen in my lifetime, nor my childrens' lifetime.

Time will tell ;-) I won't bet more than, say, a cask of
beer on my position, but I strongly feel like it was
The Right Thing [tm] and NAT was a cheap hack that has
been far too successful.

Kind regards,
Patrick M. Hausen
Leiter Netzwerke und Sicherheit
-- 
punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info () punkt de       http://www.punkt.de
Gf: Jürgen Egeling      AG Mannheim 108285
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards