nanog mailing list archives
Re: mh (RE: OMB: IPv6 by June 2008)
From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Fri, 8 Jul 2005 20:58:53 +0200
On 8-jul-2005, at 19:34, Fred Baker wrote:
> A NAT, in that context, is a stateful firewall that changes the addresses, which means that the end station cannot use IPSEC to ensure that it is still talking with the same system on the outside. It is able to use TLS, SSH, etc as transport layer solutions, but those are subject to attacks on TCP such as RST attacks, data insertion, acknowledge hacking, and so on, and SSH also has a windowing problem (on top of TCP's window, SSH has its own window, and in large delay*bandwidth product situations SSH's window is a performance limit). In other words, a NAT is a man-in-the-middle attack, or is a device that forces the end user to expose himself to man-in-the-middle attacks.
:-)
> A true stateful firewall that allows IPSEC end to end doesn't expose the user to those attacks.
I of course couldn't resist, so:

!
ipv6 access-list out-ipv6-acl
 permit ipv6 any any reflect state-acl
!
ipv6 access-list in-ipv6-acl
 evaluate state-acl
 deny ipv6 any any log
!

(don't try this at home, kids: that deny any is dangerous because it blocks neighbor discovery)

Unfortunately, IPsec (ESP transport mode) isn't allowed back in:

%IPV6-6-ACCESSLOGNP: list in-ipv6-acl/20 denied 50 2001:1AF8:2:5::2 -> 2001:1AF8:6:0:20A:95FF:FEF5:246E, 29 packets
On second thought: how could it? The SPIs for outgoing and incoming packets are different. I suppose it would be possible for the stateful filter to snoop the ISAKMP protocol and install filter rules based on the information found there, but that's obviously not what happens.
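As an added illustration of the SPI point made in the post above (this is constructed example code, not the post's config or any vendor's implementation): a toy reflexive ACL in Python that mirrors the outgoing packet's identifying fields, so a TCP reply matches but an ESP reply carrying the other direction's SPI does not. The addresses and SPI values are constructed, and keying ESP state on the SPI is an assumption about how a mirrored entry would have to be built, since the SPI is the only per-flow identifier ESP exposes.

```python
# Toy reflexive ACL model (added example, not from the post or any vendor).
from dataclasses import dataclass

ESP, TCP = 50, 6


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0   # TCP source port (0 for ESP)
    dport: int = 0   # TCP destination port (0 for ESP)
    spi: int = 0     # ESP Security Parameter Index (0 for TCP)


class ReflexiveAcl:
    """Outbound packets create a temporary inbound entry; an inbound packet is
    permitted only if it matches such an entry, otherwise it is denied."""

    def __init__(self) -> None:
        self.state: set = set()

    @staticmethod
    def key(p: Packet) -> tuple:
        # Assumption: an ESP entry can only be keyed on addresses + SPI.
        if p.proto == ESP:
            return (p.src, p.dst, p.proto, p.spi)
        return (p.src, p.dst, p.proto, p.sport, p.dport)

    def outbound(self, p: Packet) -> None:
        # Mirror the packet: swap addresses and ports, keep proto and SPI.
        mirror = Packet(p.dst, p.src, p.proto, p.dport, p.sport, p.spi)
        self.state.add(self.key(mirror))

    def inbound(self, p: Packet) -> bool:
        return self.key(p) in self.state


def run_demo() -> dict:
    """Constructed traffic: inside host A talks to outside host B."""
    a, b = "2001:db8:1::10", "2001:db8:2::20"   # constructed addresses
    acl = ReflexiveAcl()
    acl.outbound(Packet(a, b, TCP, sport=50000, dport=22))
    acl.outbound(Packet(a, b, ESP, spi=0x1111))          # outbound SA's SPI
    return {
        "tcp_reply": acl.inbound(Packet(b, a, TCP, sport=22, dport=50000)),
        "esp_reply_other_spi": acl.inbound(Packet(b, a, ESP, spi=0x2222)),
        "esp_reply_same_spi": acl.inbound(Packet(b, a, ESP, spi=0x1111)),
    }
```

The last case only passes because the constructed reply reuses the outbound SPI, which real IPsec peers never do, so the mirrored entry can never match a genuine ESP reply.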