Re: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space

[Stephen Sprunk <stephen () sprunk org>]

Matthew Moyle-Croft wrote:
> Stephen Sprunk wrote:
> > You must be very sheltered.  Most end users, even "security" folks at 
> > major corporations, think a NAT box is a firewall and disabling NAT 
> > is inherently less secure.  Part of that is factual: NAT (er, dynamic 
> > PAT) devices are inherently fail-closed because of their design, 
> > while a firewall might fail open.  Also, NAT prevents some 
> > information leakage by hiding the internal details of the site's 
> > network, and many folks place a high value on "security" through 
> > obscurity.  This is understandable, since the real threats -- 
> > uneducated users and flawed software -- are ones they have no power 
> > to fix.
> It's also worth pointing out that CPE for DSL often has really poor 
> stateful firewall code.  So often turning it off means less issues for 
> home users.

I assume you're referring to ALG code?  Indeed, I've found that turning 
off ALGs in NAT/FW boxes fixes a lot of problems, because every vendor's 
seem to be broken in a different way.  I deal mainly with SIP these 
days, and the first step in any sort of firewall-related troubleshooting 
is to turn _off_ any SIP ALG functionality in the CPE because 90% of the 
time, that's whats breaking things; the end devices can deal with NAT as 
long as there's nobody in the middle mangling their packets.  Ideally, 
ALGs would fix up the packets such that the endpoints didn't need to be 
NAT-aware, but they're all (and I mean all, not most) so hideously 
broken that they make things worse, not better.  They can't get even 
simple, fossilized protocols like active FTP working most of the time; 
there's no way they'll do better with newer, more complicated ones like 
SIP or the dizzying array of P2P and IM protocols.

> At least NAT gives some semblance of protection.  IPv6 without NAT 
> might be awesome to some, but the reality is CPE is built to a price 
> and decent firewall code is thin on the ground.  I'm not hopeful of it 
> getting better when IPv6 starts to become mainstream.

Non-NAT firewalls do have some appeal, because they don't need to mangle 
the packets, just passively observe them and open pinholes when 
appropriate.  However, to be safe the endpoints cannot assume any 
firewalls in the path are going to work properly, and the absence of NAT 
makes it tougher for endpoints to detect firewalls' presence and react 
as needed...

> (In case it's not clear - I'm not talking about enterprise stuff - I'm 
> talking about CPE for domestic DSL/Cable users - please don't tell me 
> all about how cool NetScreen/PIX/ASA/<insert favourite fw> is for 
> enterprise).

I've found the "enterprise" NAT/FW gear to be worse: they attempt to 
implement more ALGs, but they do no better a job at implementing them 
than the less-ambitious consumer vendors, so more things break.

S

--
Stephen Sprunk         "God does not play dice."  --Albert Einstein
CCIE #3723         "God is an inveterate gambler, and He throws the
K5SSS        dice at every possible opportunity." --Stephen Hawking

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature