nanog mailing list archives

Re: Arguing against using public IP space

From: William Herrin <bill () herrin us>
Date: Mon, 14 Nov 2011 14:32:24 -0500

On Mon, Nov 14, 2011 at 1:50 PM, McCall, Gabriel
<Gabriel.McCall () thyssenkrupp com> wrote:

Chuck, you're right that this should not happen- but
the reason it should not happen is because you have
a properly functioning stateful firewall, not because
you're using NAT. If your firewall is working properly,
then having public addresses behind it is no less secure
than private. And if your firewall is not working properly,
then having private addresses behind it is no
more secure than public. In either case, NAT gains
you nothing over what you'd have with a firewalled
public-address subnet.

The fact that consumer cpe's typically do both nat
and stateful firewalling does not mean that those
functions are inseparable.


Gabriel,

This is not accurate.

First, many:1 NAT (sometimes also called PAT) is not separable from a
stateful firewall. You can build a stateful firewall without
many-to-one NAT but the reverse is not possible.

Second, while a security benefit from RFC 1918 addressing combined
with 1:1 NAT is dubious at best, the same is not true for the much
more commonly implemented many:1 NAT.

With RFC1918 plus many:1 NAT, most if not all functions of the
interior of the network are not addressable from far locations outside
the network, regardless of the correct or incorrect operation of the
security apparatus. This is an additional boundary which must be
bypassed in order to gain access to the network interior. While there
are a variety of techniques for circumventing this boundary no
combination of them guarantees successful breach. Hence it provides a
security benefit all on its own.

You would not rely on NAT+RFC1918 alone to secure a network and
neither would I. However, that's far from meaning that the use of
RFC1918 is never (or even rarely) operative in a network's security
process.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004

Current thread:

Re: Arguing against using public IP space, (continued)
- - Re: Arguing against using public IP space Jimmy Hess (Nov 13)
    - Re: Arguing against using public IP space David Walker (Nov 13)
    - Re: Arguing against using public IP space Jimmy Hess (Nov 13)
  - Re: Arguing against using public IP space William Herrin (Nov 13)
    - Re: Arguing against using public IP space Phil Regnauld (Nov 13)
    - Re: Arguing against using public IP space Doug Barton (Nov 13)
    - RE: Arguing against using public IP space Chuck Church (Nov 13)
    - Re: Arguing against using public IP space Phil Regnauld (Nov 13)
    - RE: Arguing against using public IP space Chuck Church (Nov 13)
    - RE: Arguing against using public IP space McCall, Gabriel (Nov 14)
    - Re: Arguing against using public IP space William Herrin (Nov 14)
    - Re: Arguing against using public IP space Owen DeLong (Nov 15)
    - Re: Arguing against using public IP space Leigh Porter (Nov 15)
    - Re: Arguing against using public IP space Valdis . Kletnieks (Nov 15)
    - RE: Arguing against using public IP space Chuck Church (Nov 15)
    - Re: Arguing against using public IP space Leigh Porter (Nov 15)
    - Re: Arguing against using public IP space Valdis . Kletnieks (Nov 15)
    - Re: Arguing against using public IP space William Herrin (Nov 15)
    - Re: Arguing against using public IP space -Hammer- (Nov 15)
    - Re: Arguing against using public IP space Cameron Byrne (Nov 15)
    - Re: Arguing against using public IP space -Hammer- (Nov 15)

(Thread continues...)