nanog mailing list archives

RE: misunderstanding scale


From: "Naslund, Steve" <SNaslund () medline com>
Date: Mon, 24 Mar 2014 16:43:04 +0000

I think it would be just as easy to claim that breaking the end-to-end model is more of a security concern than lack of 
NAT.  Having the NAT is essentially condoning a permanent man-in-the-middle.  A lot of customers do believe that NAT 
adds to their security.  I would advise them however that it probably offers a lot less than they think.  It is a very 
common technique to get an inside computer to establish a connection out to a bad host.  That's how most of the malware 
today works (through the "extra layer of defense" that NAT provides), so I am not seeing how much worse IPv6 would make 
things.  If you are going to allow inbound connections to your internal machines from anywhere you are insecure.  How 
hard is it to block inbound connections with a firewall?  If the user cannot accomplish that then there is not much we 
can do to save them.

I suppose NAT could add some sort of minimal additional assurance but if you cannot pull off a simple firewall or 
routing policy you are already unable to adequately secure your network.

I see no technical reason that someone could not implement a transparent proxy whether it is v4 or v6.  It does not 
really violate the end-to-end model because the proxy connects to the remote system and the local system connects to 
the proxy so there really is not an end-to-end connection as much as there are two separate connections.  For that 
matter, is there really a technical reason that you could not do a NAT if you wanted to with IPv6?  All we are really 
talking about here is replacing one address with another.  Could you not get something similar by translating a 
routable IPv6 address to a link local address?  I don't think I would want to but I suppose you could if you are really 
married to NAT and private addressing.

I, for one, will not miss NAT very much.  I have seen enough misconfigured NATs and holes being punched through 
firewalls because applications don't like NATs to believe that they are at least as much trouble as they are worth as a 
security feature.

Steven Naslund

-----Original Message-----
From: William Herrin [mailto:bill () herrin us] 
Sent: Monday, March 24, 2014 11:21 AM
To: Karl Auer
Cc: nanog () nanog org
Subject: Re: misunderstanding scale

On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer <kauer () biplane com au> wrote:
> Addressable is not the same as
> accessible; routable is not the same as routed.

Indeed. However, all successful security is about _defense in depth_.
If it is inaccessible, unrouted, unroutable and unaddressable then you have four layers of security. If it is merely 
inaccessible and unrouted you have two.

Regards,
Bill Herrin


--
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
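As an added example, not part of the thread above: the kind of "simple firewall policy" Steve's message refers to, written as an nftables ruleset for an IPv6 edge router. It drops unsolicited inbound connections and admits outbound-initiated traffic via connection tracking, with no address translation at all. The interface names lan0 (inside) and wan0 (upstream) and the management rule are assumptions for the example. The one check a practitioner must not skip when doing default-deny on IPv6 is the ICMPv6 exception list: Neighbor Discovery and Path MTU Discovery are carried in ICMPv6, and blocking them wholesale breaks the network rather than securing it.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. lan0 = inside, wan0 = upstream
# (assumed interface names). Stateful default-deny for IPv6 without NAT.
flush ruleset

table inet filter {
    chain input {
        # Packets addressed to the router itself: default deny.
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 the router must accept or ND, RA and PMTUD stop working.
        meta l4proto icmpv6 icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request,
            nd-router-solicit, nd-router-advert,
            nd-neighbor-solicit, nd-neighbor-advert
        } accept

        # Management reachable only from the inside (assumed policy).
        iifname "lan0" tcp dport 22 accept
    }

    chain forward {
        # Packets transiting the router: default deny.
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows the inside opened.
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may initiate connections to anywhere. This is also
        # the path a compromised inside host uses to call out, exactly as
        # it would through a NAT.
        iifname "lan0" oifname "wan0" accept

        # Unsolicited inbound is dropped by the chain policy. The only
        # exceptions are the ICMPv6 error types needed for PMTUD.
        iifname "wan0" meta l4proto icmpv6 icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem
        } accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check the syntax with `nft -c -f ruleset.nft` before loading it with `nft -f ruleset.nft`. Note that the `lan0` to `wan0` accept rule is what makes the ruleset no better than NAT against the malware-callback case described in the message: an inside host connecting out to a bad host is permitted by both, and the firewall's conntrack state then admits the replies. What the ruleset does give you is exactly what NAT is usually credited with, unsolicited inbound connections to internal hosts are dropped, with globally routable addresses left intact and no application-breaking rewriting in the path.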
