nanog mailing list archives
Re: IPv6 uptake (was: The Reg does 240/4)
From: Ryan Hamel <ryan () rkhtech org>
Date: Sat, 17 Feb 2024 02:10:18 +0000
sronan, A subnet can come from the ISP (residential/small business), or business is utilizing BGP with their upstream. When V6 is in use, a firewall does not need to perform NAT, just stateful flow inspection and applying the applicable rules based on the zone and/or interface. Bill, Depending on where that rule is placed within your ACL, yes that can happen with *ANY* address family. --- All things aside, I agree with Dan that NAT was never ever designed to be a security tool. It is used because of the scarcity of public address space, and it provides a "defense" depending on how it is implemented, with minimal effort. This video tells the story of NAT and the Cisco PIX, straight from the creators https://youtu.be/GLrfqtf4txw Ryan Hamel ________________________________ From: NANOG <nanog-bounces+ryan=rkhtech.org () nanog org> on behalf of sronan () ronan-online com <sronan () ronan-online com> Sent: Friday, February 16, 2024 5:44 PM To: William Herrin <bill () herrin us> Cc: nanog () nanog org <nanog () nanog org> Subject: Re: IPv6 uptake (was: The Reg does 240/4) Caution: This is an external email and may be malicious. Please take care when clicking links or opening attachments. Why is your Internal v6 subnet advertised to the Internet?
On Feb 16, 2024, at 8:08 PM, William Herrin <bill () herrin us> wrote: On Fri, Feb 16, 2024 at 3:13 PM Michael Thomas <mike () mtcc com> wrote:If you know which subnets need to be NAT'd don't you also know which ones shouldn't exposed to incoming connections (or conversely, which should be permitted)? It seems to me that all you're doing is moving around where that knowledge is stored? Ie, DHCP so it can give it private address rather than at the firewall knowing which subnets not to allow access? Yes, DHCP can be easily configured to make everything private, but DHCP for static reachable addresses is pretty handy too.Hi Mike, Suppose I have a firewall at 2602:815:6000::1 with an internal network of 2602:815:6001::/64. Inside the network on 2602:815:6001::4 I have a switch that accepts telnet connections with a user/password of admin/admin. On the firewall, I program it to disallow all Internet packets to 2602:815:6001::/64 that are not part of an established connection. Someone tries to telnet to 2602:815:6001::4. What happens? Blocked. Now, I make a mistake on my firewall. I insert a rule intended to allow packets outbound from 2602:815:6001::4 but I fat-finger it and so it allows them inbound to that address instead. Someone tries to telnet to 2602:815:6001::4. What happens? Hacked. Now suppose I have a firewall at 199.33.225.1 with an internal network of 192.168.55.0/24. Inside the network on 192.168.55.4 I have a switch that accepts telnet connections with a user/password of admin/admin. On the firewall, I program it to do NAT translation from 192.168.55.0/24 to 199.33.225.1 when sending packets outbound, which also has the effect of disallowing inbound packets to 192.168.55.0/24 which are not part of an established connection. Someone tries to telnet to 192.168.55.4. What happens? The packet never even reaches my firewall because that IP address doesn't go anywhere on the Internet. Now I make a mistake on my firewall. I insert a rule intended to allow packets outbound from 192.168.55.4 but I fat-finger it and so it allows them inbound to that address instead. Someone tries to telnet to 192.168.55.4. What happens? The packet STILL doesn't reach my firewall because that IP address doesn't go anywhere on the Internet. See the difference? Accessible versus accessible and addressable. Not addressable enhances security. Regards, Bill Herrin -- William Herrin bill () herrin us https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbill.herrin.us%2F&data=05%7C02%7Cryan%40rkhtech.org%7C5672986956c34e345fd208dc2f5a571c%7C81c24bb4f9ec4739ba4d25c42594d996%7C0%7C0%7C638437312255883842%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=iuKWxWts%2B9buTCz318C7hz6DbuWSST%2FKPZAWbbhSj8Q%3D&reserved=0<https://bill.herrin.us/>
Current thread:
- Re: IPv6 uptake (was: The Reg does 240/4), (continued)
- Re: IPv6 uptake (was: The Reg does 240/4) Michael Thomas (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) Michael Thomas (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) Michael Thomas (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) Michael Thomas (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) sronan (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) Ryan Hamel (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) Michael Thomas (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) Brandon Butterworth (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) Greg Skinner via NANOG (Feb 18)
- Re: IPv6 uptake (was: The Reg does 240/4) Michael Thomas (Feb 18)
- Re: IPv6 uptake Nick Hilliard (Feb 18)
- Re: IPv6 uptake Michael Thomas (Feb 18)
- Re: IPv6 uptake Nick Hilliard (Feb 18)
- Re: IPv6 uptake Michael Thomas (Feb 18)