nanog mailing list archives
Re: IPv6 uptake (was: The Reg does 240/4)
From: Ryan Hamel <ryan () rkhtech org>
Date: Sat, 17 Feb 2024 07:43:42 +0000
Again Bill, the NAT process layer is not involved in dropping unwanted traffic until the packet is at least four/five levels deep. On ingress, a firewall will check if there is any flow/stream associated to it, ensure the packet follows the applicable protocol state machine, process it against the inbound interface rules, do any DPI rule processing, THEN NAT lookup, and egress routing + ACLs on the outbound ACL. https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html On a standard LAN -> WAN firewall configured with a single public IPv4 IP; your protection comes from the connect state/flow tables primarily. No one would be touching NAT configurations at the same rate as zone and policy configurations, unless it's for complex VPN setups. Using NAT as a defense in depth strategy against deploying v6 is only hurting yourself. I have yet to come across an enterprise that uses it between internal VLANs or policies/zones, where the same threat potential can be, especially in a DMZ. Ryan Hamel ________________________________ From: NANOG <nanog-bounces+ryan=rkhtech.org () nanog org> on behalf of William Herrin <bill () herrin us> Sent: Friday, February 16, 2024 8:03 PM To: John R. Levine <johnl () iecc com> Cc: nanog () nanog org <nanog () nanog org> Subject: Re: IPv6 uptake (was: The Reg does 240/4) Caution: This is an external email and may be malicious. Please take care when clicking links or opening attachments. On Fri, Feb 16, 2024 at 7:41 PM John R. Levine <johnl () iecc com> wrote:
That it's possible to implement network security well without using NAT does not contradict the claim that NAT enhances network security.I think we're each overgeneralizing from our individual expeience. You can configure a V6 firewall to be default closed as easily as you can configure a NAT.
Hi John, We're probably not speaking the same language. You're talking about configuring the function of one layer in a security stack. I'm talking about adding or removing a layer in a security stack. Address overloaded NAT in conjunction with private internal addresses is an additional layer in a security stack. It has security-relevant properties that the other layers don't duplicate. Regardless of how you configure it. Also, you can't "configure" a layer to be default closed. That's a property of the security layer. It either is or it is not. You can configure a layer to be "default deny," which I assume is what you meant. The issue is that anything that can be configured can be accidentally unconfigured. When default-deny is accidentally unconfigured, the network becomes wide open. When NAT is accidentally unconfigured, the network stops functioning entirely. The gate is closed. Regards, Bill Herrin -- William Herrin bill () herrin us https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbill.herrin.us%2F&data=05%7C02%7Cryan%40rkhtech.org%7C0de6c54d274c4b231dc608dc2f6dc319%7C81c24bb4f9ec4739ba4d25c42594d996%7C0%7C0%7C638437395698409506%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=k19sefOjlCNOBGbiAmhzcFszrOEhf8SQQfs0MQThyaU%3D&reserved=0<https://bill.herrin.us/>
Current thread:
- Re: IPv6 uptake, (continued)
- Re: IPv6 uptake Michael Thomas (Feb 18)
- Re: IPv6 uptake Nick Hilliard (Feb 18)
- Re: IPv6 uptake John Levine (Feb 18)
- RE: IPv6 uptake (was: The Reg does 240/4) Howard, Lee via NANOG (Feb 19)
- Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 19)
- Re: IPv6 uptake (was: The Reg does 240/4) Michael Thomas (Feb 18)
- Re: IPv6 uptake (was: The Reg does 240/4) John Levine (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) John R. Levine (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) Ryan Hamel (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) Justin Streiner (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) Owen DeLong via NANOG (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) Steven Sommars (Feb 18)
- Re: IPv6 uptake Stephen Satchell (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) Tom Beecher (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) Owen DeLong via NANOG (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) Owen DeLong via NANOG (Feb 17)
- RE: IPv6 uptake (was: The Reg does 240/4) Howard, Lee via NANOG (Feb 19)
- Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 19)