nanog mailing list archives

Re: IPv6 uptake (was: The Reg does 240/4)


From: Ryan Hamel <ryan () rkhtech org>
Date: Sat, 17 Feb 2024 07:43:42 +0000

Again Bill, the NAT process layer is not involved in dropping unwanted traffic until the packet is at least four/five
levels deep. On ingress, a firewall will check if there is any flow/stream associated with it, ensure the packet follows
the applicable protocol state machine, process it against the inbound interface rules, do any DPI rule processing, THEN
NAT lookup, and egress routing + ACLs on the outbound ACL.
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html

On a standard LAN -> WAN firewall configured with a single public IPv4 IP, your protection comes from the connection
state/flow tables primarily. No one would be touching NAT configurations at the same rate as zone and policy
configurations, unless it's for complex VPN setups. Using NAT as a defense in depth strategy against deploying v6 is
only hurting yourself. I have yet to come across an enterprise that uses it between internal VLANs or policies/zones,
where the same threat potential can be, especially in a DMZ.

Ryan Hamel

________________________________
From: NANOG <nanog-bounces+ryan=rkhtech.org () nanog org> on behalf of William Herrin <bill () herrin us>
Sent: Friday, February 16, 2024 8:03 PM
To: John R. Levine <johnl () iecc com>
Cc: nanog () nanog org <nanog () nanog org>
Subject: Re: IPv6 uptake (was: The Reg does 240/4)

On Fri, Feb 16, 2024 at 7:41 PM John R. Levine <johnl () iecc com> wrote:
> That it's possible to implement network security well without using
> NAT does not contradict the claim that NAT enhances network security.
>
> I think we're each overgeneralizing from our individual experience.
>
> You can configure a V6 firewall to be default closed as easily as you can
> configure a NAT.

Hi John,

We're probably not speaking the same language. You're talking about
configuring the function of one layer in a security stack. I'm talking
about adding or removing a layer in a security stack. Address
overloaded NAT in conjunction with private internal addresses is an
additional layer in a security stack. It has security-relevant
properties that the other layers don't duplicate. Regardless of how
you configure it.

Also, you can't "configure" a layer to be default closed. That's a
property of the security layer. It either is or it is not.

You can configure a layer to be "default deny," which I assume is what
you meant. The issue is that anything that can be configured can be
accidentally unconfigured. When default-deny is accidentally
unconfigured, the network becomes wide open. When NAT is accidentally
unconfigured, the network stops functioning entirely. The gate is
closed.

Regards,
Bill Herrin


--
William Herrin
bill () herrin us
https://bill.herrin.us/
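A small model of the ingress order the post describes (flow lookup, state check, inbound interface rules, DPI, then NAT, then egress), added here as an illustration and not code from the thread or from any vendor: it walks an unsolicited SYN through the stages and reports which stage decides, both with the inbound policy intact and with it accidentally lost, with and without a NAT layer. The Packet and Firewall classes, stage names, addresses and rules are constructed assumptions.

```python
# Added toy model of the ingress order the post describes (flow lookup, state check,
# inbound ACL, DPI, NAT, egress); names, addresses and rules are constructed for
# illustration and are not code from the thread or any vendor.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool = True                  # True = new TCP connection attempt

@dataclass
class Firewall:
    nat_enabled: bool = True          # False models a plain IPv6 stateful firewall
    flows: set = field(default_factory=set)        # (src, dst, dport) of known flows
    inbound_acl: set = field(default_factory=set)  # allowed (dst, dport); empty = default deny
    allow_all_inbound: bool = False   # the "accidentally unconfigured" inbound policy
    nat: dict = field(default_factory=dict)        # (public_ip, port) -> (private_ip, port)

    def ingress(self, pkt):
        """Return (verdict, deciding stage, destination the packet is sent on to)."""
        if (pkt.src, pkt.dst, pkt.dport) in self.flows:        # 1. existing flow/stream?
            return ("accept", "flow-table", (pkt.dst, pkt.dport))
        if not pkt.syn:                                        # 2. protocol state machine
            return ("drop", "state-machine", None)
        if not self.allow_all_inbound and (pkt.dst, pkt.dport) not in self.inbound_acl:
            return ("drop", "inbound-acl", None)               # 3. inbound interface rules
        # 4. DPI rule processing would run here; omitted from this model
        if self.nat_enabled:                                   # 5. NAT lookup
            target = self.nat.get((pkt.dst, pkt.dport))
            if target is None:        # no static translation: nothing behind the public IP to reach
                return ("drop", "nat", None)
            return ("accept", "egress", target)
        return ("accept", "egress", (pkt.dst, pkt.dport))      # 6. no NAT layer: route as addressed

# constructed unsolicited SYNs: to a NATed public IPv4 address and to a host's global IPv6 address
V4_SYN = Packet(src="198.51.100.7", dst="203.0.113.10", dport=443)
V6_SYN = Packet(src="2001:db8:f00::7", dst="2001:db8:1::10", dport=443)

def scenarios():
    """Same packets through an intact firewall and through one whose inbound policy was lost."""
    return {
        "v4_intact": Firewall().ingress(V4_SYN),
        "v4_acl_lost": Firewall(allow_all_inbound=True).ingress(V4_SYN),
        "v6_intact": Firewall(nat_enabled=False).ingress(V6_SYN),
        "v6_acl_lost": Firewall(nat_enabled=False, allow_all_inbound=True).ingress(V6_SYN),
    }
```

In this model the unsolicited packet never reaches the NAT stage while the inbound policy is in place; only when that policy is lost does the presence or absence of a translation decide the outcome.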
