On 8-jul-2005, at 19:34, Fred Baker wrote:
A NAT, in that context, is a stateful firewall that changes the addresses, which means that the end station cannot use IPSEC to ensure that it is still talking with the same system on the outside. It is able to use TLS, SSH, etc as transport layer solutions, but those are subject to attacks on TCP such as RST attacks, data insertion, acknowledge hacking, and so on, and SSH also has a windowing problem (on top of TCP's window, SSH has its own window, and in large delay*bandwidth product situations SSH's window is a performance limit). In other words, a NAT is a man-in- the-middle attack, or is a device that forces the end user to expose himself to man-in-the-middle attacks.
:-)
A true stateful firewall that allows IPSEC end to end doesn't expose the user to those attacks.
I of course couldn't resist, so: ! ipv6 access-list out-ipv6-acl permit ipv6 any any reflect state-acl ! ipv6 access-list in-ipv6-acl evaluate state-acl deny ipv6 any any log ! (don't try this at home, kids: that deny any is dangerous because it blocks neighbor discovery) Unfortunately, IPsec (ESP transport mode) isn't allowed back in: %IPV6-6-ACCESSLOGNP: list in-ipv6-acl/20 denied 50 2001:1AF8:2:5::2 -
2001:1AF8:6:0:20A:95FF:FEF5:246E, 29 packets
On second thought: how could it? The SPIs for outgoing and incoming packets are different. I suppose it would be possible for the stateful filter to snoop the ISAKMP protocol and install filter rules based on the information found there, but that's obviously not what happens.