On Thu, Feb 03, 2011 at 12:23:54AM -0500, Jay Ashworth wrote:
> ----- Original Message -----
> From: "Matthew Palmer" <mpalmer@hezmatt.org>
>
> > Now, if you decide that none of those applications are important to you, sure, you can firewall them off as appropriate. But the pervasive deployment of NAT means that the set of problems that can be solved is constrained, and of the problems that *can* be solved, the solutions tend to be more complicated, harder to implement, understand, and so on, which has a cost to the community (higher prices, fewer solved problems, whatever your desired metric may be). I think that's what Blake is getting at with his TotC.
>
> Perhaps. I'm not sure that the collective importance of that difficulty outweighs the collective danger of making all nodes of the Internet *as it presently exists* publicly routable.

Well, technically, nodes aren't routable, addresses are... and I don't even see any danger in the mere existence of a valid route to a host. The danger exists when that host is not sufficiently secured (be it via firewall, sensible configuration, whatever).

> I don't know whether it's occurred to people that if you make every node on the present day Internet routable, then *you've made every node on the present day Internet routable*; the number of machines subject to more or less direct attack goes up (by a jackleg estimate I've just now made up) by between 3 and 5 orders of magnitude.

I make jackleg estimates all the time; I don't believe I've ever had to say "5 orders of magnitude".

I'm willing to bet you're being deeply optimistic (pessimistic?) with that estimate; if your estimate were accurate, it would mean that for every publicly addressed device there are between 1,000 and 100,000 privately addressed nodes. I *really* don't think that's plausible. At any rate, I think the days of severely broken IP stacks and "spectacularly insecure by default" OS installations are largely behind us; the security battle for the "client endpoint" has moved to client-initiated attacks, which are unhindered by NAT, firewalling, or any other "layer-respecting" network security device.

> > Of course, I'm a tiny bit of a skeptic, as I really can't see how a stateful firewall can know which other connections / packets are related without a lot of the same dodgy shenanigans that go on now, but at least if you've gotten rid of the 1-to-N address mangling a fundamental stumbling block is removed and people can get on and solve the remaining (tractable) problems.
>
> That is problematic as well, isn't it?

It is, but at least it's a problem that has a hope of being solved.

> It speaks directly to the attack-surface comment I just made in another reply.

I can't see how.

- Matt

-- 
"For once, Microsoft wasn't exaggerating when they named it the 'Jet Engine' -- your data's the seagull." -- Chris Adams