NAT also has the advantage that if packets do leak bogon filters at the border will drop them.
NAT is simply an algorithm which causes a firewall to drop all traffic which doesn't match an entry in a set of internal state tables. The NAT algorithm sets up these state tables based on outgoing traffic and based on specific operator configurations, i.e. static NAT mappings.

This algorithm can be implemented in a trivial piece of software that runs on cheap, low-power devices commonly used in things like DSL routers.

The IPv6 folks are claiming that you can very easily implement the same type of algorithm on IPv6 routers to drop all traffic which doesn't match an entry in a set of internal state tables. The IPv6 algorithm would set up these state tables based on outgoing traffic and based on specific operator configurations, i.e. static enabled addresses.

The only difference is that the IPv6 device never changes the packet contents, i.e. never replaces source or destination addresses in the headers. The IPv6 version can still drop traffic and can still dynamically enable certain incoming traffic based upon detection of an outgoing TCP session starting up. It could even do port redirection if that was still useful to people. It could also allow operator configuration to enable incoming traffic to specific addresses. The IPv6 version would be just as secure as an IPv4 NAT device but it would not interfere with protocol functioning.

Now, I'm not claiming that every device capable of IPv4 NAT is currently able to function in this way, but there are no technical barriers to prevent manufacturers from making IPv6 devices that function in this way. The IPv6 vendor marketing folks can even invent terms like NAT (Network Authority Technology) to describe this simple IPv6 firewall function, i.e. IPv6 NAT.

It wouldn't be the first time that acronyms have been reinvented, e.g. RED, GSM.

--Michael Dillon
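An added illustration, not code from the thread or from any vendor: a small Python model of the two devices Michael contrasts. Both admit an inbound packet only if it matches state learned from an earlier outbound packet or a static operator rule; the NAT variant additionally rewrites addresses and ports, while the IPv6-style filter forwards packets untouched. Addresses, ports and the class/field names are constructed for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFilter:
    """IPv6-style device: admits inbound traffic only on learned state or a
    static operator rule; packet headers are never rewritten."""
    def __init__(self, static_allow=()):
        self.static_allow = set(static_allow)  # (inside addr, port) opened by operator
        self.state = set()                      # 5-tuples learned from outbound packets

    def outbound(self, pkt):
        self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt  # forwarded unchanged

    def inbound(self, pkt):
        reply = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply in self.state or (pkt.dst, pkt.dport) in self.static_allow:
            return pkt
        return None  # dropped: no matching state, no static rule

class NatFilter(StatefulFilter):
    """IPv4 NAT: identical admission logic plus address/port rewriting."""
    def __init__(self, public, static_map=None):
        # static_map: public port -> (inside addr, inside port), a static NAT mapping
        self.map = dict(static_map or {})
        super().__init__(static_allow=self.map.values())
        self.public, self.next_port = public, 40000

    def outbound(self, pkt):
        super().outbound(pkt)                       # learn the flow exactly as above
        self.map[self.next_port] = (pkt.src, pkt.sport)
        out = replace(pkt, src=self.public, sport=self.next_port)  # the rewrite
        self.next_port += 1
        return out

    def inbound(self, pkt):
        inside = self.map.get(pkt.dport)
        if inside is None:
            return None                             # no mapping at all
        # undo the rewrite, then apply the same state/static check
        return super().inbound(replace(pkt, dst=inside[0], dport=inside[1]))
```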
In fact, Michael, there is no reason someone can't do everything you describe with IPv4 if they are using unique address space.

Owen

--On Thursday, October 30, 2003 3:22 PM +0000 Michael.Dillon@radianz.com wrote:
NAT also has the advantage that if packets do leak bogon filters at the border will drop them.
NAT is simply an algorithm which causes a firewall to drop all traffic which doesn't match an entry in a set of internal state tables. The NAT algorithm sets up these state tables based on outgoing traffic and based on specific operator configurations, i.e. static NAT mappings.
This algorithm can be implemented in a trivial piece of software that runs on cheap, low-power devices commonly used in things like DSL routers.
The IPv6 folks are claiming that you can very easily implement the same type of algorithm on IPv6 routers to drop all traffic which doesn't match an entry in a set of internal state tables. The IPv6 algorithm would set up these state tables based on outgoing traffic and based on specific operator configurations, i.e. static enabled addresses.
The only difference is that the IPv6 device never changes the packet contents, i.e. never replaces source or destination addresses in the headers. The IPv6 version can still drop traffic and can still dynamically enable certain incoming traffic based upon detection of an outgoing TCP session starting up. It could even do port redirection if that was still useful to people. It could also allow operator configuration to enable incoming traffic to specific addresses. The IPv6 version would be just as secure as an IPv4 NAT device but it would not interfere with protocol functioning.
Now, I'm not claiming that every device capable of IPv4 NAT is currently able to function in this way, but there are no technical barriers to prevent manufacturers from making IPv6 devices that function in this way. The IPv6 vendor marketing folks can even invent terms like NAT (Network Authority Technology) to describe this simple IPv6 firewall function, i.e. IPv6 NAT.
It wouldn't be the first time that acronyms have been reinvented, e.g. RED, GSM. --Michael Dillon
-- If it wasn't signed, it probably didn't come from me.
Thus spake <Michael.Dillon@radianz.com>

Now, I'm not claiming that every device capable of IPv4 NAT is currently able to function in this way, but there are no technical barriers to prevent manufacturers from making IPv6 devices that function in this way. The IPv6 vendor marketing folks can even invent terms like NAT (Network Authority Technology) to describe this simple IPv6 firewall function, i.e. IPv6 NAT.
Or you could simply call it what it is -- a firewall -- since that's what most consumers think NAT is anyways.

While I disagree with the general sentiment that NATs create security, the standard usage of such devices is certainly that of a stateful firewall.

S

Stephen Sprunk, CCIE #3723, K5SSS
"God does not play dice." --Albert Einstein
"God is an inveterate gambler, and He throws the dice at every possible opportunity." --Stephen Hawking
Agreed, NATs do not create security, although many customers believe they do. NATs _are_ extremely useful in hiding network topologies from casual inspection. What I usually recommend to those who need NAT is a stateful firewall in front of the NAT, the rationale being that the NAT hides the topology and the stateful firewall provides the security boundary.

Scott C. McGrath

On Thu, 30 Oct 2003, Stephen Sprunk wrote:
Thus spake <Michael.Dillon@radianz.com>

Now, I'm not claiming that every device capable of IPv4 NAT is currently able to function in this way, but there are no technical barriers to prevent manufacturers from making IPv6 devices that function in this way. The IPv6 vendor marketing folks can even invent terms like NAT (Network Authority Technology) to describe this simple IPv6 firewall function, i.e. IPv6 NAT.
Or you could simply call it what it is -- a firewall -- since that's what most consumers think NAT is anyways.
While I disagree with the general sentiment that NATs create security, the standard usage of such devices is certainly that of a stateful firewall.
S
Stephen Sprunk, CCIE #3723, K5SSS
"God does not play dice." --Albert Einstein
"God is an inveterate gambler, and He throws the dice at every possible opportunity." --Stephen Hawking
Scott McGrath wrote:
Agreed, NATs do not create security, although many customers believe they do. NATs _are_ extremely useful in hiding network topologies from casual inspection.
This is another bogus argument, and clearly you have not done the math on how long it takes to scan a /64 worth of subnet space. Start by assuming a /16 per second (which is well beyond what I have found as current technology) and see how long 2^48 seconds is.
What I usually recommend to those who need NAT is a stateful firewall in front of the NAT. The rationale being the NAT hides the topology and the stateful firewall provides the security boundary.
Obscuring the topology provides absolutely no security either. You are not alone, as it is frequently a recommended practice, but obscurity != security no matter how much it is sold as such.

Tony