Re: Security gain from NAT: Top 5
Mark Smith wrote:
> For all those people who think IPv4 NAT is quite fine, I challenge them to submit RFCs to the IETF that resolve, without creating worse or even more complicated problems, the list of problems here. All the IPv6 RFCs do ... <http://www.cs.utk.edu/~moore/what-nats-break.html>
These RFCs clearly have an agenda: selling IPv6. It is unfortunate they don't feel it necessary to make a balanced presentation of the pros and cons but instead appear to believe that spreading FUD about NAT is an effective method of promoting IPv6. Problem is that NAT will not go away or even become less common in IPv6 networks for a number of reasons.

#1 NAT advantage: it protects consumers from vendor lock-in.

Consider the advantage of globally unique public addressing to ISPs and telcos. Without NAT they have a very effective vendor lock-in. Want to change ISPs? It's only as easy as reconfiguring every device and/or DHCP server on your internal network. With NAT you only need to reconfigure a single device, sometimes not even that.

#2 NAT advantage: it protects consumers from add-on fees for address space.

Given the 100 to 10,000% mark-ups many telcos and ISPs already charge for more than a /29 it should come as no surprise they would be opposed to NAT.

#3 NAT advantage: it prevents upstreams from limiting consumers' internal address space.

Even after full implementation of IPv6 the trend of technology will continue to require more address space. Businesses will continue to grow and households will continue to acquire new IP-enabled devices. Without NAT consumers will be forced to request new netblocks from their upstream, often resulting in non-contiguous networks. Not surprisingly, often incurring additional fees as well.

Follow the money and you'll end up with these three reasons why the technical arguments being made against NAT in opinion pieces like Keith Moore's (URL above) are so one sided and overtly biased. But there are still more reasons NAT will continue to increase in popularity regardless of IPv6.

#4 NAT advantage: it requires new protocols to adhere to the ISO seven layer model.

H.323, SIP and other badly designed protocols imbed the local address in the data portion of IP packets. This trend is somewhat discouraged by the layer-isolation requirements of NAT.

#5 NAT advantage: it does not require replacement security measures to protect against netscans, portscans, broadcasts (particularly Microsoft's netbios), and other malicious inbound traffic.

The vendors of non-NAT devices would love to have you believe that their stateful inspection and filtering is a good substitute for the inspection and filtering required by NAT devices. Problem is the non-NAT devices all cost more, many are less secure in their default configurations, and the larger rulesets they are almost always configured with are less secure than the equivalent NAT device.

These are just some of the reasons why NAT is, and will continue to be, an increasingly popular technology for much more than address conservation.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
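The "embedded address" issue raised under #4 (SIP and H.323 carrying endpoint addresses inside the payload) is easiest to see on a concrete message. The following is an added example, not code from any participant in this thread: a small parser that pulls the session connection address and media ports out of an SDP body and flags the ones in RFC 1918 space, which a NAT that rewrites only IP and UDP headers leaves untranslated. The SDP text, the address 192.168.1.20 and the function names are constructed for the example.

```python
import ipaddress

# RFC 1918 space: the addresses a NAT device hides behind its public address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the SDP body a SIP phone behind a NAT would put in its INVITE.
SAMPLE_SDP = """v=0
o=alice 2890844526 2890844526 IN IP4 192.168.1.20
s=-
c=IN IP4 192.168.1.20
t=0 0
m=audio 49170 RTP/AVP 0
a=rtpmap:0 PCMU/8000
"""


def parse_sdp(body):
    """Return the session-level c= address and the (media, port) pairs from each m= line."""
    connection = None
    media = []
    for line in body.splitlines():
        if len(line) < 2 or line[1] != "=":
            continue  # not an SDP "x=value" field
        key, value = line[0], line[2:]
        parts = value.split()
        if key == "c" and len(parts) == 3:
            # c=<nettype> <addrtype> <connection-address>
            connection = parts[2]
        elif key == "m" and len(parts) >= 3:
            # m=<media> <port> <proto> <fmt ...>
            media.append((parts[0], int(parts[1])))
    return {"connection": connection, "media": media}


def is_rfc1918(addr):
    """True if addr parses as an IPv4 address inside one of the RFC 1918 blocks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def untranslated_media_endpoints(body):
    """(address, media, port) triples the far end would be told to send RTP to.

    A NAT that rewrites only packet headers leaves these payload values as they
    are, so the far end cannot reach them unless an ALG or STUN fixes them up."""
    parsed = parse_sdp(body)
    if parsed["connection"] is None or not is_rfc1918(parsed["connection"]):
        return []
    return [(parsed["connection"], media, port) for media, port in parsed["media"]]


if __name__ == "__main__":
    print(untranslated_media_endpoints(SAMPLE_SDP))
```

Running the script on the sample prints the single audio endpoint that would be advertised with an unroutable address; the same body with a public address in the c= line yields an empty list, which is the case a header-only NAT handles correctly.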
On Wed, Jun 06, 2007 at 08:49:21PM -0700, Roger Marquis wrote:
> Problem is that NAT will not go away or even become less common in IPv6 networks for a number of reasons.
>
> #1 NAT advantage: it protects consumers from vendor lock-in.
>
> Consider the advantage of globally unique public addressing to ISPs and telcos. Without NAT they have a very effective vendor lock-in. Want to change ISPs? It's only as easy as reconfiguring every device and/or DHCP server on your internal network. With NAT you only need to reconfigure a single device, sometimes not even that.
Isn't this the problem that router advertisements are meant to solve? Do you have operational experience which suggests that they aren't a sufficient solution?
> #2 NAT advantage: it protects consumers from add-on fees for address space.
>
> Given the 100 to 10,000% mark-ups many telcos and ISPs already charge for more than a /29 it should come as no surprise they would be opposed to NAT.
I was under the impression that each end-user of an IPv6 ISP got a /64 assigned to them when they connected.
> #3 NAT advantage: it prevents upstreams from limiting consumers' internal address space.
>
> Even after full implementation of IPv6 the trend of technology will continue to require more address space. Businesses will continue to grow and households will continue to acquire new IP-enabled devices. Without NAT consumers will be forced to request new netblocks from their upstream, often resulting in non-contiguous networks. Not surprisingly, often incurring additional fees as well.
By my calculations, the /64 of address space given to each connection will provide about 18446744073709551616 addresses. Is that an insufficient quantity for the average user of an ISP?
> #4 NAT advantage: it requires new protocols to adhere to the ISO seven layer model.
>
> H.323, SIP and other badly designed protocols imbed the local address in the data portion of IP packets. This trend is somewhat discouraged by the layer-isolation requirements of NAT.
NAT doesn't seem to have stopped the designers of these protocols from actually deploying their designs, though.
> #5 NAT advantage: it does not require replacement security measures to protect against netscans, portscans, broadcasts (particularly Microsoft's netbios), and other malicious inbound traffic.
>
> The vendors of non-NAT devices would love to have you believe that their stateful inspection and filtering is a good substitute for the inspection and filtering required by NAT devices. Problem is the non-NAT devices all cost more, many are less secure in their default configurations, and the larger rulesets they are almost always configured with are less secure than the equivalent NAT device.
Haven't we already had this thread killed by the mailing list team today?

- Matt

--
If only more employers realized that people join companies, but leave bosses. A boss should be an insulator, not a conductor or an amplifier. -- Geoff Kinnel, in the Monastery
> #1 NAT advantage: it protects consumers from vendor lock-in.
Speaking of FUD... NAT does nothing here that is not also accomplished through the use of PI addressing.
> #2 NAT advantage: it protects consumers from add-on fees for address space.
More FUD. The correct solution to this problem is to make it possible for end users to get reasonable addresses directly from RIRs for reasonable fees.
> #3 NAT advantage: it prevents upstreams from limiting consumers' internal address space.
Regardless of the amount of growth, do you really see the likelihood of any household _EVER_ needing more than 65,536 subnets? I don't even know the exact result of multiplying out 16*1024^6, but, I'm betting you can't fill 65,536 subnets that big ever no matter how hard you try. So, again, I say FUD.
> #4 NAT advantage: it requires new protocols to adhere to the ISO seven layer model.
Quite the contrary... NAT has encouraged the development of hack upon hack to accommodate these protocols. Please explain to me how you would engineer a call setup-tear-down protocol for an independent audio stream that didn't require you to embed addresses in the payload. Until you can solve this problem, we will have to have protocols that break this model. Other than from some sort of ISO purity model (notice how popular OSI networking is today, compared to IP?), SIP is actually a pretty clean solution to a surprisingly hard problem. Unless you have a better alternative for the same capabilities, I'm not buying it. We shouldn't have to give up useful features for architectural purity. If the architecture can't accommodate real world requirements, it is not the requirements that are broken. That's sort of like saying that OSPF and BGP break the ISO layer model because they talk about layer three addresses in layer 4-7 payload. Heck, even ISIS is broken by that definition. Again, I cry FUD.
> #5 NAT advantage: it does not require replacement security measures to protect against netscans, portscans, broadcasts (particularly Microsoft's netbios), and other malicious inbound traffic.
??? This is pure FUD and patently untrue. Example: About the cheapest NAT capable firewall you can buy is a Linksys WRT-54G. If you put real addresses on both sides of it and change a single checkbox in the configuration GUI, you end up with a Stateful Inspection firewall that gives you all the same security you had with the NAT, but, without the penalties imposed by NAT. Until you can show me a box that is more than USD 40 cheaper than a WRT-54G that cannot have NAT turned off, again, I cry FUD. Oh, btw, a WRT-54G sells for about USD 40 last time I bought one brand new at Best Buy, so, that's a pretty hard metric to meet.
> These are just some of the reasons why NAT is, and will continue to be, an increasingly popular technology for much more than address conservation.
Since each and every one of them is FUD, that is certainly the pot calling the kettle black. Unfortunately, time and again, American politics has proven that FUD is a successful marketing tactic, so, you are probably right, there will probably be a sufficient critical mass of ignorant consumers and vendors that will buy into said FUD and avoid the real solution in favor of continuing the abomination that is NAT and all the baggage of STUN, difficult debugging, header mangling, address conflicts, and the rest that tends to come with it.

Owen
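The claim under #5, that a stateful-inspection firewall with NAT switched off gives the same inbound protection as NAT, comes down to what connection tracking does with unsolicited packets. The following is an added example (not code from any participant or from any Linksys firmware): a minimal connection-tracking filter with global IPv6 addresses on both sides, which rewrites nothing and admits inbound traffic only as the exact reverse of a flow the inside started, or to a service deliberately exposed. The prefix 2001:db8:1::/64, the addresses, the port numbers and the packet sequence are all constructed for the example; the class and function names are likewise assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Minimal connection-tracking firewall: it rewrites nothing, it only remembers
    which flows the inside started and lets their replies back in."""

    def __init__(self, inside_prefix, allow_inbound=()):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.allow_inbound = set(allow_inbound)  # (proto, dport) services exposed on purpose
        self.flows = set()                       # 5-tuples of inside-initiated flows

    def _is_inside(self, addr):
        return ipaddress.ip_address(addr) in self.inside

    def process(self, pkt):
        """Return "accept" or "drop" for one packet crossing the firewall."""
        if self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
            # Outbound: record the flow so its replies are recognised.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        # Inbound: accepted only as the exact reverse of a tracked flow ...
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "accept"
        # ... or to a service the administrator chose to expose.
        if (pkt.proto, pkt.dport) in self.allow_inbound:
            return "accept"
        return "drop"


def run_scenario():
    """Constructed packet sequence for a /64 with global addresses on both sides."""
    fw = StatefulFilter("2001:db8:1::/64", allow_inbound={("tcp", 22)})
    inside, resolver, outsider = "2001:db8:1::10", "2001:db8:ffff::53", "2001:db8:bad::1"
    events = [
        ("dns query out", Packet("udp", inside, 40000, resolver, 53)),
        ("dns reply in", Packet("udp", resolver, 53, inside, 40000)),
        ("netbios probe in", Packet("tcp", outsider, 5555, inside, 139)),
        ("forged dns reply in", Packet("udp", outsider, 53, inside, 40000)),
        ("ssh in, exposed on purpose", Packet("tcp", outsider, 5556, inside, 22)),
    ]
    return [(label, fw.process(pkt)) for label, pkt in events]


if __name__ == "__main__":
    for label, decision in run_scenario():
        print(f"{label:28} {decision}")
```

The netbios probe and the forged reply are dropped for the same reason a NAT would drop them: no inside host opened a matching flow. The difference is that the inside host keeps its real address, so nothing in the payload of SIP, H.323 or anything else needs fixing up afterwards.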
On Jun 6, 2007, at 9:43 PM, Owen DeLong wrote:
> > #1 NAT advantage: it protects consumers from vendor lock-in.
>
> Speaking of FUD... NAT does nothing here that is not also accomplished through the use of PI addressing
If you completely ignore the cost of routing table growth to give every company their own PI, sure.
> > #2 NAT advantage: it protects consumers from add-on fees for address space.
>
> More FUD. The correct solution to this problem is to make it possible for end users to get reasonable addresses directly from RIRs for reasonable fees.
Reasonable is a hard word. We've had to turn away customers who wanted to assign a /27 to each and every machine, without actual justification for more than 3 IPs per machine. Sometimes people want to do insane things that aren't technically reasonable, but it's what they want to do. NAT gives them that option.

--
Jo Rhett
senior geek
Silicon Valley Colocation
Support Phone: 408-400-0550