Re: [arin-announce] IPv4 Address Space (fwd)
In article <cistron.Pine.LNX.4.44.0310291228200.29539-100000@login1.fas.harvard.edu>, Scott McGrath <mcgrath@fas.harvard.edu> wrote:
And sometimes you use NAT because you really do not want the NAT'ed device to be globally addressable but it needs to have a link to the outside to download updates. Instrument controllers et al.
I don't understand. What is the difference between a /24 internal NATted network, and a /64 internal IPv6 network that is firewalled off: only packets to the outside allowed, and packets destined for the inside need to have a traffic flow associated with them.

As I see it, NAT is just a stateful firewall of sorts. A broken one, so why not use a non-broken solution?

We can only hope that IPv6 capable CPE devices have that sort of stateful firewalling turned on by default. Or start educating the vendors of these el-cheapo CPE devices so that they will all have that kind of firewalling enabled before IPv6 becomes mainstream.

Mike.
Life would be much simpler without NAT; however, there are non-computer devices which use the internet to get updates for their firmware that most of us would prefer not to be globally reachable due to the human error factor, i.e. "Oops, forgot a rule to protect X". The radar on your cruise ship uses an IP network to communicate with the chartplotter, GPS, depth sounder. Do you really want _this_ gear globally reachable via the internet? Remember, if it's globally reachable it is subject to compromise.

A good example of this is building control systems which get firmware updates via FTP!!!! from their maker. Usually there is no manual system for updating them offline and allowing them to be disconnected from the internet, as in my opinion they _should_ be.

NAT is not security; just look at what you can do with sFlow to identify machines behind a NAT. NAT is useful for machines which need to periodically make a connection to perform some function involving the network. This class of devices should not have a globally routable address because in many cases security on them is less than an afterthought (short fixed passwords, no support for secure protocols, etc.)

The other case, as pointed out by another poster, is overlapping networks which need NAT until a renumbering can be accomplished.

Scott C. McGrath

On Wed, 29 Oct 2003, Miquel van Smoorenburg wrote:
In article <cistron.Pine.LNX.4.44.0310291228200.29539-100000@login1.fas.harvard.edu>, Scott McGrath <mcgrath@fas.harvard.edu> wrote:
And sometimes you use NAT because you really do not want the NAT'ed device to be globally addressable but it needs to have a link to the outside to download updates. Instrument controllers et al.
I don't understand. What is the difference between a /24 internal NATted network, and a /64 internal IPv6 network that is firewalled off: only packets to the outside allowed, and packets destined for the inside need to have a traffic flow associated with them.
As I see it, NAT is just a stateful firewall of sorts. A broken one, so why not use a non-broken solution?
We can only hope that IPv6 capable CPE devices have that sort of stateful firewalling turned on by default. Or start educating the vendors of these el-cheapo CPE devices so that they will all have that kind of firewalling enabled before IPv6 becomes mainstream.
Mike.
On Wed, 29 Oct 2003, Scott McGrath wrote:
Life would be much simpler without NAT; however, there are non-computer devices which use the internet to get updates for their firmware that most of us would prefer not to be globally reachable due to the human error factor, i.e. "Oops, forgot a rule to protect X". <snip> A good example of this is building control systems which get firmware updates via FTP!!!! from their maker. Usually there is no manual system for updating them offline and allowing them to be disconnected from the internet, as in my opinion they _should_ be.
NAT is certainly not the only way to restrict this sort of access. For your ship example (snipped) an isolated network is best. For your building control systems a firewall preventing inbound access, instead of a NAT device, should be your control of choice.
This class of devices should not have a globally routable address because in many cases security on them is less than an afterthought (short fixed passwords, no support for secure protocols, etc.)
routable != reachable. Restrict inbound access to your networks as needed, with or without NAT, IPv4 or IPv6. For legacy IPv4 networks that haven't been renumbered to IPv6, use a 4to6 gateway.

You seem to be arguing that NAT is the only way to prevent inbound access. While it's true that most commercial IPv4 firewalls bundle NAT with packet filtering, the NAT is not required, and less so with IPv6.

...david
---
david raistrick drais@atlasta.net http://www.expita.com/nomime.html
David Raistrick wrote:
You seem to be arguing that NAT is the only way to prevent inbound access. While it's true that most commercial IPv4 firewalls bundle NAT with packet filtering, the NAT is not required, and less so with IPv6.
I think the point that was being made was that NAT allows the filtering of the box to be more idiot proof. Firewall rules tend to be complex, which is why mistakes *do* get made and systems still get compromised. NAT interfaces and setups tend to be more simplistic, and the IP addresses of the device won't route publicly through the firewall or any unknown alternate routes.

-Jack
Jack Bates wrote:
David Raistrick wrote:
You seem to be arguing that NAT is the only way to prevent inbound access. While it's true that most commercial IPv4 firewalls bundle NAT with packet filtering, the NAT is not required, and less so with IPv6.
I think the point that was being made was that NAT allows the filtering of the box to be more idiot proof. Firewall rules tend to be complex, which is why mistakes *do* get made and systems still get compromised. NAT interfaces and setups tend to be more simplistic, and the IP addresses of the device won't route publicly through the firewall or any unknown alternate routes.
NAT for security is a bogus argument. NAT provides you nothing that a simple stateful firewall provides[0]. The only reason a firewall is "less idiot proof" is because NAT has such limited capabilities. People may do more with a firewall simply because they can. If you want complex rules, look at what happens to a NAT set up when you want to set up a few static mappings. That's asking for trouble. For a firewall to hobble the hosts behind it like NAT does takes only a few simple rules.

NAT also takes considerably more resources than a stateful firewall.

[0] The only bonus in NAT is for the truly paranoid who want to hide their network topology.

--
Crist J. Clark crist.clark@globalstar.com
Globalstar Communications (408) 933-4387
JB> Date: Wed, 29 Oct 2003 15:27:27 -0600
JB> From: Jack Bates
JB> I think the point that was being made was that NAT allows the
JB> filtering of the box to be more idiot proof. Firewall rules
JB> tend to be complex, which is why mistakes *do* get made and
JB> systems still get compromised. NAT interfaces and setups
JB> tend to be more simplistic, and the IP addresses of the
JB> device won't route publicly through the firewall or any
JB> unknown alternate routes.

NAT "security" is a byproduct of NAT's stateful filtering. One can accomplish the same effect with

    check-state
    allow ip any any recv internal0 keep-state
    deny ip any any

Such a default fw config would be equally idiot-proof with no IP obfuscation.

Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
That was _exactly_ the point I was attempting to make. If you recall, there was a case recently where a subcontractor at a power generation facility linked their system to an isolated network which gave unintentional global access to the isolated network. A NAT at the subcontractor's interface would have prevented this.

Scott C. McGrath

On Wed, 29 Oct 2003, Jack Bates wrote:
David Raistrick wrote:
You seem to be arguing that NAT is the only way to prevent inbound access. While it's true that most commercial IPv4 firewalls bundle NAT with packet filtering, the NAT is not required, and less so with IPv6.
I think the point that was being made was that NAT allows the filtering of the box to be more idiot proof. Firewall rules tend to be complex, which is why mistakes *do* get made and systems still get compromised. NAT interfaces and setups tend to be more simplistic, and the IP addresses of the device won't route publicly through the firewall or any unknown alternate routes.
-Jack
On Thu, 2003-10-30 at 09:22, Scott McGrath wrote:
That was _exactly_ the point I was attempting to make. If you recall, there was a case recently where a subcontractor at a power generation facility linked their system to an isolated network which gave unintentional global access to the isolated network. A NAT at the subcontractor's interface would have prevented this.
So would have a stateful firewall set to keep state, default deny inbound. This is how customer grade firewall products should work with NAT disabled, although they probably don't.

-Paul
--
Paul Timmins <paul@timmins.net>
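Eddy's three-line ruleset (check-state / allow from internal0 keep-state / deny everything else) and Paul's "keep state, default deny inbound" describe the same policy, and several posters argue it gives the same reachability outcome as NAT. The following is an added example, not code from any poster in this thread: a small Python model of both a keep-state filter and a port-overloading NAT, run over the same four constructed packets (an outbound update fetch, its reply, an unsolicited inbound connection, and a reply to a port that was never opened). The interface names internal0/external0, the addresses (taken from the RFC 3849 and RFC 5737 documentation ranges) and the packets are all constructed for the example.

```python
"""Model of 'keep-state / default deny inbound' versus port-overloading NAT.

Added example, not code from the thread. Both boxes see the same sequence
of constructed packets; the point is that the reachability decisions
(allow/deny) are identical, while only the NAT rewrites addresses.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# (proto, src, dst, sport, dport)
Flow = Tuple[str, str, str, int, int]


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on: "internal0" or "external0" (constructed names)
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

    def flow(self) -> Flow:
        return (self.proto, self.src, self.dst, self.sport, self.dport)

    def reverse_flow(self) -> Flow:
        return (self.proto, self.dst, self.src, self.dport, self.sport)


class StatefulFilter:
    """check-state; allow ip any any recv internal0 keep-state; deny ip any any."""

    def __init__(self, internal_iface: str = "internal0") -> None:
        self.internal_iface = internal_iface
        self.state: Set[Flow] = set()   # dynamic rules created by keep-state

    def decide(self, pkt: Packet) -> str:
        # Rule 1 (check-state): packets of a tracked flow pass in either direction.
        if pkt.flow() in self.state or pkt.reverse_flow() in self.state:
            return "allow"
        # Rule 2: traffic received on the inside interface passes and creates state.
        if pkt.iface == self.internal_iface:
            self.state.add(pkt.flow())
            return "allow"
        # Rule 3: anything else, i.e. unsolicited inbound, is denied.
        return "deny"


class NaptBox:
    """Port-overloading NAT: inbound traffic is forwarded only if it matches a
    translation created by an earlier outbound packet."""

    def __init__(self, external_addr: str, internal_iface: str = "internal0") -> None:
        self.external_addr = external_addr
        self.internal_iface = internal_iface
        self.next_port = 40000
        self.table: Dict[Tuple[str, int], Flow] = {}   # (proto, external port) -> inside flow

    def decide(self, pkt: Packet) -> str:
        if pkt.iface == self.internal_iface:
            # Outbound: allocate an external port and remember the inside flow.
            self.table[(pkt.proto, self.next_port)] = pkt.flow()
            self.next_port += 1
            return "allow"
        # Inbound: must hit an existing translation from the same remote host/port.
        inside = self.table.get((pkt.proto, pkt.dport))
        if (inside is not None and pkt.dst == self.external_addr
                and inside[2] == pkt.src and inside[4] == pkt.sport):
            return "allow"
        return "deny"


def scenario(policy, inside_host: str, server: str, attacker: str,
             seen_as_addr: str, seen_as_port: int) -> List[str]:
    """Four constructed packets. seen_as_* is how the outside world sees the
    inside host: its own address and port behind a firewall, the NAT's
    external address and allocated port behind NAT."""
    pkts = [
        Packet("internal0", "tcp", inside_host, server, 50000, 443),            # outbound update fetch
        Packet("external0", "tcp", server, seen_as_addr, 443, seen_as_port),     # legitimate reply
        Packet("external0", "tcp", attacker, seen_as_addr, 4444, 23),            # unsolicited inbound telnet
        Packet("external0", "tcp", server, seen_as_addr, 443, seen_as_port + 1), # reply to a port never opened
    ]
    return [policy.decide(p) for p in pkts]


def firewall_decisions() -> List[str]:
    # Globally routable IPv6 host on a firewalled /64: routable, yet not reachable.
    return scenario(StatefulFilter(), "2001:db8:1::10", "2001:db8:ffff::1",
                    "2001:db8:dead::1", "2001:db8:1::10", 50000)


def nat_decisions() -> List[str]:
    # RFC 1918 host behind a NAT whose external address is 203.0.113.1.
    return scenario(NaptBox("203.0.113.1"), "192.168.1.10", "203.0.113.50",
                    "198.51.100.7", "203.0.113.1", 40000)


if __name__ == "__main__":
    print("stateful firewall:", firewall_decisions())
    print("NAT:              ", nat_decisions())
```

Both runs give allow, allow, deny, deny: the outbound fetch and its reply pass, the unsolicited inbound connection and the reply to an unopened port are dropped, whether or not the inside address was rewritten. What differs is only the address rewriting, which is the part of NAT the thread blames for breaking protocols.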
On Wed, 29 Oct 2003, Scott McGrath wrote:
Life would be much simpler without NAT; however, there are non-computer devices which use the internet to get updates for their firmware that most of us would prefer not to be globally reachable due to the human error factor, i.e. "Oops, forgot a rule to protect X". <snip> A good example of this is building control systems which get firmware updates via FTP!!!! from their maker. Usually there is no manual system for updating them offline and allowing them to be disconnected from the internet, as in my opinion they _should_ be.
NAT is certainly not the only way to restrict this sort of access. For your ship example (snipped) an isolated network is best.
For your building control systems a firewall preventing inbound access, instead of a NAT device, should be your control of choice.
You are missing the point. Building control gear, instrument controllers, power controllers: their builders see a _cheap_ distribution method for updates, so they buy a TCP stack and cobble together an embedded application to update their software. Vendors are not thinking about acceptable levels of network security when they design this gear; they are thinking "hmm, no floppy or cdrom for $20, I can just put in a $4 ethernet controller and I can also save the salaries of the people needed to distribute the physical media."
This class of devices should not have a globally routable address because in many cases security on them is less than an afterthought (short fixed passwords, no support for secure protocols, etc.)
routable != reachable. Restrict inbound access to your networks as needed, with or without NAT, IPv4 or IPv6. For legacy IPv4 networks that haven't been renumbered to IPv6, use a 4to6 gateway.
routable _is_ reachable. A firewall is merely a filtering device; it cannot determine the intent of the packet. If a packet complies with your defined ruleset and the protocol rules for that type of packet, the firewall passes it. NAT also has the advantage that if packets do leak, bogon filters at the border will drop them. Firewalls cannot compensate for broken protocols or, worse yet, proprietary protocols which the firewall device has no knowledge of and therefore is limited to L3/4 filtering only. I have been playing with firewall and other internetwork security devices for longer than I care to remember.
You seem to be arguing that NAT is the only way to prevent inbound access. While it's true that most commercial IPv4 firewalls bundle NAT with packet filtering, the NAT is not required, and less so with IPv6.
Actually no, I tend to avoid NAT whenever possible. As other posters have pointed out, NAT tends to break things which are not ordinarily broken and I do not need the additional headaches. I simply see NAT as a tool in the toolbox to be used to fix networking problems.
...david
--- david raistrick drais@atlasta.net http://www.expita.com/nomime.html
participants (7)
- Crist Clark
- David Raistrick
- E.B. Dreger
- Jack Bates
- Miquel van Smoorenburg
- Paul Timmins
- Scott McGrath