the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

James Hess mysidia at gmail.com
Tue Apr 27 23:36:32 UTC 2010


On Tue, Apr 27, 2010 at 4:25 PM, Jon Lewis <jlewis at lewis.org> wrote:
> breaks.  i.e. they'll know its broken.  When they change the default policy
> on the firewall to Accept/Allow all, everything will still work...until all
> their machines are infected with enough stuff to break them.

The same is true with IPv4 + NAT, in terms of real-world net security,
because security attacks against end-user equipment commonly come
from either an e-mail message the user is expected to errantly click
on, or a malicious website designed to exploit the latest
$MsOffice_Acrobat_Javascript_OR_Flash_Vuln_DU_Jour.

If a user accidentally turns off their outbound filtering software,
even an IPv4 user behind a NAT setup still has a pretty bad security
posture.


Fortunately, the IPv6 address space is so large and sparse that
scanning it would be quite a feat, even if a random outside attacker
already knew for a fact that a certain /64 probably contains a
vulnerable host. Scanning IPv6 addresses by brute force is as
computationally hard as figuring out the 16-bit port number pairs
of an IPv4 NAT user's open connection, in order to fool their
NAT device and partially hijack the user's HTTP connection and
inject malicious code into their stream.

By the way, if an attacker actually can figure out the port number
pairs of a session recognized by the NAT device, the illusion of
"security" offered by the NAT setup potentially starts to crumble...
either way it's 32 bits to be guessed within a fairly limited
timeframe.

--
-J