the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
James Hess
mysidia at gmail.com
Tue Apr 27 23:36:32 UTC 2010
On Tue, Apr 27, 2010 at 4:25 PM, Jon Lewis <jlewis at lewis.org> wrote:
> breaks. i.e. they'll know it's broken. When they change the default policy
> on the firewall to Accept/Allow all, everything will still work...until all
> their machines are infected with enough stuff to break them.
The same is true with IPv4 + NAT, in terms of real-world net security,
because security attacks against end-user equipment commonly come
from either an e-mail message the user is expected to errantly click
on, or a malicious website designed to exploit the latest
$MsOffice_Acrobat_Javascript_OR_Flash_Vuln_DU_Jour.
If a user accidentally turns off their outbound filtering software,
even the IPv4 user behind a NAT setup still has a pretty bad security
posture.
Fortunately, the IPv6 address space is so large and sparse that
scanning it would be quite a feat, even if a random outside attacker
already knew for a fact that a certain /64 probably contains a
vulnerable host. Scanning IPv6 addresses by brute force is as
computationally hard as figuring out the 16-bit port number pairs
of an IPv4 NAT user's open connection, in order to fool their
NAT device and partially hijack the user's HTTP connection and
inject malicious code into their stream.
By the way, if an attacker actually can figure out the port number
pairs of a session recognized by the NAT device, the illusion of
"security" offered by the NAT setup potentially starts to crumble...
Either way, it's 32 bits to be guessed within a fairly limited
timeframe.
--
-J