Arguing against using public IP space

Owen DeLong owen at delong.com
Wed Nov 16 16:33:30 UTC 2011


On Nov 15, 2011, at 6:07 PM, Karl Auer wrote:

> On Wed, 2011-11-16 at 12:20 +1100, Mark Andrews wrote:
>> You are making assumptions about how the NAT is designed.
>> [...]
>> Unless you know the internals of a NAT you cannot say whether it
>> fails open or closed.
> 
> Indeed not!
> 
> From 2010, during an identical discussion:
> 
>   http://seclists.org/nanog/2010/Apr/1166
> 
> To me, "fail" means that a system stops doing what it was designed to
> do. The results are by definition undefined. Others seem to think that
> "fail" means a kind of default.
> 

Red herring alert.

Fact: any given system has failure modes that are more common and failure
modes that are less common. Sure, your car can fail by having the engine
explode. However, this is nowhere near as common as having your car
fail due to a flat tire or a clogged fuel filter.

Arguing that flat tires and clogged fuel filters are some form of default is
absurd, but when discussing automotive failures, the discussion will
naturally focus more on these failures than on engine explosions.

Such has been the case here. The most common failure modes for
firewalls are failures due to misconfiguration and/or failures due to
loss of configuration information.

Some misconfigurations are more common than others. A proper firewall
will address most of these failures by no longer forwarding packets.

In this case, a router with NAT is slightly more likely to fail closed than
a router without NAT. However, a firewall without NAT is more likely
to fail closed than a router with or without NAT and as likely to fail
closed as a firewall with NAT. In other words, NAT doesn't really improve anything,
but the difference between the common failure modes of a firewall
vs. a router is worthy of consideration. The infinitesimal advantage
of NAT if you use a router instead of a firewall to perform the duties of
a firewall is dramatically overshadowed by the costs and damage
done by NAT.

OTOH, routers, being designed primarily to forward packets and having
security appliance features added as a secondary capability, will, in
many cases, address most of these failures by passing packets which
would not be permitted if properly configured and/or functioning.

Yes, they are identical and NAT makes no meaningful difference
to the chances that undesired packets will be forwarded in the event
of a catastrophic failure outside of these more common failure modes.

Owen
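
The failure-mode comparison in the reply above, as an added toy model that is not part of the original post, of the NANOG thread, or of any vendor's implementation. Device semantics (a firewall drops anything not explicitly permitted; a router with no ACL applied forwards everything; a NAT device with no translation entry has no inside host to deliver an inbound packet to), the addresses, and the rule tables are all assumptions constructed for the illustration. It runs the same unsolicited inbound probe against four devices under the two common failures the post names, loss of configuration and misconfiguration.

```python
"""Toy model of fail-open vs. fail-closed for router/firewall with and without NAT.

Added example, not from the original post. Every behaviour below is an assumption
chosen to illustrate the argument, not a description of any real product.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample addresses (RFC 5737 documentation ranges).
PUBLIC_IP = "203.0.113.10"
INSIDE_HOST = "10.0.0.5"
PROBE_SRC = "198.51.100.7"

# (action, dst_ip or None for any, dst_port or None for any); first match wins.
Rule = Tuple[str, Optional[str], Optional[int]]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Device:
    """Minimal inbound packet-forwarding decision for one device."""
    default_deny: bool                                  # True: firewall semantics; False: router semantics
    rules: List[Rule] = field(default_factory=list)
    nat: Optional[Dict[Tuple[str, int], str]] = None    # (public_ip, port) -> inside host; None = no NAT

    def forwards(self, pkt: Packet) -> bool:
        # Assumed NAT behaviour: with no translation entry there is no inside
        # destination, so the packet is dropped regardless of the filter.
        if self.nat is not None and (pkt.dst, pkt.dport) not in self.nat:
            return False
        for action, dst, dport in self.rules:
            if (dst is None or dst == pkt.dst) and (dport is None or dport == pkt.dport):
                return action == "permit"
        # No rule matched (or no rules at all): fall back to the device's default.
        return not self.default_deny

    def lose_configuration(self) -> None:
        """Failure mode 1 from the post: the configuration is gone, defaults remain."""
        self.rules = []
        if self.nat is not None:
            self.nat = {}

    def misconfigure(self) -> None:
        """Failure mode 2: an operator exposes an extra port (and its NAT forward) by mistake."""
        self.rules = [("permit", PUBLIC_IP, 443), ("permit", PUBLIC_IP, 3389), ("deny", None, None)]
        if self.nat is not None:
            self.nat = {(PUBLIC_IP, 443): INSIDE_HOST, (PUBLIC_IP, 3389): INSIDE_HOST}


def build_devices() -> Dict[str, Device]:
    """Four correctly configured devices: only 443 reaches the inside host."""
    good_rules: List[Rule] = [("permit", PUBLIC_IP, 443), ("deny", None, None)]
    good_nat = {(PUBLIC_IP, 443): INSIDE_HOST}
    return {
        "router": Device(default_deny=False, rules=list(good_rules)),
        "router+nat": Device(default_deny=False, rules=list(good_rules), nat=dict(good_nat)),
        "firewall": Device(default_deny=True, rules=list(good_rules)),
        "firewall+nat": Device(default_deny=True, rules=list(good_rules), nat=dict(good_nat)),
    }


def outcome(failure: str) -> Dict[str, bool]:
    """Per device: is an unsolicited inbound probe to port 3389 forwarded after `failure`?"""
    probe = Packet(PROBE_SRC, PUBLIC_IP, 3389)
    results: Dict[str, bool] = {}
    for name, dev in build_devices().items():
        assert not dev.forwards(probe), "a healthy device blocks the probe"
        getattr(dev, failure)()
        results[name] = dev.forwards(probe)
    return results


if __name__ == "__main__":
    for failure in ("lose_configuration", "misconfigure"):
        print(failure)
        for name, forwarded in outcome(failure).items():
            print(f"  {name:13s} {'FAIL OPEN (forwarded)' if forwarded else 'fail closed (dropped)'}")
```

Under configuration loss only the plain router forwards the probe: the NAT router drops it for lack of a translation entry (the slight edge the post concedes), and both firewalls drop it on default policy, NAT or not. Under misconfiguration every device forwards it, since the same mistake that permits the port also supplies the mapping; that is the sense in which NAT adds nothing the filter policy does not already decide.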
