misunderstanding scale

Laszlo Hanyecz laszlo at heliacal.net
Mon Mar 24 17:35:18 UTC 2014


On Mar 24, 2014, at 5:05 PM, "Patrick W. Gilmore" <patrick at ianai.net> wrote:

> On Mar 24, 2014, at 12:21, William Herrin <bill at herrin.us> wrote:
>> On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve <SNaslund at medline.com> wrote:
> 
>>> I am not sure I agree with the basic premise here. NAT or Private addressing does not equal security.
> 
>> Many of the folks you would have deploy IPv6 do not agree. They take
>> comfort in the mathematical impossibility of addressing an internal
>> host from an outside packet that is not part of an ongoing session.
>> These folks find that address-overloaded NAT provides a valuable
>> additional layer of security.
>> 
>> Some folks WANT to segregate their networks from the Internet via a
>> general-protocol transparent proxy. They've had this capability with
>> IPv4 for 20 years. IPv6 poorly addresses their requirement.
> 

It's unfortunate that it is the way it is, but many enterprise people have this ingrained in them - they don't want to be connected to the internet except for a few exceptions.  Just the fact that they can't ping their machines gives them a warm and fuzzy.  In a run-of-the-mill default NAT setup, you can deploy a network printer with no security and nobody from the internet can print to it.  It's default deny, even without setting anything else up, by virtue of not being on the internet and not having an address.  I know there are ways to subvert a NAT but that applies to perimeter and host firewalls too.  IPv6 global numbers are great for those of us that actually want to connect to the internet, but enterprise people with RFC 1918 numbering have gotten used to being disconnected, and while most of us know that it's trivial to firewall IPv6, it's still a big jump from using a NAT/proxy to being 'on the internet'.  It's even more complex if it's only halfway and there are two different protocols to manage.

People will always resist change, and in this case, why should they change when it's only going to make their job harder?  Makes sense to me, but I wish it weren't that way.  They will probably just find ways to proxy and NAT IPv6 too, so that it fits the IPv4 model with 'private' addresses.

Just look at what's been happening with UDP floods.  It's scared people enough that some are just blocking certain UDP ports or UDP completely.  I imagine we will soon see some big IPv6-specific attacks that result in crashing hosts/routers, and that will just make people resist it harder, because why would they want that headache?  I think in a lot of situations, unless their business is networking specifically, the network is considered good enough if you can browse (most) webpages.  For IPv6-only sites, that could be accomplished with a web proxy setting on all the desktops.  It's not really right, it's inefficient, error-prone, and a bunch of other things, but that doesn't mean people won't do it.  They do all this today with v4 anyway, so if anything, the 'wrong way' is easier there since they're used to doing it.

There has to be some big compelling reason to convince people that global addressing is the right way.  We all know the reasons but they're obviously not good enough for enterprise security people.

-Laszlo



> NAT is not required for the above. Any firewall can stop incoming packets unless they are part of an established session. NAT doesn't add much of anything, especially given that you can have one-to-one NAT.
> 
> -- 
> TTFN,
> patrick
> 
> 
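The point both Patrick and Laszlo circle around (the printer that nobody outside can reach, replies to outbound sessions still getting in) is a property of connection tracking, not of address translation. The following is an added illustration, not code from this thread or from any poster: a toy stateful filter in Python that records outbound flows and admits inbound packets only when they match a recorded flow or an explicit allow entry. All addresses are constructed from the 2001:db8::/32 documentation prefix, and the class names, port numbers and the `allowed_inbound` parameter are this example's own inventions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed "inside" prefix for the example; globally routable, no NAT.
INSIDE = ipaddress.ip_network("2001:db8:1::/48")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFilter:
    """Minimal stateful packet filter (hypothetical, for illustration).

    Outbound packets create a flow entry; inbound packets are accepted
    only if they reverse-match an existing flow (ESTABLISHED) or hit an
    explicit (address, port) allow entry. Everything else inbound is dropped.
    No timeouts or TCP state machine: this shows the default-deny behaviour
    only, not a production conntrack implementation.
    """

    def __init__(self, inside, allowed_inbound=()):
        self.inside = inside
        self.allowed_inbound = set(allowed_inbound)  # explicit pinholes
        self.flows = set()  # (proto, src, sport, dst, dport) of outbound flows

    def _is_inside(self, addr):
        return ipaddress.ip_address(addr) in self.inside

    def handle(self, pkt):
        src_in, dst_in = self._is_inside(pkt.src), self._is_inside(pkt.dst)
        if src_in and not dst_in:
            # Outbound: remember the 5-tuple so the reply can come back.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if dst_in and not src_in:
            # Inbound: does this look like the reply half of a known flow?
            reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if reverse in self.flows:
                return "ACCEPT"
            if (pkt.dst, pkt.dport) in self.allowed_inbound:
                return "ACCEPT"
            # Default deny: the same outcome the printer got behind a NAT,
            # without needing to translate or hide the address.
            return "DROP"
        return "ACCEPT"  # inside-to-inside traffic is out of scope here


def demo():
    """Run a few constructed packets through the filter and return verdicts."""
    bastion = "2001:db8:1::22"
    fw = StatefulFilter(INSIDE, allowed_inbound={(bastion, 22)})
    printer = "2001:db8:1::9100"
    desktop = "2001:db8:1::10"
    web = "2001:db8:2::80"
    outsider = "2001:db8:ffff::1"

    results = {}
    # Unsolicited connection to the unsecured printer: dropped by default.
    results["unsolicited_to_printer"] = fw.handle(Packet(outsider, 40000, printer, 9100))
    # Desktop browses out; the reply reverse-matches the recorded flow.
    results["desktop_to_web"] = fw.handle(Packet(desktop, 51000, web, 80))
    results["web_reply"] = fw.handle(Packet(web, 80, desktop, 51000))
    # A packet claiming to be a reply but with the wrong port does not match.
    results["forged_reply_wrong_port"] = fw.handle(Packet(web, 80, desktop, 51001))
    # Only the explicitly permitted service is reachable from outside.
    results["permitted_ssh_to_bastion"] = fw.handle(Packet(outsider, 40001, bastion, 22))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26} {verdict}")
```

The design choice worth noticing is that the inside hosts keep their global addresses throughout; reachability is decided by the flow table and the allow list alone. That is what Patrick means by "any firewall can stop incoming packets unless they are part of an established session": the warm-and-fuzzy property Laszlo describes survives the move to global addressing, provided the stateful default-deny policy is actually configured rather than inherited as a side effect of NAT.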




