Netflix banning HE tunnels

Owen DeLong owen at delong.com
Tue Jun 14 21:54:13 UTC 2016


> On Jun 14, 2016, at 11:57 , Ricky Beam <jfbeam at gmail.com> wrote:
> 
> On Sun, 12 Jun 2016 19:47:18 -0400, Owen DeLong <owen at delong.com> wrote:
>>> NAT may not be security, yet it's the only thing securing billions of people.
>> 
>> Nope… NAT can’t be done without stateful inspection.
> 
> Negative.
> - 1:1 NAT (inside address A == outside address B) requires no state of any kind.

Sigh… This is not the kind of NAT we are talking about here. We are talking about address multiplexing NAT.

1:1 NAT provides no security whatsoever, either.

> - Connection Tracking is not stateful inspection

Yes, actually, it is a form of stateful inspection.

> - NAT Helpers / ALG / etc. (things that look for embedded addresses) aren't "stateful inspection"

Yes, actually, they are part of the more general category of stateful inspection.

> The only "security" one gets from NAT comes from the lack of outside visibility through the NAT. An outside host cannot initiate a connection to any specific inside host of their choosing.

If you are doing 1:1 NAT without stateful inspection, you don’t get this.

> I've seen many "IPv6 Capable" CPEs that apply ZERO security to IPv6 traffic. IPv4 goes through NAT, so one gets the pseudo-security of not being directly touchable from the internet.

Those are by definition poorly designed CPE. We used to (and arguably still do) have lots of poorly designed IPv4 CPE, too.

Blaming the protocol for bad CPE design is kind of silly.

Each and every one of those CPEs you describe _IS_ doing some form of stateful inspection of the packet in order to be able to perform its translation function or drop the unrelated packet.

An open 1:1 NAT with no stateful inspection is no more secure than a direct route. Changing the packet header doesn’t make you any less reachable.

In fact, it further proves my point that no security comes from the NAT itself, but, rather from the validation of inbound packets as to whether they match an existing outbound session or not. That validation, however it is done, _IS_ stateful inspection. Without it, you’ve offered no security advantage and prevented no reachability.

Owen
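The distinction argued above (1:1 NAT forwards whatever arrives for the outside address, while address-multiplexing NAT can only deliver inbound packets that match a tracked outbound session) as a small added model. This is illustrative code written for this page, not anything from the thread or from any CPE; the addresses, ports and the endpoint-dependent session key are constructed assumptions, and a full-cone NAT would key its lookup on the mapped port alone, which is still a lookup in state the box had to record.

```python
"""Toy model of two NAT styles, to show where the "security" actually lives.

Constructed example (not from the NANOG thread): a 1:1 NAT rewrites
addresses in both directions with no state, so an unsolicited inbound
packet for the outside address is simply forwarded to the inside host.
An address-multiplexing NAT (NAPT) must record outbound flows to know
where replies go; that same table is what makes it drop unrelated packets.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class OneToOneNat:
    """Static 1:1 NAT: inside A <-> outside B. Stateless in both directions."""

    def __init__(self, mapping):
        self.in_to_out = dict(mapping)
        self.out_to_in = {v: k for k, v in mapping.items()}

    def outbound(self, pkt):
        out = self.in_to_out.get(pkt.src)
        if out is None:
            return None
        return Packet(out, pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        inside = self.out_to_in.get(pkt.dst)
        if inside is None:
            return None
        # No check that anyone inside ever talked to pkt.src: header is
        # rewritten and the packet is forwarded, exactly like a direct route.
        return Packet(pkt.src, pkt.sport, inside, pkt.dport)


class MultiplexingNat:
    """NAPT: many inside hosts share one outside address.

    The session table is keyed by (outside port, remote ip, remote port),
    i.e. endpoint-dependent filtering (an assumption for this model).
    """

    def __init__(self, outside_addr, first_port=40000):
        self.outside = outside_addr
        self.next_port = first_port
        self.sessions = {}  # (ext_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.reverse = {}   # (inside_ip, inside_port, remote_ip, remote_port) -> ext_port

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        ext_port = self.reverse.get(key)
        if ext_port is None:
            # First packet of a new flow: allocate an outside port and
            # record the session. This record is the "stateful inspection".
            ext_port = self.next_port
            self.next_port += 1
            self.reverse[key] = ext_port
            self.sessions[(ext_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.outside, ext_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        if pkt.dst != self.outside:
            return None
        match = self.sessions.get((pkt.dport, pkt.src, pkt.sport))
        if match is None:
            return None  # No matching outbound session: nowhere to send it, dropped.
        inside_ip, inside_port = match
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)


def demo():
    """Run an unsolicited probe and a real reply through both NAT styles."""
    inside_host = "10.0.0.5"       # constructed RFC 1918 inside address
    attacker = "203.0.113.9"       # constructed documentation-range addresses
    server = "198.51.100.7"

    one_to_one = OneToOneNat({inside_host: "192.0.2.5"})
    napt = MultiplexingNat("192.0.2.1")

    # Unsolicited inbound packet to the outside address under each scheme.
    probe_1to1 = one_to_one.inbound(Packet(attacker, 4444, "192.0.2.5", 22))
    probe_napt = napt.inbound(Packet(attacker, 4444, "192.0.2.1", 40000))

    # Inside host opens a flow; the server's reply matches the session table.
    out = napt.outbound(Packet(inside_host, 51000, server, 443))
    reply = napt.inbound(Packet(server, 443, out.src, out.sport))
    # Same outside port, different remote host: not the tracked session.
    spoof = napt.inbound(Packet(attacker, 443, out.src, out.sport))
    return probe_1to1, probe_napt, reply, spoof


if __name__ == "__main__":
    for label, result in zip(("1:1 probe", "NAPT probe", "NAPT reply", "NAPT spoof"), demo()):
        print(f"{label}: {'forwarded ' + str(result) if result else 'dropped'}")
```

The 1:1 probe reaches the inside host untouched, the unsolicited NAPT probe and the off-session spoof are dropped, and only the reply that matches a recorded outbound flow is delivered; the drop decision is made entirely by the session table, not by the address rewrite.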