IPv6 uptake (was: The Reg does 240/4)

Michael Thomas mike at mtcc.com
Sat Feb 17 18:34:22 UTC 2024


On 2/16/24 6:33 PM, William Herrin wrote:
> On Fri, Feb 16, 2024 at 6:10 PM Ryan Hamel <ryan at rkhtech.org> wrote:
>> Depending on where that rule is placed within your ACL, yes that can happen with *ANY* address family.
> Hi Ryan,
>
> Correct. The examples illustrated a difference between a firewall
> implementing address-overloaded NAT and a firewall implementing
> everything except the address translation. Either example could be
> converted to the other address family and it would work the same way.
>
>> All things aside, I agree with Dan that NAT was never
>> ever designed to be a security tool. It is used because
>> of the scarcity of public address space, and it provides
>> a "defense" depending on how it is implemented, with
>> minimal effort. This video tells the story of NAT and the
>> Cisco PIX, straight from the creators
>> https://youtu.be/GLrfqtf4txw
> NAT's story, the modern version of NAT when we talk about IPv4
> firewalls, started in the early '90s with the Gauntlet firewall. It
> was described as a transparent application layer gateway. Gauntlet
> focused on solving enterprise security issues. Gauntlet's technology
> converged with what was then 1:1 NAT to produce the address-overloaded
> NAT like what later appeared in the Cisco PIX (also first and foremost
> a security product) and is present in all our DSL and cable modems
> today.
>
> Security came first, then someone noticed it'd be useful for address
> conservation too. Gauntlet's customers generally had or could readily
> get a supply of public IP addresses. Indeed, when Gauntlet was
> released, IP addresses were still available from
> hostmaster at internic.net at zero cost and without any significant
> documentation. And Gauntlet was expensive: folks who couldn't easily
> obtain public IP addresses also couldn't afford it.

Funny, I don't recall Bellovin and Cheswick's Firewall book discussing 
NAT. That was sort of the go-to book for hard-on-the-outside 
soft-on-the-inside defense. Maybe they were unaware of this, or maybe 
they didn't agree with the premise. I didn't hear about NAT until the 
late '90s, IIRC. I've definitely not heard of Gauntlet.

As I recall, it was very much an afterthought with cable/DOCSIS to use 
NAT to conserve addresses. The headend DHCP server just gave public 
addresses to whoever asked. DOCSIS CPE at that time was just an L2 
modem. NAT traversal absolutely was not on the table with PacketCable 
back in the late '90s, and believe me we were very concerned about the 
security of MGCP since it was UDP based.

Which is to say that NAT came around to preserve address space. Any 
security properties were sort of a post-hoc rationalization and hotly 
debated given all the things NAT broke.

Mike


