mh (RE: OMB: IPv6 by June 2008)

David Andersen dga+ at cs.cmu.edu
Fri Jul 8 17:15:42 UTC 2005


On Jul 8, 2005, at 12:49 PM, Jay R. Ashworth wrote:

>
> On Thu, Jul 07, 2005 at 01:31:57PM -0700, Crist Clark wrote:
>> And if you still want "the protection of NAT," any stateful firewall
>> will do it.
>
> That seems a common viewpoint.
>
> I believe the very existence of the Ping Of Death rebuts it.
>
> A machine behind a NAT box simply is not visible to the outside world,
> except for the protocols you tunnel to it, if any.   This *has* to
> vastly reduce its attack exposure.

Not really.  Consider the logic in a NAT box:

   if (state table entry exists for packet) {
      translate_header();
      send();
   } else {
      drop();
   }

and the logic in a stateful firewall:

   if (state table entry exists for packet) {
      send();
   } else {
      drop();
   }

This is *exactly* the core of what a NAT does, minus the header 
mangling.  The ping of death exposure, for instance, is identical in 
both cases:  The way to ping of death someone is to find a valid state 
table entry and exploit it (e.g., if you could do a PoD in reverse by 
using a too-large ICMP reply, and first convince the victim to ping 
you).

Configuration options can change the behavior of either, e.g., 
configuring an internal host to be the "DMZ" host on a NAT, which 
changes the logic to:

   if (state table) ...
   else
      send_to_dmz_host();

The equivalent operation on a stateful firewall is a permit rule.  A 
stateful firewall can expose more internal hosts to the outside than a 
NAT with only one IP address, simply because it can have more 
addressable space to use (if you've only got one IP address, there's 
only one person who can receive pings).  But in general, the two are 
nearly identical, by virtue of the state table check.

   -Dave
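To make the comparison Dave sketches concrete, here is a small Python model of the two boxes. This is an added illustration for the thread, not code from the post: the class and function names (Packet, Nat, StatefulFirewall, run_scenario), the documentation-range addresses, and the choice to model the ICMP echo identifier as a port number are all assumptions of the example. Neither box looks at packet size, on purpose: whether an oversized reply gets through is decided by the state table check alone, and the NAT's translation step changes nothing about that.

```python
# Added illustration for this thread, not code from the post. Models the
# state-table check a NAT box and a stateful firewall share; all names here
# (Packet, Nat, StatefulFirewall, run_scenario) are made up for the example.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int       # for ICMP echo, read this as the identifier field
    dst: str
    dport: int
    proto: str = "udp"
    size: int = 64   # total length; nothing below inspects it, on purpose


class StatefulFirewall:
    """No translation: forward a packet only if the state table (or an
    explicit permit rule) says so."""

    def __init__(self, permits=()):
        self.permits = set(permits)   # (dst, dport) pairs allowed inbound
        self.state = set()            # 5-tuples of replies we expect

    def outbound(self, pkt):
        # Record the reply we are now willing to accept, send unchanged.
        self.state.add((pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto))
        return pkt

    def inbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if key in self.state or (pkt.dst, pkt.dport) in self.permits:
            return pkt                # send()
        return None                   # drop()


class Nat:
    """Same state check, plus translate_header() and one public address.
    dmz_host is the 'send everything unmatched to this box' option."""

    def __init__(self, public_ip, dmz_host=None):
        self.public_ip = public_ip
        self.dmz_host = dmz_host
        self.next_port = 40000
        self.out_map = {}   # inside 5-tuple -> public port
        self.in_map = {}    # (remote, rport, public port, proto) -> (inside ip, port)

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if key not in self.out_map:
            pub = self.next_port
            self.next_port += 1
            self.out_map[key] = pub
            self.in_map[(pkt.dst, pkt.dport, pub, pkt.proto)] = (pkt.src, pkt.sport)
        # translate_header(); send()
        return replace(pkt, src=self.public_ip, sport=self.out_map[key])

    def inbound(self, pkt):
        if pkt.dst != self.public_ip:
            return None
        hit = self.in_map.get((pkt.src, pkt.sport, pkt.dport, pkt.proto))
        if hit is not None:
            inside_ip, inside_port = hit
            return replace(pkt, dst=inside_ip, dport=inside_port)  # translate + send
        if self.dmz_host is not None:
            return replace(pkt, dst=self.dmz_host)                 # send_to_dmz_host()
        return None                                                 # drop()


def run_scenario(box, target, inside_host, attacker="203.0.113.9"):
    """Run the two cases from the post against either box. `target` is the
    address an outsider aims at (the host itself, or the NAT's public IP).
    Returns whether each packet reached inside_host."""
    reached = {}
    # 1. Unsolicited inbound ICMP echo: no state table entry exists.
    p = box.inbound(Packet(attacker, 5555, target, 0, "icmp"))
    reached["unsolicited"] = p is not None and p.dst == inside_host
    # 2. Inside host pings the attacker first; the attacker answers with an
    #    oversized echo reply that matches the state entry ("PoD in reverse").
    out = box.outbound(Packet(inside_host, 1234, attacker, 0, "icmp"))
    reply = Packet(attacker, 0, out.src, out.sport, "icmp", size=70000)
    p = box.inbound(reply)
    reached["solicited_oversized"] = p is not None and p.dst == inside_host
    return reached


if __name__ == "__main__":
    # Constructed sample run: a host with its own routable address behind a
    # stateful firewall, and a private host behind a single-address NAT.
    print("firewall:", run_scenario(StatefulFirewall(), "198.51.100.5", "198.51.100.5"))
    print("nat:     ", run_scenario(Nat("198.51.100.1"), "198.51.100.1", "10.0.0.5"))
    print("nat+dmz: ", run_scenario(Nat("198.51.100.1", dmz_host="10.0.0.5"),
                                    "198.51.100.1", "10.0.0.5"))
    print("fw+permit", run_scenario(StatefulFirewall(permits={("198.51.100.5", 0)}),
                                    "198.51.100.5", "198.51.100.5"))
```

Both boxes produce the same answer for both packets: the unsolicited echo is dropped, and the oversized reply is delivered because the inside host created the state entry for it. Only the DMZ option on the NAT and the permit rule on the firewall change the first answer, and they do so in exactly the same way.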
More information about the NANOG mailing list