mh (RE: OMB: IPv6 by June 2008)

Sean Doran smd at cesium.clock.org
Fri Jul 8 22:09:57 UTC 2005
On 8 Jul, 2005, at 18:34, Fred Baker wrote:

> A NAT, in that context, is a stateful firewall that changes the  
> addresses, which means that the end station cannot use IPSEC to  
> ensure that it is still talking with the same system on the outside.

Only if you define IPSEC narrowly as AH in order to justify this claim.

There are at least two interesting differences between a NAT and a  
stateful firewall deployed in front of hosts with permanent public  
address space.   The first involves attackers knowing the topological  
name of a victim who may be unshielded by the firewall during narrow  
windows offered by the implementation, its operators, or both in  
combination.   The second involves a predictable rendezvous point for  
covert communications channels.

Not all NATs protect against these classes of attack, however an  
implementation that assigns inside-outside mappings with reasonable  
randomness will.  One which also breaks connections on failures (by  
invalidating existing mappings)  is more fail-safe than one that  
tries to preserve existing state across crashes or fat-fingerings.

People who don't make use of an interoperable and well understood
session protocol resilient against this variety of failure in
connection-oriented transport communications ("identity/locator
binding invalidation") will probably disagree as their various
long-lived sessions terminate abnormally...

Application-layer protocol writers without a session layer would
also have to worry about:

> attacks on TCP such as RST attacks, data insertion, acknowledge  
> hacking, and so on

Planned renumbering may as a side effect result in all of the three  
such "attacks" you explicitly listed.

They may also be flummoxed by having to invent a session layer for an  
application that really wants one, leading to reinventing previously  
discovered gotchas like

> in large delay*bandwidth product situations SSH's window is a  
> performance limit

Finally:

> In other words, a NAT is a man-in-the-middle attack, or is a device  
> that forces the end user to expose himself to man-in-the-middle  
> attacks. A true stateful firewall that allows IPSEC end to end  
> doesn't expose the user to those attacks.

The men in the middle are the I* officers who have refused for more  
than a decade to admit they don't know everything, that market forces  
are not always driven by evil doing architectural impurists with  
nothing to teach their elders (which is incongruous with early I*  
tensions with the former CCITT), or that they have their heads buried  
neck deep in NIH kitty litter (ditto).

A NAT is a tool many people find useful enough to deploy, maintain  
and even pay money for, despite the ready availability of  
substitutable tools, and

The IP (both flavours) network and transport layers are very badly
designed with respect to host renumbering.   Renumbering has been a
fact of life since before the early 90s.   There is no
as-widely-promoted-as-TCP session layer to help mitigate renumbering's
effects.   There is also institutional resistance to fixing this
aspect of the design of the N+T layers in I*.

So, people who have actually deployed and run networks where
renumberings happen, deployed NATs simply because that was one of
the only solutions readily and mostly interoperably available to
them.   It is unsurprising that the voluntary standards organization
dominated by people who have fought against technology to cope with
(or even embrace) live renumbering is likewise ridden with loudmouths
who call NATs "attack"s.

What is it exactly that NATs attack, Fred?

     Sean.
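The two NAT properties argued for above (inside-outside mappings assigned with reasonable randomness, and bindings invalidated rather than preserved when the box restarts) can be checked concretely. The following is an added example, not code from the original message or from any real NAT implementation: a toy binding table with a sequential and a random external-port allocator, a constructed burst of outbound flows from one inside host, and a predictability score that measures how often the next external port is simply the previous one plus one. The `Nat` class, `Flow` type, IP addresses and port ranges are all hypothetical.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """A connection seen from the inside: inside host/port to outside host/port."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Toy port-translating NAT binding table (hypothetical; not any real implementation)."""

    def __init__(self, public_ip: str, randomize: bool,
                 port_range: Tuple[int, int] = (1024, 65535)) -> None:
        self.public_ip = public_ip
        self.randomize = randomize
        self.lo, self.hi = port_range
        self._next = self.lo                 # only used by the sequential allocator
        self._out: Dict[Flow, int] = {}      # inside flow -> external port
        self._in: Dict[int, Flow] = {}       # external port -> inside flow

    def _alloc_port(self) -> int:
        span = self.hi - self.lo + 1
        if len(self._in) >= span:
            raise RuntimeError("port pool exhausted")
        if self.randomize:
            # Random mapping: earlier bindings reveal nothing about the next one,
            # so there is no predictable rendezvous point on the public side.
            while True:
                port = self.lo + secrets.randbelow(span)
                if port not in self._in:
                    return port
        # Sequential mapping: the next external port is the previous one plus one.
        port = self._next
        while port in self._in:
            port = self.lo + (port + 1 - self.lo) % span
        self._next = self.lo + (port + 1 - self.lo) % span
        return port

    def outbound(self, flow: Flow) -> Tuple[str, int]:
        """Translate an inside flow; reuse an existing binding or allocate a new one."""
        if flow not in self._out:
            port = self._alloc_port()
            self._out[flow] = port
            self._in[port] = flow
        return self.public_ip, self._out[flow]

    def inbound(self, external_port: int) -> Optional[Flow]:
        """Map a packet arriving on the public address back to its inside flow, if bound."""
        return self._in.get(external_port)

    def reset(self) -> None:
        """Fail-safe restart: invalidate every binding instead of preserving state."""
        self._out.clear()
        self._in.clear()
        self._next = self.lo


def observed_ports(nat: Nat, n: int) -> List[int]:
    """Open n distinct outbound flows from one inside host (constructed traffic)
    and record the external port each was given."""
    ports = []
    for i in range(n):
        flow = Flow("10.0.0.5", 40000 + i, "192.0.2.1", 443)
        _, port = nat.outbound(flow)
        ports.append(port)
    return ports


def predictability(ports: List[int]) -> float:
    """Fraction of consecutive allocations where the new port is exactly previous + 1."""
    if len(ports) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(ports, ports[1:]) if b == a + 1)
    return hits / (len(ports) - 1)


if __name__ == "__main__":
    seq = Nat("203.0.113.7", randomize=False)
    rnd = Nat("203.0.113.7", randomize=True)
    print("sequential allocator predictability:", predictability(observed_ports(seq, 20)))
    print("random allocator predictability:    ", predictability(observed_ports(rnd, 20)))
    seq.reset()
    print("after reset, inbound on an old external port maps to:", seq.inbound(1024))
```

Run against the sequential allocator the score is 1.0, which is the "predictable rendezvous point" the message warns about; against the random allocator it is essentially 0. The `reset()` method models the fail-safe behaviour the message prefers: after a restart, packets arriving on a previously bound external port no longer reach any inside host, so a stale mapping cannot be reused by whoever observed it.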
