Security gain from NAT (was: Re: Cool IPv6 Stuff)

Nathan Ward nanog at daork.net
Tue Jun 5 11:27:25 UTC 2007



On 5/06/2007, at 9:29 PM, <michael.dillon at bt.com>  
<michael.dillon at bt.com> wrote:

>
>
>> I posit that a screen door does not provide any security.
>
> "Any" is too strong a word. For people living in an area with
> malaria-carrying mosquitoes, that screen door may be more important  
> for
> security than a solid steel door with a deadbolt. It all depends on  
> what
> the risks are, what you are protecting, and where your priorities are.
>
> It is rather odd to see this discussion just a few weeks after the  
> IETF
> issued RFC 4864 to address just this misconception of NAT. How many of
> the participants have read the RFC? Assuming vendors of cheap consumer
> IPv6 gateway boxes implement all the LNP (Local Network Protection)
> features of RFC 4864, is there any reason for these boxes to also
> support NAT?
>
> As far as I can see the only good reason to put NAT in an IPv6 gateway
> is because uneducated consumers demand it as a checklist feature. In
> that case, let's hope that it is off by default and that disabling the
> NAT does not disrupt any of the other LNP features. That way, when the
> customer calls the support desk to complain that they are not getting
> SIP calls from Mom, you can tell them to turn off the NAT and try  
> again.

Precisely.
I don't think anyone is suggesting that you should put NAPT in an  
IPv6 gateway. A few days ago it was suggested by Sam Stickland that a  
blocker to moving to IPv6 was the lack of NAPT, and the security  
features that are an integral part of it's functionality.

The comment was then made (I think by Owen DeLong, although he  
implied it instead of stating it clearly) that stateful inspection  
can be done independently of NAPT, and that the anonymity can be  
provided by the privacy extensions was mentioned by both myself and  
someone else. Noone has disputed either of those two points so far.

The counterpoint seems to be that you get stateful inspection with  
NAPT, which isn't really disputed, as it's obvious.

It seems that that's been misinterpreted as people suggesting that  
instead of IPv6 and SI+Privacy, we go with IPv6 and NAPT, and to that  
people are saying "Just use SI".


I'm unclear as to why this is still being discussed to be honest, as  
noone is claiming that NAPT provides additional security over SI 
+Privacy, which was presented as a solution to the original concern.  
The rest seems to just be trying to pick holes in misinterpretations  
of each others posts, which doesn't really go anywhere, let alone  
make sense.


As I see it, the next step for everyone here is educating people that  
NAPT-equivalent security can be provided in other ways. Let's focus  
our energies on that, instead of pointless debate. So, when talking  
to your CPE vendor about IPv6, make SI a requirement, and encourage  
end users to turn on Privacy extensions for address selection.

It shouldn't be a hard sell at all - the only consumer grade routers  
that I'm aware of that do IPv6 are the Cisco 8xx, and the Apple  
Airport Extreme (n). Both do SI, the Airport does it by default (now).

--
Nathan Ward




More information about the NANOG mailing list