Only 5x IPv4 /8 remaining at IANA

Tony Hain alh-ietf at tndh.net
Mon Oct 18 16:47:29 UTC 2010


Owen DeLong wrote:
> ...
> 
> It's really unfortunate that most people don't understand the
> distinction.
> If they did, it would help them to realize that NAT doesn't actually do
> anything for security, it just helps with address conservation
> (although
> it has some limits there, as well).

Actually, NAT does something for security: it decimates it. Any 'real'
security system (physical, technology, ...) includes some form of audit
trail. NAT explicitly breaks any form of audit trail, unless you are the one
operating the header mangling device. Given that there is no limit to the
number of NAT devices along a path, there can be no limit to the number of
people operating them. This means there is no audit trail, and therefore NO
SECURITY.

> 
> IPv6 with SI is no less secure than IPv4 with SI+NAT. If you're worried
> about address and/or topological obfuscation, then, IPv6 offers you
> privacy addresses with rotating numbers. However, that's more a
> privacy issue than a security issue, unless you believe in the idea
> of security through obscurity which is pretty well proven false.

A different way to look at this is less about obscurity, and more about
reducing your overall attack surface. A node using a temporal address is
vulnerable while that address is live, but as soon as it is released that
attack vector goes away. Attackers that harvest addresses through the
variety of transactions that a node may conduct will have a limited period of
time to try to exploit that.

This is not to say that you don't want stateful controls, just that if
something inside the stateful firewall has been compromised there will be a
limited period of time to use the dated knowledge.

Tony