NIST IPv6 document

Owen DeLong owen at
Mon Jan 10 18:57:54 CST 2011

On Jan 10, 2011, at 4:22 PM, Jeff Kell wrote:

> On 1/10/2011 6:55 PM, Owen DeLong wrote:
>> Nonetheless, NAT remains an opaque screen door at best.
>> If the bad guy is behind the door, it helps hide him.
>> If the bad guy is outside the door, the time it takes for his knife to cut through it is so small as to be meaningless.
> For a "server" expected to be open to anyone, anywhere, anytime... yes. 
> Otherwise no.
Uh, yes. For a server, it's a transparent hole in the wall.

> NAT overload (many to 1), and 1-to-1 NAT with some timeout value both
> serve to disconnect the potential targets from the network, absent any
> static NAT or port mapping (for "servers").
No, they don't, really. Once the host becomes compromised via other
means, it readily opens whatever necessary holes in the NAT to permit
the undesirable traffic in.

Additionally, even an un-compromised host may open the needed
holes in NAT through processes like 6to4 and Teredo.

> RFC-1918 behind NAT insures this (notwithstanding pivot attacks).
Stateful inspection without address mangling does just as much to insure
this as NAT. You, like so many others, are confusing the security benefits
of stateful inspection with the misapplication of the term NAT.

> It is a decreasing risk, given the typical user initiated compromise of
> today (click here to infect your computer), but a non-zero one.
> The whole IPv6 / no-NAT philosophy of "always connected and always
> directly addressable" eliminates this layer.
No, it doesn't. A good stateful firewall in front of an IPv6 host without NAT
does every bit as much to protect it as the NAT box in your RFC-1918
scenario can.

The problem is that everyone assumes directly addressable means
directly reachable because they've become so ingrained in this world
of NAT that they forget that it is possible to implement effective stateful
security without it.

The big difference between stateful inspection without NAT and with
overloaded NAT is that in the overloaded NAT case, it will help hide
the bad guy from the audit trails whereas the non-NAT approach does
not do so.


More information about the NANOG mailing list