SNaslund at medline.com
Mon Mar 24 16:43:04 UTC 2014
I think it would be just as easy to claim that breaking the end-to-end model is more of a security concern than lack of NAT. Having the NAT is essentially condoning a permanent man-in-the-middle. A lot of customers do believe that NAT adds to their security. I would advise them however that it probably offers a lot less than they think. It is a very common technique to get an inside computer to establish a connection out to a bad host. That's how most of the malware today works (through the "extra layer of defense" that NAT provides), so I am not seeing how much worse IPv6 would make things. If you are going to allow inbound connections to your internal machines from anywhere you are insecure. How hard is it to block inbound connections with a firewall? If the user cannot accomplish that then there is not much we can do to save them.
I suppose NAT could add some sort of minimal additional assurance but if you cannot pull off a simple firewall or routing policy you are already unable to adequately secure your network.
I see no technical reason that someone could not implement a transparent proxy whether it is v4 or v6. It does not really violate the end-to-end model because the proxy connects to the remote system and the local system connects to the proxy so there really is not an end-to-end connection as much as there are two separate connections. For that matter, is there really a technical reason that you could not do a NAT if you wanted to with IPv6? All we are really talking about here is replacing one address with another. Could you not get something similar by translating a routable IPv6 address to a link local address? I don't think I would want to but I suppose you could if you are really married to NAT and private addressing.
I, for one, will not miss NAT very much. I have seen enough misconfigured NATs and holes being punched through firewalls because applications don't like NATs to believe that they are at least as much trouble as they are worth as a security feature.
From: William Herrin [mailto:bill at herrin.us]
Sent: Monday, March 24, 2014 11:21 AM
To: Karl Auer
Cc: nanog at nanog.org
Subject: Re: misunderstanding scale
On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer <kauer at biplane.com.au> wrote:
> Addressable is not the same as
> accessible; routable is not the same as routed.
Indeed. However, all successful security is about _defense in depth_.
If it is inaccessible, unrouted, unroutable and unaddressable then you have four layers of security. If it is merely inaccessible and unrouted you have two.
William D. Herrin ................ herrin at dirtside.com bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
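The "block inbound connections with a firewall" point above, as an added example that is not part of the original message: a stateful IPv6 ruleset in nftables syntax that gives the same property people credit NAT with (no unsolicited inbound connections, outbound and return traffic allowed) without any address translation. Interface names "lan0" and "wan0" and the single permitted inbound service (SSH to the router itself on port 22) are assumptions for illustration. The ICMPv6 rules are the caveat a practitioner needs: unlike IPv4, dropping all ICMPv6 breaks neighbor discovery, router advertisements and path MTU discovery, so a "drop everything inbound" policy has to carve those out.

```nft
# Added example, not from the original post. Assumes nftables, a router
# with "lan0" (inside) and "wan0" (upstream) interfaces, and that SSH to
# the router itself is the only service reachable from outside.
table ip6 filter {
    chain input {
        # Traffic addressed to the router itself: default deny.
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept   # return traffic for our own connections
        ct state invalid drop

        # Without these, IPv6 does not work at all: neighbor discovery,
        # router advertisements and PMTUD all ride on ICMPv6.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert,
                      destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem,
                      echo-request } accept

        # Assumed: management SSH from the inside only.
        iifname "lan0" tcp dport 22 accept
    }

    chain forward {
        # Traffic through the router between lan0 and wan0: default deny.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept   # replies to connections the inside opened
        ct state invalid drop

        # Inside hosts may open connections to anywhere (this is what
        # NAT also permits; the malware call-out case is unchanged).
        iifname "lan0" oifname "wan0" accept

        # Inbound ICMPv6 that inside hosts need for working connections.
        iifname "wan0" oifname "lan0" icmpv6 type { destination-unreachable,
                      packet-too-big, time-exceeded, parameter-problem,
                      echo-request } accept

        # Any other new connection from wan0 toward the inside hits the
        # drop policy: globally addressable, but not accessible.
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` and check `nft list ruleset`. The forward chain is where the "NAT-equivalent" protection lives: every inside host keeps a global address, but the only packets that reach it from wan0 are replies to connections it initiated plus the listed ICMPv6 types. Exposing a single inside host for a single service is one explicit rule in that chain, which is the same effort as a NAT port forward, minus the application breakage.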