misunderstanding scale

Michael Thomas mike at mtcc.com
Mon Mar 24 20:18:50 UTC 2014


On 3/24/14 10:08 AM, William Herrin wrote:
> On Mon, Mar 24, 2014 at 12:28 PM, Michael Thomas <mike at mtcc.com> wrote:
>> On 03/24/2014 09:20 AM, William Herrin wrote:
>>> On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer <kauer at biplane.com.au> wrote:
>>>> Addressable is not the same as
>>>> accessible; routable is not the same as routed.
>>> Indeed. However, all successful security is about _defense in depth_.
>>> If it is inaccessible, unrouted, unroutable and unaddressable then you
>>> have four layers of security. If it is merely inaccessible and
>>> unrouted you have two.
>> A distinction without a difference, IMHO. Either I can send you an incoming
>> SYN or I can't.
> Hi Mike,
>
> You can either press the big red button and fire the nukes or you
> can't, so what difference how many layers of security are involved
> with the "Football?"
>
> I say this with the utmost respect, but you must understand the
> principle of defense in depth in order to make competent security
> decisions for your organization. Smart people disagree on the details
> but the principle is not only iron clad, it applies to all forms of
> security, not just IP network security.
>
>

The point here is that your "depth" is the same with or without NAT. The
act of address translation does not alter its routability; it's the firewall rules
that say "no incoming SYNs without an existing connection state", etc. That is,
and always has been, the business end of firewalls.

The other thing about v6 is that counting on addressability in any way, shape
or form is a fool's errand: hosts want desperately to number their interfaces
with whatever GUAs they can, given RAs, etc. So you may think you're only giving
out ULAs, but I wouldn't count on that from a security perspective. v6 is not like
DHCPv4 even a little in that respect: if the hosts can get a GUA, they will configure
it and use it.

Mike
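The "you may think you're only giving out ULAs" point above is easy to check on a host. The script below is an added example, not part of the original thread or of any project: it parses `ip -6 addr show` output and reports every global unicast address (GUA) an interface has picked up, noting whether the kernel got it from SLAAC. The sample output is constructed for the example (documentation prefix 2001:db8::/32 standing in for a real GUA prefix); the function names are the example's own. One detail worth knowing: `ip` prints ULAs as "scope global" too, so the classification is done on the prefix, not on the scope word.

```python
import ipaddress
import re

# RFC 4193 ULA, RFC 4291 link-local, and the currently allocated GUA range.
ULA = ipaddress.ip_network("fc00::/7")
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
GUA = ipaddress.ip_network("2000::/3")

# Constructed sample: what `ip -6 addr show` prints on a host that was meant to
# be ULA-only (fd00:1234:5678:1::/64) but accepted a router advertisement for
# 2001:db8:1:2::/64 and autoconfigured a stable and a temporary address from it.
SAMPLE_IP6_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:1a2b:3cff:fe4d:5e6f/64 scope global dynamic mngtmpaddr
       valid_lft 86394sec preferred_lft 14394sec
    inet6 2001:db8:1:2:9f3e:2a1c:77b4:c0de/64 scope global temporary dynamic
       valid_lft 86394sec preferred_lft 14394sec
    inet6 fd00:1234:5678:1::10/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::1a2b:3cff:fe4d:5e6f/64 scope link
       valid_lft forever preferred_lft forever
"""

# "2: eth0: <...>" header lines and "    inet6 addr/len scope X flags..." lines.
IFACE_RE = re.compile(r"^\d+:\s+([^:@]+)[:@]")
INET6_RE = re.compile(r"^\s+inet6\s+([0-9a-fA-F:]+)/(\d+)\s+scope\s+(\S+)(.*)$")


def classify(addr: str) -> str:
    """Classify an IPv6 address by prefix. The 'scope' word printed by `ip`
    is not enough: a ULA is shown as 'scope global' just like a GUA."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL:
        return "link-local"
    if a in ULA:
        return "ULA"
    if a in GUA:
        return "GUA"
    if a.is_loopback:
        return "loopback"
    return "other"


def parse_ip6_addr(text: str):
    """Yield (iface, address, prefixlen, scope, flags) for every inet6 line."""
    iface = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = INET6_RE.match(line)
        if m and iface is not None:
            addr, plen, scope, rest = m.groups()
            yield iface, addr, int(plen), scope, rest.split()


def find_gua(text: str):
    """Return [(iface, address, origin)] for every global unicast address.
    'dynamic' among the flags means the kernel learned the address from an
    RA (SLAAC), i.e. nobody configured it on purpose."""
    found = []
    for iface, addr, _plen, _scope, flags in parse_ip6_addr(text):
        if classify(addr) == "GUA":
            origin = "slaac" if "dynamic" in flags else "static"
            found.append((iface, addr, origin))
    return found


if __name__ == "__main__":
    # On a real host: subprocess.run(["ip", "-6", "addr", "show"], ...) and
    # feed its stdout in place of the constructed sample.
    for iface, addr, origin in find_gua(SAMPLE_IP6_ADDR):
        print(f"{iface}: {addr} ({origin})")
```

On the sample, both 2001:db8:1:2::/64 addresses on eth0 are reported as SLAAC-derived while the ULA and link-local addresses are not listed, which is exactly the situation the post warns about: a ULA-only plan that a single on-link RA silently turned into a globally addressable host. Whether that host is reachable is still decided by the firewall's connection-state rules, not by the addresses it holds.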
