misunderstanding scale

Naslund, Steve SNaslund at medline.com
Tue Mar 25 02:47:31 UTC 2014

Exactly right.  In fact that is generous because the v6 host having a stateful firewall has a real protocol-aware firewall (and often bundled IDS/IPS capability), not just a NAT, to protect him.  

The NAT provides almost no security once a single host behind the NAT is compromised and makes an outbound connection.  Bang, instant VPN connection to the internal network.  A perimeter defense relying on NAT is a house of cards that only needs one nick for the whole thing to come down.  Lots and lots of enterprises count on a hard perimeter and almost nothing behind it so once I am in behind your NAT, you are unlikely to notice it until something real bad happens.  That is the state of most enterprise network security today.

C'mon guys, how many botnets and DDoS attacks do we need to see coming from home computers that are almost all behind NATs to realize that NAT is not a security feature?  For you service providers out there, how many of your residential customers behind your NAT do you think are compromised in some way?

If you can find a large enterprise that has not one piece of malware running on a single workstation, I will be surprised.  With so many BYODs and laptops going in and out of your NAT perimeter there is no way you can assert that nothing behind your NAT is compromised.  At least with v6 we can have a better idea of where a rogue connection is coming from.  

Look at it this way.  If I see an attack coming from behind your NAT, I'm gonna deny all traffic coming from your NAT block until you assure me you have it fixed because I have no way of knowing which host it is coming from. Now your whole network is unreachable. If you have a compromised GUA host I can block only him.  Better for both of us, no?

How about a single host spamming behind your NAT blocking your entire corporate public network from email services?  Anyone ever see that one?  IPv6 GUAs allow us to use fly swatters instead of sledgehammers to deal with that.

Maybe GUAs will convince (scare) more enterprise users to actually treat the internal network as an environment that needs to be secured as well.  We can only hope.

Steven Naslund

>>Bzzzt... But thanks for playing.

>>An IPv6 host with a GUA behind a stateful firewall with default deny is every bit as secure as an IPv4 host with an RFC-1918 address behind a NAT44 gateway.
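A small model of the two points made above, added here as an example and not code from the thread or from any NANOG participant: a stateful default-deny filter in front of IPv6 GUA hosts and the same filter with NAT44 source translation both drop unsolicited inbound traffic and both admit the return path once an inside host calls out, while only the GUA design lets an upstream operator block the one offending host. The class names (StatefulFilter, Nat44), block_scope and the documentation-range addresses are this example's own assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, IPv4Address
# Constructed model, not code from the thread: RFC 5737 / RFC 3849 addresses,
# and the class and function names below are this example's own.
@dataclass
class StatefulFilter:
    """Default-deny filter in front of inside hosts (the IPv6 GUA case)."""
    hosts: frozenset                          # inside hosts (ip_address objects)
    flows: set = field(default_factory=set)   # reply tuples allowed back in

    def outbound(self, src, sport, dst, dport):
        """An inside host opens a connection; remember the reply tuple."""
        self.flows.add((dst, dport, src, sport))

    def inbound(self, src, sport, dst, dport):
        """Unsolicited inbound is dropped; only replies to known flows pass."""
        return (src, sport, dst, dport) in self.flows

    def seen_from_outside(self, host):
        """Address an upstream operator sees, and would block, for this host."""
        return host

@dataclass
class Nat44(StatefulFilter):
    """Same stateful filter, plus source translation to one public address."""
    public: IPv4Address = ip_address("203.0.113.1")

    def outbound(self, src, sport, dst, dport):
        super().outbound(self.public, sport, dst, dport)  # replies target the NAT

    def seen_from_outside(self, host):
        return self.public                                # every inside host looks alike

def block_scope(fw, abuse_host):
    """Inside hosts cut off when upstream blocks the address it saw abuse from."""
    seen = fw.seen_from_outside(abuse_host)
    return {h for h in fw.hosts if fw.seen_from_outside(h) == seen}

def demo():
    v4 = Nat44(hosts=frozenset(ip_address(f"10.0.0.{i}") for i in (1, 2, 3)))
    v6 = StatefulFilter(hosts=frozenset(ip_address(f"2001:db8::{i}") for i in (1, 2, 3)))
    remote = ip_address("198.51.100.7")       # constructed outside address
    results = {}
    for name, fw, victim in (("nat44", v4, ip_address("10.0.0.2")),
                             ("v6gua", v6, ip_address("2001:db8::2"))):
        unsolicited = fw.inbound(remote, 40000, fw.seen_from_outside(victim), 22)
        fw.outbound(victim, 50000, remote, 443)   # compromised inside host calls out
        callback = fw.inbound(remote, 443, fw.seen_from_outside(victim), 50000)
        results[name] = (unsolicited, callback, len(block_scope(fw, victim)))
    return results
```

demo() returns, per design, (unsolicited inbound admitted, return path admitted after the outbound call, hosts cut off by an upstream block); both designs give False then True, but the block cuts off 3 hosts behind NAT44 and 1 host with GUAs.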
