misunderstanding scale

Owen DeLong owen at delong.com
Tue Mar 25 03:22:10 UTC 2014


On Mar 24, 2014, at 10:35 AM, Laszlo Hanyecz <laszlo at heliacal.net> wrote:

> 
> On Mar 24, 2014, at 5:05 PM, "Patrick W. Gilmore" <patrick at ianai.net> wrote:
> 
>> On Mar 24, 2014, at 12:21, William Herrin <bill at herrin.us> wrote:
>>> On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve <SNaslund at medline.com> wrote:
>> 
>>>> I am not sure I agree with the basic premise here.   NAT or Private addressing does not equal security.
>> 
>>> Many of the folks you would have deploy IPv6 do not agree. They take
>>> comfort in the mathematical impossibility of addressing an internal
>>> host from an outside packet that is not part of an ongoing session.
>>> These folks find that address-overloaded NAT provides a valuable
>>> additional layer of security.
>>> 
>>> Some folks WANT to segregate their networks from the Internet via a
>>> general-protocol transparent proxy. They've had this capability with
>>> IPv4 for 20 years. IPv6 poorly addresses their requirement.
>> 
> 
> It's unfortunate that it is the way it is, but many enterprise people have this ingrained in them - they don't want to be connected to the internet except for a few exceptions.  Just the fact that they can't ping their machines gives them a warm and fuzzy.  In a run-of-the-mill default NAT setup, you can deploy a network printer with no security and nobody from the internet can print to it.  It's default deny, even without setting anything else up, by virtue of not being on the internet and not having an address.  I know there are ways to subvert a NAT but that applies to perimeter and host firewalls too.  IPv6 global numbers are great for those of us that actually want to connect to the internet, but enterprise people with rfc1918 numbering have gotten used to being disconnected, and while most of us know that it's trivial to firewall IPv6, it's still a big jump from using a NAT/proxy to being 'on the internet'.  It's even more complex if it's only halfway and there are two different protocols to manage.

This mindset is why so many printers are delivering copies of everything printed to $badguy without the knowledge of many IT departments.

You may not be able to print to it, but really, if you had access to a random printer somewhere, how many people would really want to print to it?

In my experience, having had such a device online as an experiment for several years, it’s a very small number. In more than 5 years with such a device online with no NAT, no packet filter, nothing, only 3 print jobs came in from unauthorized users. Lots of other things were done to the printer to try to get it to do various things a printer just shouldn’t do.

Now, just having the printer behind NAT doesn’t prevent that, because likely someone who has access to the printer inside the organization will download some piece of malware that reprograms the printer as desired, eliminating the need to compromise the printer through the NAT.

> People will always resist change, and in this case, why should they change when it's only going to make their job harder?  Makes sense to me, but I wish it weren't that way.  They will probably just find ways to proxy and NAT IPv6 too, so that it fits the IPv4 model with 'private' addresses.

I suppose it’s possible, but I think, so far, education actually seems to be making progress. Please don’t give up hope yet.

Owen
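The property Laszlo describes (an unsolicited packet from the internet cannot reach an inside host, while replies to sessions the inside opened get through) is a stateful-filter property, not an addressing property. The model below is an added example, not code from anyone in this thread: it replays constructed packets through a minimal connection tracker with a default-deny inbound policy on globally routed IPv6 addresses, and includes Owen's case of an inside host talking to the printer, which no perimeter device ever sees. The prefix 2001:db8:1::/64, the host addresses and the ports are invented for the illustration.

```python
"""Model of 'default deny unless part of an ongoing session' on global IPv6.

Added example for the NANOG discussion, not code from the thread. Hosts,
prefixes and ports are constructed for the illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("2001:db8:1::/64")   # assumed site prefix (documentation range)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def flow(self):
        """Five-tuple as seen from the sender's side."""
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_flow(self):
        """Five-tuple of the session this packet would be a reply to."""
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class StatefulFilter:
    """Perimeter device: connection tracking plus an explicit inbound allow-list.

    Same policy a NAT gives RFC 1918 hosts for free, stated explicitly.
    """

    def __init__(self, inside=INSIDE, allow_inbound=()):
        self.inside = inside
        self.allow_inbound = set(allow_inbound)   # (dst, dport, proto) exceptions
        self.sessions = set()                     # flows opened from inside

    def _is_inside(self, addr):
        return ip_address(addr) in self.inside

    def decide(self, pkt):
        src_in, dst_in = self._is_inside(pkt.src), self._is_inside(pkt.dst)
        if src_in and dst_in:
            # Inside-to-inside traffic never crosses the perimeter; neither a
            # NAT nor this filter has any say over it (Owen's malware case).
            return "accept"
        if src_in and not dst_in:
            # Outbound: remember the session so its replies are admitted.
            self.sessions.add(pkt.flow())
            return "accept"
        if dst_in and not src_in:
            # Inbound: only replies to tracked sessions or listed exceptions.
            if pkt.reverse_flow() in self.sessions:
                return "accept"
            if (pkt.dst, pkt.dport, pkt.proto) in self.allow_inbound:
                return "accept"
            return "drop"
        return "drop"   # transit traffic that is neither from nor to the site


def scenario():
    """Replay constructed traffic; return the filter's decisions in order."""
    fw = StatefulFilter(allow_inbound={("2001:db8:1::25", 25, "tcp")})  # mail host only
    pc = "2001:db8:1::10"
    printer = "2001:db8:1::9100"     # printer with no authentication at all
    attacker = "2001:db8:ffff::1"
    web = "2001:db8:2::80"
    traffic = [
        Packet(pc, 50000, web, 443),                   # PC opens a session
        Packet(web, 443, pc, 50000),                   # reply: part of that session
        Packet(attacker, 4444, printer, 9100),         # unsolicited print job
        Packet(attacker, 4444, printer, 80),           # poke at the admin page
        Packet(attacker, 5555, "2001:db8:1::25", 25),  # listed exception
        Packet(pc, 50001, printer, 9100),              # inside host reaches printer
    ]
    return [fw.decide(p) for p in traffic]


if __name__ == "__main__":
    for verdict in scenario():
        print(verdict)
```

Run it and the two attacker packets aimed at the printer are dropped while the PC's reply and the mail exception pass, which is exactly what the "warm and fuzzy" NAT setup delivers; the last packet shows the limit of both: traffic that never crosses the perimeter is untouched. On a real IPv6 edge the same policy is a chain with policy drop, a `ct state established,related accept` rule, and one explicit accept per exception, which is the sense in which firewalling IPv6 is trivial.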