Redeploying most of 127/8 as unicast public
Joe Maimon
jmaimon at jmaimon.com
Sun Nov 21 03:47:10 UTC 2021
Owen DeLong via NANOG wrote:
(snips for brevity and reply relevancy)
>
> This is a common fallacy… The real concept here isn’t “universal
> reachability”, but universal transparent addressing. Policy then
> decides about reachability.
>
> Think stateful firewall without NAT.
>
> No, NAT is not a firewall. The stateful inspection that NAT depends on
> is a firewall.
>
> You can do all of the exact same things without needing NAT. You just
> get additional capabilities without NAT that you didn’t have with NAT
> due to the limitations of shared addressing.
>
> You can do stateful inspection and reject unwanted packets without
> having to mutilate the packet header in the process.
>
>
> Owen
>
You are completely correct in theory.
However, in IPv4 there is a generally true assumption that there are all
these sorts of devices that will be deployed in a somewhat secure
fashion and not by virtue of any particular efforts on the part of their
manufacturers, because they are rarely deployed without a NAT in front of
them simply due to address scarcity, where NAT becomes a feature of
network functionality and not of network security.
The hope that there will be equivalent pervasiveness of a stateful
deny-any layer in front of these classes of devices or that they will be
deployed|developed with sufficient/equivalent security without that
layer is not nearly as reassuring.
Worse, with the assumption of NAT induced security in place it's all too
logical to predict and expect that these devices are woefully
under-equipped to protect themselves in any way without it.
Best case scenario is that practically all SOHO v6 gateways' default
configuration is stateful deny-any. In which case all you can hope to
get from theoretical E2E is less packet mangling.
(Packet mangling is a good test case for protocols that needlessly commit
layering violations by embedding lower layer addressing directly or
implicitly into their behavior, so NAT has actually been beneficial in
this manner)
The security conscious are better off deploying these devices with IPv6
turned off. Much less chance of them accidentally becoming individually
responsible for their own protection due to any network changes that may
not take their existence or particularly sensitive and vulnerable state
into consideration.
Further, security track records as they are suggest that security will
never become the prime focus or even more than an afterthought for the
producers of these classes of devices.
We can all wish that were not the case but it would be naive to assume
otherwise.
Joe
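As an added illustration of the "stateful deny-any without NAT" gateway that both posts describe (example nftables ruleset written for this page, not configuration from either poster), the following ruleset gives IPv6 the same default-deny posture that IPv4 hosts get as a side effect of NAT. The interface names lan0/wan0 are assumed; the IPv4 masquerade rule is kept only for address sharing and contributes nothing to the filtering, which lives entirely in the forward chain.

```nft
#!/usr/sbin/nft -f
# SOHO gateway, dual-stack. Security comes from the stateful forward
# chain; NAT is present for IPv4 address scarcity only.
flush ruleset

table inet filter {
    chain forward {
        # Default-deny for everything crossing the router, v4 and v6.
        type filter hook forward priority 0; policy drop;

        # Replies to flows the LAN originated are the only inbound
        # traffic allowed: this is the "stateful inspection" NAT relied on.
        ct state established,related accept
        ct state invalid drop

        # LAN devices may open new outbound flows.
        iifname "lan0" oifname "wan0" accept

        # Unlike the NAT case, a v6 host keeps its global address, so
        # ICMPv6 error messages (RFC 4890) must still reach it or PMTUD
        # and error reporting break even though all other unsolicited
        # inbound traffic is dropped.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Everything else, including unsolicited inbound to the
        # "woefully under-equipped" LAN devices, hits policy drop.
    }
}

# IPv4 only: address sharing. Removing this table changes reachability
# for v4 (no public address), but not the filtering above.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "wan0" masquerade
    }
}
```

Loading the ruleset and then running `nft list ruleset` shows the ip nat table holds no accept/drop decisions at all, which is the point: dropping the NAT table leaves IPv6 (and a routed IPv4 block) with the identical deny-any posture.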