Redeploying most of 127/8 as unicast public

Joe Maimon jmaimon at jmaimon.com
Sun Nov 21 03:47:10 UTC 2021



Owen DeLong via NANOG wrote:

(snips for brevity and reply relevancy)
>
> This is a common fallacy… The real concept here isn’t “universal 
> reachability”, but universal transparent addressing. Policy then 
> decides about reachability.
>
> Think stateful firewall without NAT.
>
> No, NAT is not a firewall. The stateful inspection that NAT depends on 
> is a firewall.
>
> You can do all of the exact same things without needing NAT. You just 
> get additional capabilities without NAT that you didn’t have with NAT 
> due to the limitations of shared addressing.
>
> You can do stateful inspection and reject unwanted packets without 
> having to mutilate the packet header in the process.
>
>
> Owen
>

You are completely correct in theory.

However, in IPv4 there is a generally true assumption that all these 
sorts of devices will be deployed in a somewhat secure fashion, and not 
by virtue of any particular effort on the part of their manufacturers, 
because they are rarely deployed without a NAT in front of them simply 
due to address scarcity, where NAT becomes a feature of network 
functionality and not of network security.

The hope that there will be equivalent pervasiveness of a stateful 
deny-any layer in front of these classes of devices, or that they will be 
deployed/developed with sufficient/equivalent security without that 
layer, is not nearly as reassuring.

Worse, with the assumption of NAT-induced security in place, it's all too 
logical to predict and expect that these devices are woefully 
under-equipped to protect themselves in any way without it.

Best case scenario is that practically all SOHO v6 gateways' default 
configuration is stateful deny-any. In which case all you can hope to 
get from theoretical E2E is less packet mangling.

(Packet mangling is a good test case for protocols that needlessly commit 
layering violations by embedding lower-layer addressing directly or 
implicitly into their behavior, so NAT has actually been beneficial in 
this manner.)

The security conscious are better off deploying these devices with IPv6 
turned off. Much less chance of them accidentally becoming individually 
responsible for their own protection due to any network changes that may 
not take their existence or particularly sensitive and vulnerable state 
into consideration.

Further, security track records as they are suggest that security will 
never become the prime focus or even more than an afterthought for the 
producers of these classes of devices.

We can all wish that were not the case but it would be naive to assume 
otherwise.

Joe
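The "stateful firewall without NAT" and "stateful deny-any" SOHO gateway that the two messages above argue over, written out as an nftables ruleset. This is an added example and not something posted in the thread or shipped by any vendor; it assumes a Linux dual-stack gateway with eth0 as the WAN interface and eth1 as the LAN interface, and the interface names and addressing are constructed for illustration. The forward chain makes the same inbound decision for IPv4 and IPv6 purely from connection-tracking state; the IPv4 NAT table is layered on afterwards and plays no part in that decision.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread): a dual-stack SOHO gateway ruleset in
# which the inbound policy is "stateful deny-any" for both address families,
# and address translation is applied to IPv4 only.
# Assumed interface names: eth0 = WAN (upstream), eth1 = LAN (the devices).
flush ruleset

define WAN = "eth0"
define LAN = "eth1"

table inet filter {
    # Traffic addressed to the gateway itself.
    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        iifname $LAN accept

        # IPv6 does not function without these ICMPv6 messages (NDP, RA, PMTUD).
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        icmp type { destination-unreachable, time-exceeded, parameter-problem, echo-request } accept

        # DHCPv6 replies from the upstream router come from link-local sources
        # and are not always matched by conntrack, so admit the client port.
        iifname $WAN ip6 saddr fe80::/10 udp dport 546 accept
    }

    # Traffic crossing the gateway between LAN and WAN.
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Identical for v4 and v6: an inbound packet is accepted only if the
        # state table already knows the flow, i.e. a LAN host initiated it.
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may open flows outward; nothing is initiated from the WAN.
        iifname $LAN oifname $WAN accept

        # Error and path-MTU signalling must reach LAN hosts even unsolicited.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
    }
}

# IPv4 only: source NAT layered on top of the same filtering. Deleting this
# table changes which IPv4 packets are rewritten, not which are accepted.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

Syntax-check it with `nft -c -f <file>` and load it with `nft -f <file>`. The forward chain's `policy drop` plus the `ct state established,related accept` line is the whole of the "NAT-like" protection Joe describes; it is a property of the gateway, so a device that is moved onto a network without an equivalent forward chain (or given a global IPv6 address by a router that lacks one) is left to defend itself, which is exactly the exposure the message warns about.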