Redeploying most of 127/8 as unicast public

William Herrin bill at herrin.us
Sun Nov 21 22:09:29 UTC 2021


On Sat, Nov 20, 2021 at 7:16 PM Owen DeLong via NANOG <nanog at nanog.org> wrote:
> This is a common fallacy… The real concept here isn’t “universal reachability”, but universal transparent addressing. Policy then decides about reachability.
>
> Think stateful firewall without NAT.
>
> If you want to allow the incoming connection, you simply permit it rather than having to set up some sort of convoluted port forward.
>
> You can allow open access to a hardened host entirely, or you can open specific ports.
>
> What you don’t have to do is carefully map a limited number of external ports to each be forwarded to a particular port on a particular
> internal destination host because you aren’t recycling the one and only public address that all the incoming packets have to first land
> on, each host has its own address that you can simply enable.
>
> So again, how is port forwarding better than this? (it isn’t).

Hi Owen,

This has been hashed and rehashed on this group about a gajillion
times but for the sake of those who are new:

Firewalls are programmed by people. People make mistakes. Lots of
mistakes. 1:1 stateful firewalls and 1:many stateful firewalls (NAT)
behave differently in the face of those mistakes. When 1:1 stateful
firewalls are mistakenly told to pass all traffic they faithfully do
so exposing unhardened hosts directly to the Internet. When 1:many
stateful firewalls (NAT) are mistakenly told to pass all traffic they
can't do so. They don't have enough information to decide which
interior host to send a packet to so they simply break.

One fails as a security perimeter breach. The other fails as a system
down. Pick which security posture you prefer but they're very much not
the same. A knocked over fence versus a lost padlock key and well into
the zombie apocalypse.

Regards,
Bill Herrin


-- 
William Herrin
bill at herrin.us
https://bill.herrin.us/
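The two failure modes Bill describes, modelled as an added example (this is not code from the thread or from any of its authors). Both devices are stateful and both are given the same operator mistake, a permit-any rule at the top of the ACL. The 1:1 firewall has nothing left to stop an unsolicited inbound SYN, so it delivers it to the inside host. The NAT evaluates the same ACL, but without a translation entry (state from an outbound flow, or an explicit port-forward) it has no interior destination to rewrite the packet to, so the packet is dropped. Addresses are constructed from the documentation ranges, the model ignores TCP flags, timeouts and ICMP, and the class and function names are this example's own.

```python
"""Fail-open vs fail-closed: a 1:1 stateful firewall and a 1:many NAT, both
mis-configured with a leading permit-any rule.  Constructed example; the
addresses are from RFC 5737 documentation ranges."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


PERMIT_ANY = ("*", "*", "permit")     # the operator's mistake
DEFAULT_DENY = ("*", "*", "deny")


def policy_allows(rules, pkt):
    """First-match ACL on (destination host, destination port)."""
    for host, port, action in rules:
        if host in ("*", pkt.dst) and port in ("*", pkt.dport):
            return action == "permit"
    return False


class OneToOneFirewall:
    """Every inside host keeps its own globally routed address.  Inbound
    packets pass if they belong to an inside-initiated flow or if the ACL
    permits them; the destination address already names the inside host."""

    def __init__(self, inside_hosts, rules):
        self.inside = set(inside_hosts)
        self.rules = rules
        self.state = set()                # flows initiated from inside

    def outbound(self, pkt):
        self.state.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return pkt                        # nothing to rewrite

    def inbound(self, pkt):
        if pkt.dst not in self.inside:
            return None
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.state:
            return pkt                    # reply to an inside-initiated flow
        return pkt if policy_allows(self.rules, pkt) else None


class NatFirewall:
    """All inside hosts share one public address.  An inbound packet can only
    be delivered if a translation exists: state left by an outbound flow, or
    an explicit port-forward.  The ACL is evaluated on the untranslated packet."""

    def __init__(self, public_ip, rules, forwards=None):
        self.public_ip = public_ip
        self.rules = rules
        self.forwards = dict(forwards or {})   # external port -> (host, port)
        self.table = {}                        # external port -> (host, port, peer)
        self.next_port = 40000

    def outbound(self, pkt):
        ext = self.next_port
        self.next_port += 1
        self.table[ext] = (pkt.src, pkt.sport, pkt.dst)
        return Packet(self.public_ip, ext, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        if pkt.dst != self.public_ip or not policy_allows(self.rules, pkt):
            return None
        entry = self.table.get(pkt.dport)
        if entry and entry[2] == pkt.src:
            host, port, _ = entry
            return Packet(pkt.src, pkt.sport, host, port)
        if pkt.dport in self.forwards:
            host, port = self.forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, host, port)
        return None   # ACL said "permit", but there is no interior host to send it to


def misconfigured_allow_all():
    """Run the same unsolicited SSH probe against both devices."""
    broken = [PERMIT_ANY, DEFAULT_DENY]
    fw = OneToOneFirewall(["198.51.100.5", "198.51.100.6"], broken)
    nat = NatFirewall("198.51.100.1", broken, forwards={8080: ("10.0.0.6", 80)})
    correct_fw = OneToOneFirewall(["198.51.100.5"], [DEFAULT_DENY])

    # Legitimate inside-initiated HTTPS flow through each device, then its reply.
    fw.outbound(Packet("198.51.100.6", 51000, "192.0.2.10", 443))
    nat_out = nat.outbound(Packet("10.0.0.6", 51000, "192.0.2.10", 443))
    reply_fw = fw.inbound(Packet("192.0.2.10", 443, "198.51.100.6", 51000))
    reply_nat = nat.inbound(Packet("192.0.2.10", 443, "198.51.100.1", nat_out.sport))

    attacker = "203.0.113.9"
    return {
        "one_to_one_unsolicited": fw.inbound(Packet(attacker, 55555, "198.51.100.5", 22)),
        "one_to_one_correct_policy": correct_fw.inbound(Packet(attacker, 55555, "198.51.100.5", 22)),
        "nat_unsolicited": nat.inbound(Packet(attacker, 55555, "198.51.100.1", 22)),
        "nat_forwarded_port": nat.inbound(Packet(attacker, 55555, "198.51.100.1", 8080)),
        "one_to_one_reply": reply_fw is not None,
        "nat_reply": reply_nat is not None and reply_nat.dst == "10.0.0.6",
    }


if __name__ == "__main__":
    for name, result in misconfigured_allow_all().items():
        print(f"{name}: {'delivered ' + str(result) if result else 'dropped'}")
```

Note what the result table shows: both devices still carry inside-initiated traffic and its replies, the 1:1 firewall with a correct deny-default policy drops the probe, and the NAT only ever exposes the one host named in its explicit port-forward. The behaviour under the mistake is the only place they diverge, which is exactly the posture difference the post is describing; it is not an argument that NAT is a substitute for a correct policy.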

