North American Network Operators Group


Re: [arin-announce] IPv4 Address Space (fwd)

  • From: Scott McGrath
  • Date: Wed Oct 29 15:56:27 2003

Life would be much simpler without NAT; however, there are non-computer
devices which use the internet to get updates for their firmware that most
of us would prefer not to be globally reachable due to the human error
factor, i.e. "Oops, forgot a rule to protect X".

The radar on your cruise ship uses an IP network to communicate with the
chartplotter, GPS and depth sounder. Do you really want _this_ gear globally
reachable via the internet? Remember, if it's globally reachable it is
subject to compromise.

A good example of this is building control systems which get firmware
updates via FTP!!!! from their maker. Usually there is no manual system
for updating them offline and allowing them to be disconnected from the
internet, as in my opinion they _should_ be.

NAT is not security; just look at what you can do with sFlow to identify
machines behind a NAT. NAT is useful for machines which need to
periodically make a connection to perform some function involving the
network.

This class of devices should not have a globally routable address,
because in many cases security on them is less than an afterthought (short
fixed passwords, no support for secure protocols, etc.).

The other case as pointed out by another poster is overlapping networks 
which need NAT until a renumbering can be accomplished.


                            Scott C. McGrath

On Wed, 29 Oct 2003, Miquel van Smoorenburg wrote:

> 
> In article <[email protected]ard.edu>,
> Scott McGrath  <[email protected]> wrote:
> >And sometimes you use NAT because you really do not want the NAT'ed device
> >to be globally addressable, but it needs to have a link to the outside to
> >download updates. Instrument controllers et al.
> 
> I don't understand. What is the difference between a /24 internal
> NATted network and a /64 internal IPv6 network that is firewalled
> off: only packets to the outside allowed, and packets destined for
> the inside need to have a traffic flow associated with them.
> 
> As I see it, NAT is just a stateful firewall of sorts. A broken one,
> so why not use a non-broken solution?
> 
> We can only hope that IPv6-capable CPE devices have that sort
> of stateful firewalling turned on by default. Or start educating
> the vendors of these el-cheapo CPE devices so that they will
> all have that kind of firewalling enabled before IPv6 becomes
> mainstream.
> 
> Mike.
>
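The "firewalled /64" that Mike describes, as an added simulation that is not part of the thread: a flow table that admits outbound packets and records them, and admits inbound packets only when they are the reverse of a live flow. Addresses are never rewritten, which is the difference from NAT. The 2001:db8:: prefixes, the instrument-controller host, the vendor FTP server and the idle timeout are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: a documentation /64 standing in for the internal IPv6 network.
INSIDE = ipaddress.ip_network("2001:db8:1::/64")
FLOW_TIMEOUT = 300  # seconds of idleness after which a flow entry is forgotten


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ts: float  # arrival time in seconds


class StatefulFilter:
    """Allow outbound flows; allow inbound only when it matches a live flow."""

    def __init__(self):
        # (proto, inside addr, inside port, outside addr, outside port) -> last seen
        self.flows = {}

    def _expire(self, now):
        self.flows = {k: t for k, t in self.flows.items() if now - t < FLOW_TIMEOUT}

    def process(self, pkt):
        self._expire(pkt.ts)
        src_in = ipaddress.ip_address(pkt.src) in INSIDE
        dst_in = ipaddress.ip_address(pkt.dst) in INSIDE
        if src_in and not dst_in:  # outbound: record or refresh the flow, no rewriting
            self.flows[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.ts
            return "ACCEPT"
        if dst_in and not src_in:  # inbound: must be the reverse of a live flow
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.flows:
                self.flows[key] = pkt.ts
                return "ACCEPT"
        return "DROP"  # unsolicited inbound (or anything else) is dropped


def run_demo():
    """Controller fetches an update; then an unsolicited probe and a late reply arrive."""
    fw = StatefulFilter()
    ctl, vendor, probe = "2001:db8:1::10", "2001:db8:ffff::21", "2001:db8:ffff::66"
    return [
        fw.process(Packet("tcp", ctl, 49152, vendor, 21, 0.0)),     # outbound update fetch
        fw.process(Packet("tcp", vendor, 21, ctl, 49152, 0.1)),     # reply within the flow
        fw.process(Packet("tcp", probe, 40000, ctl, 21, 1.0)),      # unsolicited inbound
        fw.process(Packet("tcp", vendor, 21, ctl, 49152, 1000.0)),  # reply after the timeout
    ]
```

The same flow table is what NAT keeps internally; here it guards globally addressable hosts without the address rewriting that breaks end-to-end protocols.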