North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Security gain from NAT

  • From: Mark Smith
  • Date: Wed Jun 06 13:13:45 2007

On Wed, 6 Jun 2007 09:45:01 -0700
David Conrad <[email protected]> wrote:

> On Jun 6, 2007, at 8:59 AM, Stephen Sprunk wrote:
> > The thing is, with IPv6 there's no need to do NAT.
> Changing providers without renumbering your entire infrastructure.
> Multi-homing without having to know or participate in BGP games.
> (yes, the current PI-for-everybody allocation mindset would address  
> the first, however I have to admit I find the idea of every small  
> enterprise on the planet playing BGP games a bit ... disconcerting)
> > However, NAT in v6 is not necessary, and it's still evil.
> Even ignoring the two above, NAT will be a fact of life as long as  
> people who are only able to obtain IPv6 addresses and need/want to  
> communicate with the (overwhelmingly IPv4 for the foreseeable future)  
> Internet.  Might as well get used to it.  I for one welcome our new  
> NAT overlords...

For all those people who think IPv4 NAT is quite fine, I challenge them
to submit RFCs to the IETF that resolve, without creating worse
or more even more complicated problems, the list of problems here. All
the IPv6 RFCs do ... :

I've spent a number of years wondering why people seem to like NAT
(don't bother trying to convince me, my burnt stubs of fingers have
convinced me it's evil), and the only feasible conclusion I can come to
is that it is a chance to live out the "invisible man" fantasy they had
in their childhood. We've all had that fantasy I think, and we'd all
like to live it out ...

In IPv6, if you want to have a globally reachable service, you bind it
to a global address, and you protect the rest of the services/layer 4
protocol endpoints on that host that use global addresses via an SI
firewall, preferably on the host itself.

If you don't want to have a service globally reachable, then you don't
bind it to a global address - bind the service only to the to the ULA
addresses on the host. Then it'll be globally unreachable regardless of
whether there is a SI firewall active or not (although if people start
convincing upstreams and peers to accept their ULA routes external to
their own private network ... well, they made that choice, they'll have
to live with the security consequences)


        "Sheep are slow and tasty, and therefore must remain constantly
                                   - Bruce Schneier, "Beyond Fear"