[LINK] www.ipv6.org.au/summit

Kim Holburn kim.holburn at gmail.com
Sun Aug 31 18:59:07 AEST 2008


On 2008/Aug/31, at 10:38 AM, Karl Auer wrote:

> On Sun, 2008-08-31 at 09:37 +0200, Kim Holburn wrote:
>> Karl Auer <kauer at biplane.com.au>  wrote:
>>>> Perhaps my point would be better stated as "NAT provides no security
>>>> benefit that cannot be obtained from a simple packet filter".
>>
>> I don't agree with this really.  A NAT router provides quite good
>> security even if installed by an idiot.  A simple packet filter is
>> considerably harder to install, requires some knowledge of the network
>> topology
>
> Argh!
>
> A NAT (as now provided in a typical bit of CPE and not counting any
> additional packet filtering features that might be in the box)
> essentially provides a packet filter that says "allow established, block
> everything else".

Not true.  A packet comes in saying source (internet IP:port 80)  
(target IP of NAT box: port 3300).  The router has to know which  
private host to route that to.  It must have some state information to  
do that.

> This is extremely simple, one size fits all, and it can easily be
> pre-packaged with any CPE. In fact it already is - it's a side-effect of
> NAT.
>
> Compared to what CPE manufacturers already demand of the home user -
> port forwarding and DMZ configurations and what-all else - turning such
> a filter on and off would be a doddle. Even configuring exceptions would
> certainly be no more difficult than configuring port forwarding. 99% of
> customers would never have to look at it anyway.
>
>> and uses public IP numbers which are not cheap for
>> consumers.
>
> Well - yes! This whole discussion started with the observation that IPv6
> made NAT obsolete.

There are also privacy considerations here.  With a NAT router you are  
not advertising what's on your network to even your own ISP.

> With IPv6 you can dump NAT and good riddance.
> Unfortunately with dual stack you'll still need it for your expensive,
> scarce IPv4 addresses.
>
>> A simple packet filter gives away all sorts of info.
>
> Er, not really, no. In fact the simpler it is the less info it gives
> out. You may be referring to whether it returns ICMP messages? Otherwise
> I can't think what you might mean.

A simple packet filter lets someone on the other side of the world
know and target your (let's say) fridge with a public IP.  There is no
way a public router will route a private address, so no way an external
machine can target your fridge.

>> It may be possible to flood it in such a way as to
>> allow access to one or more machines behind it.  A NAT router does not
>> allow this because there simply is no route in.
>
> It's just software; if a packet filter can fail under load so can NAT.
>
> I'm supposing now, but it seems very unlikely to me that a packet filter
> - especially a simple packet filter - would fail under load. NAT
> processing is way more complex; I'd expect NAT to fail first. Also, the
> likelihood of a failure mode that forwards MORE packets than it should
> seems even more remote.

Yes but if a NAT router fails, it's still not going to let packets in  
from a public to a private address space.  A home router with a  
stateless packet filter is orders of magnitude dumber.  We're talking  
about a consumer device which needs a reasonably knowledgeable  
installer.  There be dangerous shoals indeed!

> If there is "simply no route in" with NAT, then there's "simply no route
> in" with a packet filter. It's all just bits.
>
>> today's internet.  For instance the ability for any host on the
>> internet to contact any other host at full speed leads to serious
>> security issues.  Pushing NAT up the chain is bad but it is a response
>> to some of the serious security problems with today's internet.
>
> The ability for a sharp knife to cut things makes sharp knives
> dangerous. Let's blunt all knives!

In an ideal world all operating systems would protect themselves
against viruses and network intrusions out of the box.  A good
multilevel security approach.  Unfortunately in the real world the
majority of them don't.  They run Windows for a start.

> The ability for any host to talk at high speed to any other host is the
> *whole point* of the Internet.

Many, many machines are behind various kinds of firewalls.  Firewalls
that protect their internal networks in a myriad of ways.  How is this
different to a world of NATs?  Just because you have an ideological
preference for an open internet (which I have in many ways) doesn't
mean that it's currently practical or that what we have now is like
that.

>
>
> Regards, K.
>
> PS: I'd like to hear more specifics about these "serious security
> issues". Why are they the fault of the network protocol? How does
> NAT ameliorate them? The phrase as you have used it smells a bit like a
> George W Bush speech to me, full of unspecified, unnamed dangers... FUD,
> in other words.


I'll try and remember it.

--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294  M: +39 3494957443
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request

Democracy imposed from without is the severest form of tyranny.
                           -- Lloyd Biggle, Jr. Analog, Apr 1961
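The disagreement above, about whether a consumer NAT box is anything more than an "allow established, block everything else" filter, comes down to what state each device keeps. The following toy model is an added example written for this page, not code from either correspondent: it models a port-overloading NAT and a routed stateful filter side by side and shows that both forward a reply to an outbound connection and both drop an unsolicited inbound packet, because both consult a per-flow table. All addresses and ports are constructed (documentation ranges).

```python
PUBLIC_IP = "203.0.113.10"   # constructed: the NAT box's single public address

class NatRouter:
    """Toy port-overloading NAT. A packet is (src_ip, src_port, dst_ip, dst_port).
    An inbound packet is delivered only if a translation entry exists for it."""
    def __init__(self):
        self.table = {}          # (remote_ip, remote_port, public_port) -> (priv_ip, priv_port)
        self.next_port = 3300

    def outbound(self, pkt):
        src_ip, src_port, dst_ip, dst_port = pkt
        public_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(dst_ip, dst_port, public_port)] = (src_ip, src_port)
        return (PUBLIC_IP, public_port, dst_ip, dst_port)   # what the internet sees

    def inbound(self, pkt):
        src_ip, src_port, dst_ip, dst_port = pkt
        entry = self.table.get((src_ip, src_port, dst_port))
        if dst_ip != PUBLIC_IP or entry is None:
            return None          # no state: nowhere to deliver it, so it is dropped
        return (src_ip, src_port) + entry                    # rewritten for the private host

class StatefulFilter:
    """Routed (no translation) 'allow established, block everything else' filter,
    e.g. in front of globally addressed IPv6 hosts."""
    def __init__(self):
        self.established = set()

    def outbound(self, pkt):
        src_ip, src_port, dst_ip, dst_port = pkt
        self.established.add((dst_ip, dst_port, src_ip, src_port))   # expected reply 4-tuple
        return pkt               # forwarded unchanged

    def inbound(self, pkt):
        return pkt if pkt in self.established else None   # routable, but blocked without state

def run_scenarios():
    """Returns (nat_reply, nat_unsolicited, fw_reply, fw_unsolicited)."""
    nat, fw = NatRouter(), StatefulFilter()
    seen = nat.outbound(("192.168.1.20", 40000, "198.51.100.5", 80))   # fridge fetches a page
    nat_reply = nat.inbound(("198.51.100.5", 80, PUBLIC_IP, seen[1]))  # matching reply
    nat_unsol = nat.inbound(("198.51.100.99", 80, PUBLIC_IP, 3300))    # probe: right port, wrong peer
    fw.outbound(("2001:db8::20", 40000, "2001:db8:1::5", 80))
    fw_reply = fw.inbound(("2001:db8:1::5", 80, "2001:db8::20", 40000))
    fw_unsol = fw.inbound(("2001:db8:1::99", 80, "2001:db8::20", 40000))
    return nat_reply, nat_unsol, fw_reply, fw_unsol

if __name__ == "__main__":
    print(run_scenarios())
```

The difference between the two is where the decision lives, in a translation table versus a connection-tracking table, not whether state is needed; in both models the unsolicited probe is dropped for the same reason.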
