[LINK] www.ipv6.org.au/summit

Karl Auer kauer at biplane.com.au
Tue Sep 2 22:58:47 AEST 2008


On Tue, 2008-09-02 at 10:57 +0200, Kim Holburn wrote:
> I can't see how the cost of additional security by obscurity outweighs  
> any benefits.  As long as you don't rely on it solely.

For some instances of security through obscurity, the benefits may
outweigh the costs. If the costs are very low, the risk is very small,
there are other layers of security in place and the ease of maintaining
and monitoring the level of obscurity is high, go for it. In NAT's case,
and leaving aside the essential function of address multiplexing, the
costs outweigh the benefits. If NAT is not needed for address
multiplexing, we should not keep it just for its address-hiding
properties.

> Very colourful but NAT routers give what you call packet filtering  
> which you have extolled the virtues of so what is the problem?

It's important to read stuff carefully. I'm really trying to write
accurately and precisely what I mean. There is nothing hidden between
the lines, and each word is important. So here is one more attempt:

NAT does three things. It multiplexes few public addresses into many
private addresses. As a side effect of that, NAT also hides internal
addresses. It also acts like a packet filter, effectively one that does
"allow established; block all else".

On the downside, NAT introduces a performance loss, destroys end-to-end
transparency, makes many protocols more complicated than they need to
be, makes creating new protocols harder than it needs to be, requires
the use of external rendezvous servers for many kinds of peer-to-peer
protocols, forces some protocols into tunnels, and hampers effective
troubleshooting of network problems. There are more, but those are the
main ones.

If we do not need to multiplex addresses, should we retain NAT? If we
say "yes" in spite of all those downsides, then it must be because we
regard either the address hiding property or the packet-filtering
property as outweighing those downsides. But the packet-filtering
property can be had far more simply by using an actual packet filter;
using NAT to do it is pointless overhead. So if we say "yes", it must be
because we see the address-hiding property *alone* as outweighing those
downsides.

I don't think it does. The downsides of NAT massively outweigh the
minuscule security benefit of obfuscating addresses.

> As I have said, I don't agree that NAT is worthless, nor packet  
> filtering.  I doubt whether either will go away when IPv6 is taken up.

Time will tell. Packet filtering certainly will not disappear. I have
never said that packet filtering is worthless, by the way, quite the
reverse.

> There are still the issues of resources and skilled staff that won't  
> go away, in fact will probably be even more of a problem with IPv6.

I don't understand your point here. The packet-filtering effect of NAT
could hardly be simpler. Even configuration steps like allowing a port
through or whatever are no more complicated than configuring port
forwarding.

> of network I think we will have to somehow build security into the  
> devices that run those networks.  For our own protection if nothing  
> else.

Of course we will! And we should go for something simple, reliable, fast
and secure. That is, not NAT.

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/                  +61-428-957160 (mob)

GPG fingerprint: DD23 0DF3 2260 3060 7FEC 5CA8 1AF6 D9E3 CFEE 6B28
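The ruleset below is an added example, not part of Karl's mail or anything else in this thread. It shows what "an actual packet filter" doing "allow established; block all else" looks like on an IPv6 router using nftables, with no address translation anywhere. Interface names (wan0, lan0), the 2001:db8::/48 documentation prefix and the two exposed services are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example: stateful IPv6 filter that reproduces NAT's filtering effect
# ("allow established; block all else") without translating any address.
# Assumptions: "wan0" faces the Internet, "lan0" faces the LAN, and the
# documentation prefix 2001:db8::/48 stands in for the site's real prefix.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # The NAT-equivalent rule: replies to flows the router itself started
        # are accepted; anything unsolicited falls through to the drop policy.
        ct state established,related accept
        ct state invalid drop

        iif "lo" accept

        # IPv6 relies on ICMPv6 for neighbour discovery and path-MTU discovery,
        # so a blanket drop breaks the link; this is the RFC 4890 minimum.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, echo-reply,
                      nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept

        # Management access from the LAN only (assumed LAN subnet).
        ip6 saddr 2001:db8:0:1::/64 tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Same stateful rule for traffic crossing the router.
        ct state established,related accept
        ct state invalid drop

        # Enough ICMPv6 for PMTUD and basic reachability through the router.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, echo-reply } accept

        # LAN hosts may initiate anything outbound; the Internet may initiate
        # nothing. This one line is the whole "NAT firewall" effect.
        iifname "lan0" oifname "wan0" accept

        # A deliberate inbound exception, the analogue of a NAT port-forward,
        # but the host keeps its real address (assumed web server).
        iifname "wan0" ip6 daddr 2001:db8:0:1::80 tcp dport 443 accept
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`; the `policy drop` on each chain is the "block all else" part, and `ct state established,related accept` is the "allow established" part. The difference from a NAT box is only that no `masquerade` or `dnat` rule exists: the exposed web server is reached at its own address, troubleshooting sees the same addresses at both ends, and the LAN stays invisible to unsolicited traffic purely because of the filter, not because of translation.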