[arin-ppml] Set aside round deux
Joe Maimon
jmaimon at chl.com
Mon Aug 2 15:18:55 EDT 2010
Owen DeLong wrote:
> The fact that NAT is widespread does not mean we can't deploy
> IPv6 without introducing that damage to IPv6. NAT is not the poor
> man's firewall, just a case of ignorance on the part of the poor
> man. The poor man's firewall is and has long been stateful
> inspection with a default deny inbound policy for all traffic not
> matching an existing state table entry. That works with or
> without the address mangling of NAT. NAT, on the other hand,
> does not work without stateful inspection.
>
> NAT does cause problems even for the single-homed small
> environment, whether those environments are aware of the
> problems or not.
>
> Owen
>
I would like to address this specific point, oft repeated that NAPT's
stateful inspection protection is a byproduct and can easily be replaced
with a basic firewall turned on by default.
While certainly true from a technical viewpoint, I think this glosses
over a somewhat non technical practical reality and interaction between
protocols, vendors, firewalls, designers, users and administrators.
Without the ubiquity of NAPT, how long do you think it will be before
having a default deny inbound rule becomes non practical, or that UPNP
hole punching is a basic requirement to the extent that firewall are a
swiss cheese joke?
How many times as a NAT/Firewall admin on any size or class device have
you been asked to "open the firewall" for this or that protocol?
Do those requesters even understand the concept of flow
direction/initiation? The difference between permit rules and inbound
translation maps, the difference between bi-directional static NAT and
multiplexed NAPT or differing inside and outside ports? Have they even
tried using the application before blaming the "firewall"? Do they know
which ports and protocols are involved or whether the application can be
tuned to work properly without a specific inbound permit, or worse a
gigantic monster truck sized 16K dynamic port range hole? Yeah, I
thought so. Its you who is the bad guy, breaking their cute little
protocol/application. Now apply that to the residential market.
Protocol designers, users and administrators are not any less lazy than
the rest of us. Possibly more. NAT ubiquity have forced all but the die
hard idealists to avoid any use of cheap protocols tricks that prove
burdensome and unwieldy in not only a NAPT environment, but also in an
SPI environment, except as properly justified or required (one hopes).
That is a good thing in my opinion and I would hate to see the pendulum
swing the other way to the extent that cheap CPE which are not intended
to burden its user with actual operation of them can no longer use a
default deny inbound SPI.
Its much easier to tell someone turn off the firewall if you want my
protocol to work "just for testing" than to tell them to turn off NAPT.
In the former, the protocol will magically start to work and the
firewall will stay off. In the latter, nothing will work and NAT will be
turned back on. In a sense, this is the correct expansive definition of
the phrase "NAT fails close", where fail is the failure of protocols,
admins and users to adhere to proper security diligence.
Lets face it, requiring L4 and higher protocols to have knowledge of L3
detail is a layering violation and should be frowned upon by those who
believe layering violations are the source of all protocol evil.
So where does this leave me? I believe firmly that NAPT should become a
choice made by users, not a requirement for basic service as it is now,
nor a practical impossibility as IPv6 currently intends.
Joe
More information about the ARIN-PPML
mailing list