[arin-ppml] IPv6 Non-connected networks

William Herrin bill at herrin.us
Wed Mar 24 17:49:34 EDT 2010


On Wed, Mar 24, 2010 at 4:25 PM, Owen DeLong <owen at delong.com> wrote:
> On Mar 24, 2010, at 1:03 PM, William Herrin wrote:
>> A NAT firewall is a door with a pneumatic closer, a prox card reader
>> and a pin code. This latter is less vulnerable to attack: stealing or
>> duplicating the prox card is as hard or harder than picking a lock and
>> even once you have the card, you still need the matching pin code for
>> entry.
>
> No.  A NAT firewall is a door with a lock and a deadbolt at best unless
> rules must be expressed in terms of entry/exit zone in addition to
> source/destination address.

Owen,

Believe it or not, I picked the door analogies deliberately.

Adding a door with a key is like adding a firewall. You can no longer
walk packets freely in and out of the network.

The addition of a "pneumatic closer" is consistent with any stateful
firewall. Unlike a basic packet filter, the stateful firewall pulls
the door closed behind the permitted transport sessions, denying other
packets.

Adding a pin pad is consistent with adding any form of NAT. A mistake
which causes bare routing or any subset of it has to somehow also use
the right translation code.

Switching from a key to a prox card is consistent with
address-overloaded NAT specifically. Just as the prox card facilitates
maintaining physical security a little better than keeping track of
metal keys, address overloading saves you from a few more oopses that
would cause mere NAT to accept and translate connections where the
single-to-many nature of address overloading can at worst expose a
single host on a given port.

So I have to give you a FAIL. Adding address-overloaded NAT is
considerably more than adding a deadbolt.


>> And I will suggest that for any given firewall configuration, the
>> otherwise-identical configuration that also does NAT has implemented
>> stronger security.
>
> Nope... I provided an example earlier where NAT actually reduced security.

No, you provided an example where you boldly but mistakenly claimed
that NAT reduced security.


On Wed, Mar 24, 2010 at 4:47 PM, Michael K. Smith - Adhost
<mksmith at adhost.com> wrote:
> The point is that proving NAT is valuable based solely
> upon its perceived benefits for inbound traffic doesn't address
> the issue with all its complexities.

Hi Mike,

No argument.


> Actually, RFC 1631 says that NAT is for addressing
> address conservation specifically.

RFC 1631 spoke to the then mostly theoretical concept of NAT as
discussed inside the IETF circa 1993-4. The basic idea was a
one-to-one mapping of internal to external addresses. Only those very
few internal hosts who needed to talk to the Internet would claim an
external address and the external address space was flat, requiring no
per-lan reserve slack and no subnet-oriented reserved IPs.

In other words, it was almost exactly nothing like modern
address-overloaded NAT as found in any commodity "DSL router."

As modern NAT evolved out of transparent TCP proxies (which had
evolved from the bastion host proxy firewalls), there were a number of
folks who complained it should be called PAT (port address
translation) because it wasn't really NAT. In a sense, they're
right... the NAT name was hijacked by the new, vastly more popular
process even though it bore only a passing resemblance to the old.

My point is: RFC 1631 describes an obsolete process that has limited
bearing here.


>>> Apparently NAT is religion.
>> I've seen that before too but I don't see it here.
> How about a topic that engenders passionate debate.

Hah! I have to give you that one.

-Bill


-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
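Added illustration, not part of Bill's post or of the thread: a toy model of the two mechanisms argued about above, a stateful packet filter and an address-overloaded NAT (PAT), each given the same "accept anything inbound" misconfiguration. The addresses and ports are constructed, and the way the misconfigured NAT picks an inside destination (matching on public port alone) is an assumption of the model, not a description of any particular product.

```python
"""Toy model: stateful filter vs. address-overloaded NAT under the same
misconfiguration.  Constructed example; no real packets are involved."""

from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Permits anything outbound and remembers the session so the matching
    reply is let back in (the 'pneumatic closer').  Everything else inbound
    is dropped unless the deliberately wrong allow_all_inbound rule is set."""

    def __init__(self, allow_all_inbound: bool = False) -> None:
        self.allow_all_inbound = allow_all_inbound
        self.sessions = set()  # (inside_ip, inside_port, remote_ip, remote_port)

    def outbound(self, pkt: Packet) -> Packet:
        self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return pkt  # reply to a session opened from inside
        if self.allow_all_inbound:
            return pkt  # the oops: delivered straight to the inside host
        return None


class OverloadedNAT:
    """Many inside addresses behind one public address (PAT).  An inbound
    packet must match an active translation entry to have anywhere to go."""

    def __init__(self, public_ip: str, allow_all_inbound: bool = False) -> None:
        self.public_ip = public_ip
        self.allow_all_inbound = allow_all_inbound
        self._next_port = 40000
        self.table = {}  # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        pub_port = self._next_port
        self._next_port += 1
        self.table[(pub_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst != self.public_ip:
            return None
        inside = self.table.get((pkt.dport, pkt.src, pkt.sport))
        if inside is None and self.allow_all_inbound:
            # Assumed behaviour of the misconfigured box: accept anything, but
            # it still needs an inside destination, and the only candidates are
            # public ports currently bound in the table.
            for (pub_port, _rip, _rport), ins in self.table.items():
                if pub_port == pkt.dport:
                    inside = ins
                    break
        if inside is None:
            return None  # nothing to translate to: dropped
        return replace(pkt, dst=inside[0], dport=inside[1])


def demo() -> dict:
    attacker = "203.0.113.9"  # constructed addresses (RFC 5737 ranges)
    results = {}
    # 1. Stateful filter with the bad rule: unsolicited packet reaches the inside host.
    fw = StatefulFirewall(allow_all_inbound=True)
    results["filter_oops"] = fw.inbound(Packet(attacker, 4444, "10.0.0.5", 22))
    # 2. PAT with the same bad rule but an idle table: no inside destination exists.
    nat = OverloadedNAT("198.51.100.1", allow_all_inbound=True)
    results["nat_oops_idle"] = nat.inbound(Packet(attacker, 4444, "198.51.100.1", 22))
    # 3. Inside host opens a session; the reply comes back translated.
    out = nat.outbound(Packet("10.0.0.5", 50000, "192.0.2.10", 80))
    results["translated"] = out
    results["reply"] = nat.inbound(Packet("192.0.2.10", 80, "198.51.100.1", out.sport))
    # 4. Attacker hits the public port now in use: at worst that one host:port is exposed.
    results["nat_oops_busy"] = nat.inbound(Packet(attacker, 4444, "198.51.100.1", out.sport))
    # 5. Same packet against a correctly configured PAT: dropped.
    good = OverloadedNAT("198.51.100.1")
    good.outbound(Packet("10.0.0.5", 50000, "192.0.2.10", 80))
    results["nat_correct_busy"] = good.inbound(Packet(attacker, 4444, "198.51.100.1", 40000))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as a script to see each case; the two "oops" cases are the ones the argument above turns on.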