[ipv6hackers] the end is near (or for IPv6: the beginning)

Marco Ermini marco.ermini at gmail.com
Fri Jan 24 13:11:53 CET 2014

On 3 January 2014 16:50, Trevor Sullivan wrote:

> I've tried to discuss the NAT issue with friends of mine before, and they
> simply do not understand. NAT is not a security feature. Yes, you can get
> some implicit "security" by using it, but why would you not simply
> configure your firewall correctly?

Hi Trevor,

If I may argue, I believe you don't understand, because security is much
more than just technology. This is the mistake that many people exclusively
involved with the IT side of things often make.

"IT Security" encompasses a very broad range of things, and "Security" even
more. There is no single magic box or configuration that gives you
"security". I would even dare to say that "security" means different
things to different people, companies and organisations. Therefore, you
must first define "security" and "security feature" in your context, then
you will decide if NAT is one or not.

Things are always subtle; the cover sheet is too short, and it depends on
where you pull it. Security in any case is always an onion, stratifying
different controls one over the other. People coming from a network
administration state of mind will tend to look at NAT as an annoyance (you
know, you don't see where your ICMP packets really come from, so it is
really annoying). Security managers will see it as one added layer in a
series of controls and mitigations. Compliance managers and people working
on LI (as well as dictators and censors...) will see it as the point at
which they can log, inspect, check and filter.

The most effective demonstration of the "usefulness" of NAT is its use by
the Great Firewall. This alone should tell you how effective this can be.
(Of course we don't like it; I am only talking about the technical side.)

As you also must admit, it adds a security mitigation in that it hides the
internal network infrastructure to a certain degree, besides allowing you
to keep using IPv4 for your customers for longer. It does nothing more than
that; it is redundant on an IPv6 network, and I would also say that people
who would love to see IPv6 more widespread probably hate NAT because it is
the major obstacle to its adoption. I also don't personally like it too
much, but I must admit it has (or it can have) its role in a multi-layer
defence.

> Up until now, NAT has been a "security feature" for lazy people, who don't
> want to take a few minutes to understand firewall configuration.

It may be, or it may not. Just assuming this is always the case makes you
very narrow-minded.

> Instead,
> they waste their time dealing with NAT issues that they wouldn't have to
> deal with if they would just accept that NAT is a hack.

You are from the USA, aren't you?

Besides, I have never had major NAT issues. NAT is as old as RFC 1918 (we
are talking about the year 1996).

Marco Ermini
root at human # mount -t life -o ro /dev/dna /genetic/research
"Jesus saves... but Buddha makes incremental back-ups!"
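The thread turns on whether the "implicit security" of NAT is anything more than what a stateful firewall already does. The ruleset below is an added illustration, not part of Marco's or Trevor's messages, showing the same behaviour on an IPv6 network with no address translation at all: hosts inside may initiate connections, nothing unsolicited is forwarded in, and the ICMPv6 types IPv6 depends on stay open. It assumes nftables, with eth0 facing the Internet and eth1 facing the LAN.

```nft
#!/usr/sbin/nft -f
# Added example: stateful IPv6 filtering that reproduces the "no unsolicited
# inbound traffic" side effect people attribute to NAT, without translating
# anything. Interface names (eth0 = Internet, eth1 = LAN) are assumptions.
flush ruleset

table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # IPv6 does not work without ICMPv6 (NDP, PMTUD); filter by type, not wholesale
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept
        # Management of the router only from the LAN side
        iif "eth1" tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to connections the LAN opened come back in, nothing else does
        ct state established,related accept
        ct state invalid drop
        # LAN hosts may initiate anything outbound
        iif "eth1" oif "eth0" accept
        # Path MTU discovery must work end to end
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` on a router with forwarding enabled; the default-drop forward chain, not any translation step, is what keeps the internal hosts unreachable from outside until they speak first.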
