[ipv6hackers] the end is near (or for IPv6: the beginning)
Wouter van Bommel
wouter at vanbommelonline.nl
Fri Jan 24 13:47:23 CET 2014
NAT is a terribly broken protocol. As my provider only gives me 1 public IP
address I am forced to use NAT on all my servers. This means that I have to
instruct my colleagues to use alternative ports if they would like to use
one of the non-default servers.
This might be doable for tech-interested people, but is a burden for c?o
type of people.
NAT also implies that I have to run a split-brain DNS, as internal IP
addresses for these servers will be different from those on the outside.
Would be glad if IPv6 is finally a reality, so that these kinds of issues
are finally resolved for everybody (and not just the people with lots of
historical IPv4 addresses).
P.S. The security of NAT lies in things like state tables. So a properly
configured forwarding firewall can use the same technique, hence the same
security, as the default can be 'deny all incoming except related', which
is basically what NAT does.
On Fri, Jan 24, 2014 at 1:11 PM, Marco Ermini <marco.ermini at gmail.com> wrote:
> On 3 January 2014 16:50, Trevor Sullivan wrote:
> > I've tried to discuss the NAT issue with friends of mine before, and they
> > simply do not understand. NAT is not a security feature. Yes, you can get
> > some implicit "security" by using it, but why would you not simply
> > configure
> > your firewall correctly?
> Hi Trevor,
> if I may argue, I believe you don't understand because security is much
> more than just technology. This is the mistake that many people exclusively
> involved with the IT side of things often make.
> "IT Security" encompasses a very broad range of things, and "Security" even
> more. There is no single magic box or configuration that gives you
> "security". I would even dare to say, that "security" means different
> things to different people, companies and organisations. Therefore, you
> must first define "security" and "security feature" in your context, then
> you will decide if NAT is one or not.
> Things are always subtle and the cover sheet is too short, and it depends on
> where you pull it from. Security in any case is always an onion, stratifying
> different controls one over the other. People coming from a network
> administration state of mind will tend to look at NAT as an annoyance (you
> know, you don't see where your ICMP packets really come from, so it is
> really annoying). Security managers will see it as one added layer in a
> series of controls and mitigations. Compliance managers and people working
> on LI (as well as dictators and censors...) will see it as the point in
> which they can log, inspect, check and filter.
> The most effective demonstration of the "usefulness" of NAT is its use by
> the Great Firewall. This alone should tell you how effective this can be.
> (of course we don't like it, I am only talking about the technical side.)
> As you also must admit, it adds a security mitigation in that it
> hides the internal network infrastructure to a certain degree - besides
> allowing you to keep using IPv4 for your customers for longer. It does nothing
> more than that, it is redundant on an IPv6 network and I would also say,
> people who would love to see IPv6 more widespread probably hate NAT
> because it is the major obstacle to its adoption. I also don't personally
> like it too much, but I must admit it has (or it can have) its role in a
> multi-layer defence.
> > Up until now, NAT has been a "security feature" for lazy people, who
> > want to take a few minutes to understand firewall configuration.
> It may be, or it may not. Just assuming this is always the case makes you
> very narrow minded.
> > Instead,
> > they waste their time dealing with NAT issues that they wouldn't have to
> > deal with if they would just accept that NAT is a hack.
> You are from USA, aren't you?
> Besides, I never had major NAT issues. NAT is as old as RFC 1918 (we are
> talking about the year 1996).
> Marco Ermini
> root at human # mount -t life -o ro /dev/dna /genetic/research
> "Jesus saves... but Buddha makes incremental back-ups!"
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
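The P.S. at the top of this message argues that a properly configured forwarding firewall gives the same "deny all incoming except related" behaviour as NAT, with no address translation. As an added example (not configuration from the original poster or the list), here is an nftables ruleset that does exactly that for IPv6; the interface names lan0/wan0 and the 2001:db8: addresses are assumptions (documentation prefix):

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. Stateful IPv6 forwarding
# firewall: the state table, not address rewriting, is what blocks
# unsolicited inbound traffic. Interface names and addresses are assumed.
flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # State table: replies to connections opened from inside come back in,
        # anything that does not match a known flow hits the drop policy.
        ct state established,related accept
        ct state invalid drop

        # Hosts behind the router may open anything outbound.
        iifname "lan0" oifname "wan0" accept

        # IPv6 depends on ICMPv6 (path MTU discovery in particular);
        # dropping it along with "all incoming" silently breaks connectivity.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request } accept

        # Explicit inbound exceptions: each server keeps its own global
        # address and its standard port, so no alternate ports and no
        # split-brain DNS are needed.
        iifname "wan0" ip6 daddr 2001:db8:1::10 tcp dport { 80, 443 } accept
        iifname "wan0" ip6 daddr 2001:db8:1::11 tcp dport 22 accept
    }
}
```

Load it with `nft -f` and check with `nft list ruleset`; the router's own `input` chain is not covered here and needs the same treatment separately.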