ietf
[Top] [All Lists]

RE: [BEHAVE] Can we have on NAT66 discussion?

2008-11-13 16:30:19
You are far too dogmatic in your assertion of what is a security control here. 
I do not think that there are many folk in the security area who would make 
such a direct contradiction. 
 
There might be dispute as to whether NAT is an effective security control, 
Steve Bellovin has written papers on that (which I consider less than 
conclusive) but NAT is certainly employed as a security control and is 
certainly effective against certain types of real world attack.
 
NAT is used to provide two types of security:
 
1) A lighweight, verifiable means of blocking inbound connections
2) A lightweight means of limiting the ability of external observers to map the 
internal structure of a network.
 
The first is interesting as the property that is provided by NAT that is not 
provided by a standard firewall is auditability and provability. A NAT design 
is failsafe, it is highly unlikely that a mistake in the NAT code will cause 
inboud connections to work.it takes effort to make it work. A firewall with no 
NAT component is not failsafe, if there are bugs packets can get through. There 
is no way for an independent auditor to determine if a black box is a firewall 
or a standard ethernet hub unless it is seen in the act of rejecting a packet.
 
The second is something that some folk dispute, but nevertheless is a real 
obstacle to certain types of (legitimate) investigation. The amount of effort 
and network access required to circumvent a NAT scheme is considerable and does 
not lend itself to simple automation. So what we have here is the ongoing 
dispute between the adherents of old style 'security perfectionists' who think 
that any security flaw renders a system ineffective and the folk like myself 
who have long argued that security is risk management (yes, even before that 
book came out).
 
 

________________________________

From: Eric Klein [mailto:ericlklein(_dot_)ipv6(_at_)gmail(_dot_)com]
Sent: Thu 11/13/2008 2:07 PM
To: Hallam-Baker, Phillip
Cc: Mark Townsley; Routing Research Group Mailing List; Behave WG; 
v6ops(_at_)ietf(_dot_)org; ietf(_at_)ietf(_dot_)org
Subject: Re: [BEHAVE] Can we have on NAT66 discussion?


Hi Phillip,


On Thu, Nov 13, 2008 at 5:06 PM, Hallam-Baker, Phillip 
<pbaker(_at_)verisign(_dot_)com> wrote:


        I beleive that the question would not arise If we had a coherent 
Internet architecture
         
        The idea that an application can or should care that the IP address of 
a packet is constant from source to destination is plain bonkers. It was no an 
assumption in the original Internet architecture and should not be an 
assumption that any application should rely on.
         
        If you want to effect a transition from IPv4 to IPv6, the only way to 
do that effectively is to design a protocol stack in which the applications 
simply do not care whether their packets are routed over IPv4, IPv6 or carrier 
pidgeon.
         

Agreed
 

        
        NAT66 is in fact a security requirement in many applications and in 
others it is a compliance requirement. Stampy feet protests that the idea is 
profane don't change those facts.
         

NAT is not and never was a security feature, it was a way to use fewer numbers 
because they were hard to get. Please stop the falacy that NAT in any way is 
related to security, otherwise we would not need firewalls.
 

        
        I know that there are some people in the security area who claim 
otherwise but they have been wrong on many issues in the past and they are 
likely wrong on this one. Let us consider for a minute the list of real world 
security measures that the IETF has successfully deployed, well there is DKIM 
(sort of) and there is the post-facto cleanup of SSL after it was successful 
and the post facto cleanup of X.509 after that was successful. IPSEC is used as 
a VPN solution despite being unsuited for the role as originally designed. 
         
        On the negative side the same consensus that opposes NAT66 has in the 
past opposed firewalls, the single most widely used network security control. 
It has also promoted the idea of algorithm proliferation and negotiation as a 
good thing (these days we consider it bad). It has promoted the idea that the 
most important feature in a security protocol is that it be absolutely secure 
against theoretical attacks rather than easy enough to deploy and use that 
people actually use it.

 
This is not quite true, the ones who have been argueing against it have 
constantly asked why we need it. But we still do not know why we need NAT, no 
one has done the gap analysis.

        
         
        And yes, I have been guilty of many of the same mistakes. But unlike 
some folk I am not about to compound that mistake by telling the folk who want 
NAT66 that they should visit a re-education camp and unlearn their heretical 
thoughts. 
         
        The only reason NAT is bad in practice is because some people were so 
opposed to the concept that they decided it would be a good thing to allow 
designs that were purposefully designed to be NAT-unfriendly. 
         
         
        If we don't want to have these discussions on the IETF list we should 
have a separate architecture list. 
         
        NAT66 is a reasonable protocol proposal to make. If BEHAVE does not 
like the idea let the advocates start a new group.

 
This is why I am proposing a wider audience make a decission rather than having 
several groups making solutions without understanding the need.

        

________________________________

        From: ietf-bounces(_at_)ietf(_dot_)org on behalf of Mark Townsley
        Sent: Thu 11/13/2008 9:10 AM
        To: Eric Klein
        Cc: Routing Research Group Mailing List; Behave WG; 
v6ops(_at_)ietf(_dot_)org; ietf(_at_)ietf(_dot_)org
        Subject: Re: [BEHAVE] Can we have on NAT66 discussion?
        
        

        
        Eric Klein wrote:
        > Mark,
        > 
        > I agree with the sentiment, the problem is that the 5 different groups
        > are doing different things that all relate back to NAT in v6 (rather
        > than just coexistence) each under their own charter.
        > 
        > I have had suggestions that I bring this to ietf or inter-area mailing
        > lists for general consensus on a need and IETF overall position prior
        > to defining a solution.
        > Behave seems a little limited in scope for the decision about do we or
        > don't we want to allow any form of native mode NAT into v6.
        I agree, and it is not behave's place to make that decision at this
        time. I had originally proposed that this be discussed in int-area (if
        nothing else because behave's plate is rather full), but some folks
        pointed out that some modes may have affects on applications and that
        behave was best able to determine that, particularly within context of
        the other NATxy work. I'm looking forward to that assessment. So for now
        this should remain discussion to understand the problem space and
        potential solution space better, not a final referendum on whether or
        not the IETF is going to charter work in or otherwise endorse NAT66 in
        any manner.
        
        Thanks,
        
        - Mark
        > 
        > Eric
        > On Thu, Nov 13, 2008 at 12:09 PM, Mark Townsley 
<townsley(_at_)cisco(_dot_)com
        > <mailto:townsley(_at_)cisco(_dot_)com>> wrote:
        >
        >
        >     I would prefer not to have the same discussion again and again in
        >     multiple places. Let's just try and stick to behave for the
        >     moment, though at some point if the work continues it would need
        >     to be passed around elsewhere. We are not chartering the work one
        >     way or another at the moment, for now this is merely "discussion"
        >     of the topic.
        >
        >     - Mark
        >
        >
        >
        >
        >
        >     Margaret Wasserman wrote:
        >
        >
        >         Hi Eric,
        >
        >         According to the ADs and WG chairs, the correct forum for the
        >         NAT66 discussion is the BEHAVE WG.  So, let's discuss it 
there.
        >
        >         Margaret
        >
        >         On Nov 12, 2008, at 9:44 AM, 
EricLKlein(_at_)softhome(_dot_)net
        >         <mailto:EricLKlein(_at_)softhome(_dot_)net> wrote:
        >
        >             Cross posted to several lists
        >             Can we keep the NAT66 discussion to less than WGs at a 
time?
        >             I am trying to keep up with multiple threads on this and
        >             trying to explain that we do not have a valid requirement
        >             for NAT66 defined on any of the mailing lists (v6OPS,
        >             BEHAVE, Softwires, RRG, and now v6).
        >             Le's get this to one group (maybe we need a new mailing
        >             list just for NAT66 discussions, but this is getting out
        >             of hand.
        >             Until now the simple response is that "the IETF does not
        >             support NAT in the v6 architecture." If this needs
        >             changing lets do it right with proper gap analysis and
        >             needs assessment, and then seeing if there is a solution
        >             (several have been proposed that are not NAT) or if we
        >             need to create one, and if those fail then see about
        >             changing the architecture of IPv6.
        >             Eric _______________________________________________
        >             Behave mailing list
        >             Behave(_at_)ietf(_dot_)org 
<mailto:Behave(_at_)ietf(_dot_)org>
        >             https://www.ietf.org/mailman/listinfo/behave
        >
        >
        >         _______________________________________________
        >         Behave mailing list
        >         Behave(_at_)ietf(_dot_)org <mailto:Behave(_at_)ietf(_dot_)org>
        >         https://www.ietf.org/mailman/listinfo/behave
        >
        >
        >     _______________________________________________
        >     Behave mailing list
        >     Behave(_at_)ietf(_dot_)org <mailto:Behave(_at_)ietf(_dot_)org>
        >     https://www.ietf.org/mailman/listinfo/behave
        >
        >
        > 
------------------------------------------------------------------------
        >
        > _______________________________________________
        > Behave mailing list
        > Behave(_at_)ietf(_dot_)org
        > https://www.ietf.org/mailman/listinfo/behave
        >  
        
        
        _______________________________________________
        Ietf mailing list
        Ietf(_at_)ietf(_dot_)org
        https://www.ietf.org/mailman/listinfo/ietf
        

        

        


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf