Comments below inline with DL>
On Behalf Of Eric Klein
Sent: Thursday, November 13, 2008 11:07 AM
NAT66 is in fact a security requirement in many
applications and in others it is a compliance requirement. Stampy feet
protests that the idea is profane don't change those facts.
NAT is not and never was a security feature, it was a way to use
fewer numbers because they were hard to get. Please stop the falacy that
NAT in any way is related to security, otherwise we would not need
DL> Port/Overload NAT for IPv4 (NAT:P) has security benefits in
that it requires explicit configuration to allow for inbound unsolicited
transport connections (via port forwarding) to 'inside' hosts. This
mimics many of the default policies on most firewalls, hence the
confusion. Note that can also cause security issues elsewhere in the
network. The loss of information of the identity of the source host can
cause address filtering in the network to effect other devices than just
the one intended.
DL> I'm wondering if this is written down somewhere, because
both of the above points seem to be argued over and over again, without
people being genererally educated about them.
I know that there are some people in the security area
who claim otherwise but they have been wrong on many issues in the past
and they are likely wrong on this one. Let us consider for a minute the
list of real world security measures that the IETF has successfully
deployed, well there is DKIM (sort of) and there is the post-facto
cleanup of SSL after it was successful and the post facto cleanup of
X.509 after that was successful. IPSEC is used as a VPN solution despite
being unsuited for the role as originally designed.
On the negative side the same consensus that opposes
NAT66 has in the past opposed firewalls, the single most widely used
network security control. It has also promoted the idea of algorithm
proliferation and negotiation as a good thing (these days we consider it
bad). It has promoted the idea that the most important feature in a
security protocol is that it be absolutely secure against theoretical
attacks rather than easy enough to deploy and use that people actually
This is not quite true, the ones who have been argueing against
it have constantly asked why we need it. But we still do not know why we
need NAT, no one has done the gap analysis.
DL> I would argue that stateless filtering (e.g. access control
lists) are even more common than firewalls and are the single most
widely used network security control. But the main point is that
firewalls ( statefull (flow based) filtering that usually have default
policies), are orthogonal to address translation. They just happen to
occur at the same point in the topology in many networks.
DL> But I think Eric you have a good point about documenting the
relationship between a privately addressed IPv4 site and a publicly
addresses IPv6 site. We should publicly document the differences, it
would likely make or break the case for NAT66.
Ietf mailing list