
Re: Domain Centric Administration, RE: draft-ietf-v6ops-natpt-to-historic-00.txt

2007-07-02 07:21:54
It's not exactly a surprise; folk seem to place a higher premium on
shooting NAT than anything else. Meanwhile the vast majority of
residential broadband access is behind NAT.

And from a security point I want to see as much NAT as possible. Without
NAT we would be in a much worse situation security wise than we are
today. NAT is a blunt instrument but it shuts down inbound server
connects. And that is such a good thing from the point of view of
stopping propagation of network worms.
(snip)

        a few points.  IPv6 technology really needs to be demystified.

        you do not have to rewrite IP address to ensure that there's no
        inbound connections.  you just have to have a packet filter which
        watches/drops TCP SYN or whatever alike.  if you do not have enough
        address space to serve your enterprise, it is a good reason to use
        IPv6 :-)

        even if you have NAT, or any middle system which rewrites IP address/
        port number, or RFC3041 trick in your end system, your privacy is
        leaked by the use of HTTP cookie and OS fingerprinting.  if you do not
        use HTTP cookies, you cannot buy things at Amazon.  if you have RFC3041
        and other tricky systems, your system will have higher likelihood of
        having implementation bugs (violation of KISS principle).

        even if you stop all inbound connections, malicious parties which
        control HTTP/whatever servers can inject into your end node any kind of
        crafted TCP options, which might cause buffer overflow (DoS/privilege
        user hijacking).  the only solution (internet-wise) to this is to have
        TCP relaying proxies like TIS firewall toolkit/Gauntlet.  even skype
        cannot go across TCP relays.

        spam, phishing and botnet are independent from presence/absence of NAT.
        OSes have to be secured by default, that's all.  heavy use of firewall/
        NAT has propagated "false sense of security" inside enterprise
        network, and therefore, many of end systems within enterprise are very
        vulnerable to attacks.  the most common attack vectors these days are
        laptops owned by people like IETFers (going in and out of the enterprise)
        or VPN-connected laptops, which carry worms.  so, many people purchase
        end node firewall systems ("fire suit" in the old terminology), but,
        if your end node operating systems are secure by default, you do not
        need those end node firewall systems and/or keep upgrading signature
        files.

        http://www.openbsd.org/papers/asiabsdcon07-network_randomness/index.html

itojun
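The point made above, that blocking unsolicited inbound connections needs only a stateful packet filter and not address rewriting, is illustrated by the following added example. It is not code from the thread or from any of the people quoted; it is a small model of a stateful IPv6 filter sitting between an inside prefix and the rest of the network. The prefix, hosts and packets are all constructed here (IPv6 documentation addresses, not real hosts). Flows opened from the inside create state and their replies pass; an inbound SYN with no matching state is dropped, which is exactly the property NAT is usually credited with.

```python
# Added example (not from the original thread): a minimal model of the
# stateful IPv6 packet filter the reply describes. Addresses are never
# rewritten; the filter only records which TCP flows were opened from the
# inside and drops any inbound packet that does not belong to one of them.
import ipaddress
from dataclasses import dataclass

# Hypothetical inside prefix (IPv6 documentation range, not a real network).
INSIDE = ipaddress.ip_network("2001:db8:1::/64")

SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    """Just the fields a TCP filter needs; constructed, not parsed from the wire."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class StatefulFilter:
    """Filter on a router between INSIDE and everything else."""

    def __init__(self, inside):
        self.inside = inside
        # Flow table keyed by (inside addr, inside port, outside addr, outside port).
        self.flows = set()

    def _is_inside(self, addr):
        return ipaddress.ip_address(addr) in self.inside

    def handle(self, pkt):
        """Return (passed, reason) for one packet."""
        src_in, dst_in = self._is_inside(pkt.src), self._is_inside(pkt.dst)
        if src_in and not dst_in:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags & SYN and not pkt.flags & ACK:
                self.flows.add(key)  # inside host opens a connection: create state
                return True, "outbound SYN, state created"
            if key in self.flows:
                return True, "outbound packet on known flow"
            return False, "outbound packet without state"
        if dst_in and not src_in:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.flows:
                return True, "inbound packet on inside-initiated flow"
            return False, "unsolicited inbound packet"
        return False, "not a transit packet"


def run_demo():
    """Feed constructed packets through the filter; returns the verdict list."""
    fw = StatefulFilter(INSIDE)
    inside_host = "2001:db8:1::10"   # constructed inside client
    web_server = "2001:db8:2::80"    # constructed outside server
    stranger = "2001:db8:3::1"       # constructed outside host nobody talked to
    packets = [
        Packet(inside_host, 40000, web_server, 80, SYN),        # inside opens a connection
        Packet(web_server, 80, inside_host, 40000, SYN | ACK),  # server's reply
        Packet(inside_host, 40000, web_server, 80, ACK),        # handshake completes
        Packet(stranger, 55555, inside_host, 22, SYN),          # unsolicited inbound SYN
        Packet(stranger, 80, inside_host, 40000, SYN | ACK),    # reply from a host not in state
    ]
    return [fw.handle(p) for p in packets]


if __name__ == "__main__":
    for passed, reason in run_demo():
        print("pass" if passed else "drop", "-", reason)
```

The flow table is the whole mechanism: a NAT box keeps the same table because it has to know where to send return traffic, which is why it incidentally blocks inbound connects. A filter that keeps the table without rewriting anything gives the same protection on globally routable IPv6 addresses, and can be opened selectively for a host that is meant to serve.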
