
Re: Domain Centric Administration, RE: draft-ietf-v6ops-natpt-to-historic-00.txt

2007-07-02 18:50:48

As the administrator of several small networks, it is quite simple. By
re-writing the address, the NAT is a de facto default deny. I have a lot
more trust in the simplicity of a basic NAT in a consumer firewall than I
do in any firewall which has to examine each packet for conformance to
complex policy rules.

        The re-writing of the address has nothing to do with the
        security benefit of the box.  Looking the incoming packet
        up in a state table and forwarding (with re-write) the
        packet if a match is found otherwise dropping / icmping it
        is what provides the security.

        Otherwise I could just loose source route around the NAT box.

        It is much better to have a box that is designed to provide
        security than it is to have a box that provides security
        as a side effect.  I'm sure you will find that there are
        NAT boxes that you can use the loose source route trick to
        bypass any perceived security benefits.  NAT boxes have
        different design goals to firewalls.  They are designed to
        translate addresses.  LSR is also designed to translate
        addresses.  LSR and NAT are complementary technologies.  One
        is end initiated the other is done in the middle of the
        network.

But, this misses the point I see in Phillip's discussion... I read his
ultimate proposal as:
  a. Stop bashing NAT, it provides value in the current network and
     has prevented a total meltdown which would have happened if every
     early OS were directly attached to the internet

        People aren't bashing NAT.  They are saying that NAT is not
        an appropriate solution for an IPv6 world.  It adds a lot
        more complexity than just a stateful firewall.

  b. REPLACE NAT with a default deny infrastructure ... more than
     just a single FW choke point.

On Mon, 2 Jul 2007, Melinda Shore wrote:

On 7/2/07 11:14 AM, "Hallam-Baker, Phillip" 
<pbaker(_at_)verisign(_dot_)com> wrote:
There is no other device that can provide me with a lightweight firewall for $50.

Of course there is - the same device that's providing the NAT.

NAT by itself is intrinsically policy-free, although it implements
policy as a side-effect.  I'm unclear on why you think that a
default-deny policy is better implemented on a NAT than on a
firewall.


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews(_at_)isc(_dot_)org
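Added illustration of the point made above (not code from the thread or from any of its participants): a toy model of a stateful box that records outbound flows and admits an inbound packet only when it matches a recorded flow. Run with nat=True it also rewrites addresses; run with nat=False it is a plain stateful firewall. The forward/drop decisions are identical in both modes, which is the thread's claim that the state-table lookup, not the rewrite, is what provides the default deny. The addresses and ports are constructed sample values.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    source_routed: bool = False  # carries an IP loose-source-route option

class StatefulBox:
    """Forwards outbound packets, records the flow, and admits an inbound
    packet only if it matches a recorded flow. nat=True also rewrites."""

    def __init__(self, public_ip, nat):
        self.public_ip = public_ip
        self.nat = nat
        self.table = {}      # (src, sport, dst, dport) as seen outside -> inside src
        self.next_port = 40000

    def outbound(self, pkt):
        if self.nat:         # address/port rewrite happens only in NAT mode
            pkt_out = replace(pkt, src=self.public_ip, sport=self.next_port)
            self.next_port += 1
        else:
            pkt_out = pkt
        self.table[(pkt_out.src, pkt_out.sport, pkt_out.dst, pkt_out.dport)] = pkt.src
        return pkt_out

    def inbound(self, pkt):
        # Caveat raised in the thread: refuse source-routed packets outright,
        # otherwise the state lookup below can be sidestepped.
        if pkt.source_routed:
            return None
        inside = self.table.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            return None      # no matching state: drop (the default deny)
        return replace(pkt, dst=inside) if self.nat else pkt

def decisions(nat):
    """Return (reply admitted, unsolicited admitted, source-routed admitted)."""
    box = StatefulBox("203.0.113.5", nat)           # constructed sample addresses
    out = box.outbound(Packet("10.0.0.7", 51000, "198.51.100.9", 443))
    reply = box.inbound(Packet("198.51.100.9", 443, out.src, out.sport))
    unsolicited = box.inbound(Packet("198.51.100.9", 443, out.src, 22))
    routed = box.inbound(Packet("198.51.100.9", 443, out.src, out.sport, True))
    return (reply is not None, unsolicited is not None, routed is not None)
```

decisions(True) and decisions(False) both return (True, False, False): the reply to an outbound flow is admitted, an unsolicited inbound packet is dropped, and a source-routed packet is dropped, whether or not addresses were rewritten.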
