
Re: [BEHAVE] Can we have on NAT66 discussion?

2008-11-14 02:59:30
On Thursday 13 November 2008 21:30:39 ext Darrel Lewis (darlewis), you wrote:
      DL> Port/Overload NAT for IPv4 (NAT:P) has security benefits in
that it requires explicit configuration to allow for inbound unsolicited
transport connections (via port forwarding) to 'inside' hosts.  This
mimics many of the default policies on most firewalls, hence the
confusion.  Note that this can also cause security issues elsewhere in the
network.  The loss of information about the identity of the source host can
cause address filtering in the network to affect other devices than just
the one intended.

That's not _quite_ true. The truth is that many boxes that are NATs also are 
firewalls.

A full cone NAT, with UPnP IGD (or NAT-PMP) is barely providing any security 
protection to the host. And many NATs have the so-called "DMZ" function 
whereby they'll forward all incoming traffic to a specified internal host.

Besides, if you don't have a public IP address, you are not addressable from 
the Internet. Whether you have a NAT, a set of proxies or no connection, is 
irrelevant - the lack of addressability is your "protection", not the NAT.

If you have public space internally, you can also NAT outbound, and not 
inbound. Then your NAT obviously provides no protection at all. A firewall 
would.

      DL> I'm wondering if this is written down somewhere, because
both of the above points seem to be argued over and over again, without
people being generally educated about them.

We have the IPv6 security RFC. We have the IPv6 simple CPE security and the 
NAT security I-Ds.

      DL> I would argue that stateless filtering (e.g. access control
lists) is even more common than firewalls and is the single most
widely used network security control.  But the main point is that
firewalls (stateful (flow based) filtering that usually has default
policies) are orthogonal to address translation.  They just happen to
occur at the same point in the topology in many networks.

Yes. And that's the whole point: the firewall function is providing some kind 
of protection. Not the NAT function.

-- 
Rémi Denis-Courmont
Maemo Software, Nokia Devices R&D
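As an added illustration of the argument above (not code from the thread or its authors), a small Python model of a full-cone NAT beside a stateful, default-deny filter, using constructed addresses: after one outbound packet, the NAT mapping delivers any outside host's packets to the inside host, whereas the filter passes only replies to flows the inside host opened.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)

class FullConeNAT:
    """Full-cone NAT: after one outbound packet, ANY outside host can use the mapping."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.out_map = {}  # inside (ip, port) -> public port
        self.in_map = {}   # public port -> inside (ip, port)
    def outbound(self, pkt):
        if pkt.src not in self.out_map:
            self.out_map[pkt.src] = self.next_port
            self.in_map[self.next_port] = pkt.src
            self.next_port += 1
        return Packet((self.public_ip, self.out_map[pkt.src]), pkt.dst)
    def inbound(self, pkt):
        inside = self.in_map.get(pkt.dst[1])
        # No mapping -> undeliverable. That is the only "protection" here, and it
        # is really the lack of an addressable inside host, not a policy decision.
        return None if inside is None else Packet(pkt.src, inside)

class StatefulFilter:
    """Flow-based filter with a default-deny inbound policy and no translation."""
    def __init__(self):
        self.flows = set()
    def outbound(self, pkt):
        self.flows.add((pkt.src, pkt.dst))  # remember the flow the inside host opened
        return pkt
    def inbound(self, pkt):
        # Only packets answering a flow the inside host opened are passed.
        return pkt if (pkt.dst, pkt.src) in self.flows else None

def demo():
    inside = ("10.0.0.5", 5000)       # constructed inside host
    server = ("203.0.113.10", 53)     # constructed legitimate peer
    third = ("198.51.100.7", 9999)    # constructed unrelated outside host
    nat, fw = FullConeNAT("192.0.2.1"), StatefulFilter()
    mapped = nat.outbound(Packet(inside, server))  # creates the public mapping
    fw.outbound(Packet(inside, server))            # records the flow
    return {
        "nat_passes_reply": nat.inbound(Packet(server, mapped.src)) is not None,
        "nat_passes_third_party": nat.inbound(Packet(third, mapped.src)) is not None,
        "fw_passes_reply": fw.inbound(Packet(server, inside)) is not None,
        "fw_passes_third_party": fw.inbound(Packet(third, inside)) is not None,
    }
```

Adding UPnP IGD or a "DMZ" rule to the NAT model would only widen `in_map`; the filter's behaviour is decided by its flow table, which is why the two functions are orthogonal.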
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf