Hi Darrel,
Comments below
On Thu, Nov 13, 2008 at 9:30 PM, Darrel Lewis (darlewis)
<darlewis(_at_)cisco(_dot_)com
wrote:
Comments below inline with DL>
NAT66 is in fact a security requirement in many applications and in others
it is a compliance requirement. Stampy feet protests that the idea is
profane don't change those facts.
NAT is not and never was a security feature, it was a way to use fewer
numbers because they were hard to get. Please stop the falacy that NAT in
any way is related to security, otherwise we would not need firewalls.
DL> Port/Overload NAT for IPv4 (NAT:P) has security benefits in that it
requires explicit configuration to allow for inbound unsolicited transport
connections (via port forwarding) to 'inside' hosts. This mimics many of
the default policies on most firewalls, hence the confusion. Note that can
also cause security issues elsewhere in the network. The loss of
information of the identity of the source host can cause address filtering
in the network to effect other devices than just the one intended.
If you are keeping the source IP address the full length of the session,
then there is no problem of loosing hte identiy of the source host, thus
there should be no problem with address filtering - this is the point of not
breaking the end-to-end connectivity that is built into v6. This has nothing
to do with ports, so that requirement is not relevant as far as I can see.
DL> I'm wondering if this is written down somewhere, because both of
the above points seem to be argued over and over again, without people being
genererally educated about them.
I know that there are some people in the security area who claim
otherwise but they have been wrong on many issues in the past and they are
likely wrong on this one. Let us consider for a minute the list of real
world security measures that the IETF has successfully deployed, well there
is DKIM (sort of) and there is the post-facto cleanup of SSL after it was
successful and the post facto cleanup of X.509 after that was successful.
IPSEC is used as a VPN solution despite being unsuited for the role as
originally designed.
On the negative side the same consensus that opposes NAT66 has in the past
opposed firewalls, the single most widely used network security control. It
has also promoted the idea of algorithm proliferation and negotiation as a
good thing (these days we consider it bad). It has promoted the idea that
the most important feature in a security protocol is that it be absolutely
secure against theoretical attacks rather than easy enough to deploy and use
that people actually use it.
This is not quite true, the ones who have been argueing against it have
constantly asked why we need it. But we still do not know why we need NAT,
no one has done the gap analysis.
DL> I would argue that stateless filtering (e.g. access control lists) are
even more common than firewalls and are the single most widely used network
security control. But the main point is that firewalls ( statefull (flow
based) filtering that usually have default policies), are orthogonal to
address translation. They just happen to occur at the same point in the
topology in many networks.
DL> But I think Eric you have a good point about documenting the
relationship between a privately addressed IPv4 site and a publicly
addresses IPv6 site. We should publicly document the differences, it would
likely make or break the case for NAT66.
Darrel, this is exactly my point. I do not want to predujice the final
solution, but until we know what we want to fix just throwing NAT at it is
not good enough. If there is a real need that requires some or all of the
old NAT44 then I will suppor it - but I want to know why we need it over
anyother solution first.
Eric
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf