[arin-announce] IPv4 Address Space (fwd)

In article <cistron.Pine.LNX.4.44.0310291228200.29539-100000@login1.fas.harvard.edu>,

> And sometimes you use NAT because you really do not want the NAT'ed device
> to be globally addressable but it needs to have a link to the outside to
> download updates. Instrument controllers et al.

I don't understand. What is the difference between a /24 internal
NATted network, and a /64 internal IPv6 network that is firewalled
off: only packets to the outside allowed, and packets destined for
the inside need to have a traffic flow associated with them.

As I see it, NAT is just a stateful firewall of sorts. A broken one,
so why not use a non-broken solution?

We can only hope that IPv6 capable CPE devices have that sort
of stateful firewalling turned on by default. Or start educating
the vendors of these el-cheapo CPE devices so that they will
all have that kind of firewalling enabled before IPv6 becomes
mainstream.

Mike.

Life would be much simpler without NAT; however, there are non-computer
devices which use the internet to get updates for their firmware that most
of us would prefer not to be globally reachable due to the human error
factor, i.e. "Oops, forgot a rule to protect X".

The radar on your cruise ship uses an IP network to communicate with the
chartplotter, GPS and depthsounder; do you really want _this_ gear globally
reachable via the internet? Remember, if it's globally reachable it is
subject to compromise.

A good example of this is building control systems which get firmware
updates via FTP!!!! from their maker. Usually there is no manual system
for updating them offline and allowing them to be disconnected from the
internet as in my opinion they _should_ be.

NAT is not security; just look at what you can do with sFlow to identify
machines behind a NAT. NAT is useful for machines which need to
periodically make a connection to perform some function involving the
network.

This class of devices should not have a globally routable address
because in many cases security on them is less than an afterthought (short
fixed passwords, no support for secure protocols, etc.)

The other case as pointed out by another poster is overlapping networks
which need NAT until a renumbering can be accomplished.

                            Scott C. McGrath

> Life would be much simpler without NAT; however, there are non-computer
> devices which use the internet to get updates for their firmware that most
> of us would prefer not to be globally reachable due to the human error
> factor, i.e. "Oops, forgot a rule to protect X".

<snip>

> A good example of this is building control systems which get firmware
> updates via FTP!!!! from their maker. Usually there is no manual system
> for updating them offline and allowing them to be disconnected from the
> internet as in my opinion they _should_ be.

NAT is certainly not the only way to restrict this sort of access. For
your ship example (snipped) an isolated network is best.

For your building control systems a firewall preventing inbound access,
instead of a NAT device, should be your control of choice.

> This class of devices should not have a globally routable address
> because in many cases security on them is less than an afterthought (short
> fixed passwords, no support for secure protocols, etc.)

routable != reachable. Restrict inbound access to your networks as
needed, with or without NAT, IPv4 or IPv6. For legacy IPv4 networks that
haven't been renumbered to IPv6, use a 4to6 gateway.

You seem to be arguing that NAT is the only way to prevent inbound access.
While it's true that most commercial IPv4 firewalls bundle NAT with packet
filtering, the NAT is not required, and less so with IPv6.

...david

David Raistrick wrote:

> You seem to be arguing that NAT is the only way to prevent inbound access.
> While it's true that most commercial IPv4 firewalls bundle NAT with packet
> filtering, the NAT is not required, and less so with IPv6.

I think the point that was being made was that NAT allows the filtering of the box to be more idiot proof. Firewall rules tend to be complex, which is why mistakes *do* get made and systems still get compromised. NAT interfaces and setups tend to be more simplistic, and the IP addresses of the device won't route publicly through the firewall or any unknown alternate routes.

-Jack

Jack Bates wrote:

> David Raistrick wrote:
>
> > You seem to be arguing that NAT is the only way to prevent inbound access.
> > While it's true that most commercial IPv4 firewalls bundle NAT with packet
> > filtering, the NAT is not required, and less so with IPv6.
>
> I think the point that was being made was that NAT allows the filtering
> of the box to be more idiot proof. Firewall rules tend to be complex,
> which is why mistakes *do* get made and systems still get compromised.
> NAT interfaces and setups tend to be more simplistic, and the IP
> addresses of the device won't route publicly through the firewall or any
> unknown alternate routes.

NAT for security is a bogus argument. NAT provides you nothing that a
simple stateful firewall provides[0]. The only reason a firewall is
"less idiot proof" is because NAT has such limited capabilities. People
may do more with a firewall simply because they can. If you want complex
rules, look at what happens to a NAT setup when you want to set up a
few static mappings. That's asking for trouble.

For a firewall to hobble the hosts behind it like NAT does takes only
a few simple rules. NAT also takes considerably more resources than a
stateful firewall.

[0] The only bonus in NAT is for the truly paranoid who want to hide
their network topology.

Date: Wed, 29 Oct 2003 15:27:27 -0600
From: Jack Bates

> I think the point that was being made was that NAT allows the
> filtering of the box to be more idiot proof. Firewall rules
> tend to be complex, which is why mistakes *do* get made and
> systems still get compromised. NAT interfaces and setups
> tend to be more simplistic, and the IP addresses of the
> device won't route publicly through the firewall or any
> unknown alternate routes.

NAT "security" is a byproduct of NAT's stateful filtering. One
can accomplish the same effect with

  check-state
  allow ip any any recv internal0 keep-state
  deny ip any any

Such a default fw config would be equally idiot-proof with no IP
obfuscation.

Eddy
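The three rules Eddy posts above can be modelled in a few lines, and doing so makes the thread's central claim checkable: a keep-state rule for internally originated flows plus a default deny gives exactly the inbound reachability a NAT gives, with no address rewriting. The block below is an added example by the editor, not code from any poster on this thread. It runs the same four constructed events (a controller fetching its update, the server's reply, an unsolicited connection to the controller, and a third party trying to hijack the open flow) through a toy version of Eddy's ruleset on a globally routable IPv6 /64 and through a toy port-overloading NAT on RFC 1918 space. The interface name internal0 is from the post; external0, every address, port and the trace itself are constructed, and the NAT is assumed to do endpoint-dependent filtering (it only forwards return traffic from the peer a mapping was created for).

```python
"""Toy model of a three-rule stateful firewall (check-state / allow ... recv
internal0 keep-state / deny ip any any) next to a toy NAT, run on a
constructed packet trace. Added example, not code from any poster on the
thread; interface names other than internal0, addresses, ports and the
trace are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet is received on
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Flows started from internal0 create state, their replies pass via
    check-state, everything else is denied. No address rewriting at all."""

    def __init__(self):
        # flow table keyed by (proto, inside addr, inside port, remote addr, remote port)
        self.flows = set()

    def verdict(self, pkt):
        if pkt.iface == "internal0":
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        else:
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows:            # check-state
            return "allow"
        if pkt.iface == "internal0":     # allow ip any any recv internal0 keep-state
            self.flows.add(key)
            return "allow"
        return "deny"                    # deny ip any any


class Nat:
    """Port-overloading NAT with one public address. An outsider's packet is
    forwarded only if it is addressed to a public port with a live mapping
    and comes from the remote end that mapping was created for."""

    def __init__(self, public_addr):
        self.public_addr = public_addr
        self.next_port = 40000
        # (proto, public port) -> (inside addr, inside port, remote addr, remote port)
        self.mappings = {}

    def verdict(self, pkt):
        if pkt.iface == "internal0":
            inside = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if not any(m == inside for (p, _), m in self.mappings.items() if p == pkt.proto):
                self.mappings[(pkt.proto, self.next_port)] = inside
                self.next_port += 1
            return "allow"
        mapping = self.mappings.get((pkt.proto, pkt.dport))
        if pkt.dst == self.public_addr and mapping and mapping[2:] == (pkt.src, pkt.sport):
            return "allow"
        return "deny"


# Constructed trace, firewall case: a globally routable IPv6 /64 inside, no NAT.
INSIDE6, UPDATE6, OTHER6 = "2001:db8:1::10", "2001:db8:ffff::1", "2001:db8:2::1"
FIREWALL_TRACE = [
    Packet("internal0", "tcp", INSIDE6, 51000, UPDATE6, 21),   # controller fetches its update
    Packet("external0", "tcp", UPDATE6, 21, INSIDE6, 51000),   # update server replies
    Packet("external0", "tcp", OTHER6, 4444, INSIDE6, 23),     # unsolicited connection attempt
    Packet("external0", "tcp", OTHER6, 4444, INSIDE6, 51000),  # wrong peer for the open flow
]

# The same four events with RFC 1918 space inside and one public address on the NAT.
INSIDE4, PUBLIC4, UPDATE4, OTHER4 = "10.0.0.10", "198.51.100.1", "203.0.113.5", "192.0.2.66"
NAT_TRACE = [
    Packet("internal0", "tcp", INSIDE4, 51000, UPDATE4, 21),
    Packet("external0", "tcp", UPDATE4, 21, PUBLIC4, 40000),
    Packet("external0", "tcp", OTHER4, 4444, PUBLIC4, 23),
    Packet("external0", "tcp", OTHER4, 4444, PUBLIC4, 40000),
]


def run_trace(device, trace):
    """Feed the packets through the device in order and return the verdicts."""
    return [device.verdict(pkt) for pkt in trace]


def compare():
    """Verdicts of the stateful firewall and of the NAT on their respective traces."""
    return run_trace(StatefulFirewall(), FIREWALL_TRACE), run_trace(Nat(PUBLIC4), NAT_TRACE)


if __name__ == "__main__":
    for label, verdicts in zip(("stateful firewall", "NAT"), compare()):
        print(f"{label:>17}: {' '.join(verdicts)}")
```

Both devices answer allow, allow, deny, deny: the controller's own update fetch and its reply pass, and neither the unsolicited connection nor the flow hijack reaches the inside host. The difference is that the firewall's result comes from three explicit rules, while the NAT's comes from a mapping table whose filtering behaviour is a side effect (and many consumer NATs filter more loosely than the toy one here). One caveat for a real IPv6 deployment: a literal deny-everything-inbound also drops ICMPv6 neighbour discovery and Packet Too Big messages, so a production ruleset needs explicit exceptions for those in addition to the three lines above.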

> Life would be much simpler without NAT howver there are non-computer
> devices which use the internet to get updates for their firmware that most
> of us would prefer not to be globally reachable due to the human error
> factor i.e. "Oops forgot a rule to protect X".
<snip>
> A good example of this is building control systems which get firmware
> updates via FTP!!!! from their maker. Usually there is no manual system
> for updating them offline and allowing them to be disconnected from the
> internet as in my opinion they _should_ be.

> NAT is certainly not the only way to restrict this sort of access. For
> your ship example (snipped) an isolated network is best.
>
> For your building control systems a firewall preventing inbound access,
> instead of a NAT device, should be your control of choice.

You are missing the point. Building control gear, instrument controllers,
power controllers: their builders see a _cheap_ distribution method for
updates, so they buy a TCP stack and cobble together an embedded application
to update their software.

Vendors are not thinking about acceptable levels of network security
when they design this gear; they are thinking "hmm, no floppy or cdrom for
$20, I can just put in a $4 ethernet controller and I can also save the
salaries of the people needed to distribute the physical media."

> This class of devices should not have a globally routable address
> because in many cases security on them is less than an afterthought (short
> fixed passwords, no support for secure protocols, etc.)

> routable != reachable. Restrict inbound access to your networks as
> needed, with or without NAT, IPv4 or IPv6. For legacy IPv4 networks that
> haven't been renumbered to IPv6, use a 4to6 gateway.

routable _is_ reachable. A firewall is merely a filtering device; it cannot
determine the intent of the packet. If a packet complies with your
defined ruleset and the protocol rules for that type of packet, the
firewall passes it. NAT also has the advantage that if packets do leak,
bogon filters at the border will drop them.

Firewalls cannot compensate for broken protocols or, worse yet, proprietary
protocols which the firewall device has no knowledge of, and are therefore
limited to L3/4 filtering only. I have been playing with firewall and
other internetwork security devices for longer than I care to remember

> You seem to be arguing that NAT is the only way to prevent inbound access.
> While it's true that most commercial IPv4 firewalls bundle NAT with packet
> filtering, the NAT is not required, and less so with IPv6.

Actually no, I tend to avoid NAT whenever possible; as other posters have
pointed out, NAT tends to break things which are not ordinarily broken and
I do not need the additional headaches. I simply see NAT as a tool in
the toolbox to be used to fix networking problems.

That was _exactly_ the point I was attempting to make. If you recall,
there was a case recently where a subcontractor at a power generation
facility linked their system to an isolated network, which gave
unintentional global access to the isolated network. A NAT at the
subcontractor's interface would have prevented this.

                            Scott C. McGrath

So would have a stateful firewall set to keep state, default deny inbound.
This is how customer-grade firewall products should work with NAT
disabled, although they probably don't.

-Paul