[AusNOG] IPv4 Exhaustion, APNIC EC, and James is a nice bloke ; -)

Chris Chaundy CChaundy at soulaustralia.com.au
Fri Aug 1 10:38:03 EST 2008


A further comment on this topic - I agree entire on the comments
regarding accessibility versus addressability.  One of the problems with
NAT is all the tweaking needed for some protocols that 'break the rules'
as far as layering of protocols go by embedding information about lower
layers in higher layers which leads to complexity which inevitably leads
to bugs.

While IPv6 is may problematic for some of these protocols, it is a
problem that will have to be solved, and once solved, NAT (and the
tweaking) will no longer be necessary when we have sufficient address
space (well in the perfect world anyway :-).  Long live the KISS
principle...

-----Original Message-----
From: ausnog-bounces at ausnog.net [mailto:ausnog-bounces at ausnog.net] On
Behalf Of Mark Newton
Sent: Friday, 1 August 2008 8:51 AM
To: Robert Brockway
Cc: ausnog at ausnog.net
Subject: Re: [AusNOG] IPv4 Exhaustion, APNIC EC, and James is a nice
bloke ;-)


On 01/08/2008, at 1:11 AM, Robert Brockway wrote:
>
> Please excuse me if I'm wrong but it seems like you are equating
> 'publically accessible' to 'publically addressable'.  They need not  
> be the
> same thing as per earlier parts of the thread.

There's a certain amount of cross-purposes discussion going on here.

I don't think anyone is equating the two issues in the way you've
described.  It might be useful for you to assume that those in this
thread who have taken a contrary view have a full and complete
understanding of the problem and simply disagree with you.

Let me expand on it just slightly, by way of illustration.

Lets say you have some firewall code in your CPE.  That's something
that controls "accessibility."

And lets also say you have some NAT code in your CPE.  That's something
that controls "addressability."

Flows passing through the CPE are NAT'ed (re-addressed), and also
passed through the firewall.  That seems to be the typical way that
most CPE works;  Whether you're talking about a Cisco or a Billion,
the stateful inspection configuration stanzas and internal code paths
are different beasts.

Now -- Lets assume you're using cheap and nasty CPE that has
firmware that's of, shall we say, variable quality.

If the firewall is buggy, it'll incorrectly block some traffic and
incorrectly pass other traffic.  The one Bevan is worried about is
incorrectly passing traffic to his fridge -- i.e., making an
incorrect decision about whether his fridge should be accessible.

Separately:

If the NAT code is buggy, it'll incorrectly translate inside
addresses to outside addresses.  The degenerate, almost inevitable
case is that devices on the "inside" won't have an network access
due to NAT bugs.

Now consider each facility being present or not present individually,
and consider the failure modes.

In the presence of bugs on a device that has NAT and no firewall,
devices inside your network won't have network access.

In the presence of bugs on a device that has a firewall and no
NAT, incorrect decisions regarding accessibility will be made and
Bevan's fridge will conceivably be reachable from the outside.

In the presence of bugs on a device that has a firewall and NAT,
incorrect decisions regarding accessibility won't matter very
much because nothing on the inside is addressable, or, consequently,
reachable;  and NAT failures will -still- cause devices inside
your network to not have network access.

So -- although NAT != security, what NAT *does* do is make your
firewall fail-safe.  The preference in the event of a bug when
NAT is present is to deny access.  The preference in the event of
a bug without NAT is to either incorrectly permit or incorrectly
deny, depending on the bug.  NAT is, therefore, a net gain, and
a marginal improvement on the quality of the security provided
by the solution.

Now, I'm not emotionally attached to NAT, and I don't think its
inevitable culling in an IPv6 world represents a huge problem.  But
I think you're making a mistake by suggesting that taking away
NAT makes no difference because protecting the network is the firewall's
job.  We don't live in an ideal world, and some CPE firmware is so
badly tested that it won't even boot, so I don't think you can trust
the firewall.  So what does that leave you with?

>  I would not allow my
> appliances to be publically accessible but I'm fine with them being
> publically addressable.

What about when your firewall is buggy?  Is it ok then?


   - mark

--
Mark Newton                               Email:
newton at internode.com.au 
  (W)
Network Engineer                          Email:   
newton at atdot.dotat.org  (H)
Internode Systems Pty Ltd                 Desk:   +61-8-82282999
"Network Man" - Anagram of "Mark Newton"  Mobile: +61-416-202-223





_______________________________________________
AusNOG mailing list
AusNOG at ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog



More information about the AusNOG mailing list