[AusNOG] IPv4 Exhaustion, APNIC EC, and James is a nice bloke ; -)

Nathan Gardiner ngardiner at gmail.com
Sun Jul 20 12:08:07 EST 2008


I'm not sure I understand why this issue couldn't be addressed by CPE
manufacturers providing an almost functionally equivalent security
default for IPv6 equipment. In other discussions, the point has been
raised that the traditional address space randomisation attacks that
existing worms and other malware currently use would be much less
effective against the vast IPv6 address space.

Yes, it's obscurity at its best, but a useful deterrent and possibly
the diminishing of a common attack vector.

If CPE devices performed stateful packet inspection (which is no great
feat, many do and NAT equipment already maintains a similar connection
table) allowing by default only replies to established connections,
with a function similar to the UPNP protocol to allow software to
maintain dynamic ACLs where required, and the ability for manual
inbound rules to be configured (much like the current static port
forwarding functionality) you would have near equivalence.

The fact that the address space allocation is derived from a public
pool should not invalidate existing security models, it just removes
the requirement for IP header rewriting.


PS. No zealot here. I've just seen too many organisations with complex
internal NAT configurations trying to manage change.

Nathan
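The default inbound policy described in the post above, as an added illustration that is not part of the original thread: an nftables ruleset for an IPv6 CPE that drops unsolicited inbound traffic in the forward path, accepts replies to LAN-initiated connections through connection tracking, lets a UPnP/PCP-style agent open timed pinholes by populating a set, and carries one static inbound rule as the analogue of a port forward. The interface names wan0 and lan0, the table, chain and set names, and the 2001:db8::/32 documentation addresses are assumptions of the example, not anything taken from the thread.

```nftables
#!/usr/sbin/nft -f
# Added example: IPv6 CPE forward policy giving "NAT-like" default behaviour
# without address rewriting. Interface names are assumed.

define WAN = wan0
define LAN = lan0

table ip6 cpe {
    # Hypothetical set that a UPnP/PCP-style agent on the CPE would populate
    # with dynamic pinholes: destination address . protocol . port, each with
    # a timeout so abandoned pinholes expire on their own.
    set pinholes {
        type ipv6_addr . inet_proto . inet_service
        flags timeout
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # The stateful part: replies to connections initiated from the LAN
        # (and related flows such as ICMPv6 errors for them) are allowed back in.
        ct state established,related accept
        ct state invalid drop

        # Anything originating on the LAN side may go out.
        iifname $LAN oifname $WAN accept

        # ICMPv6 that IPv6 needs to function (path MTU discovery in particular);
        # echo requests are rate-limited rather than blocked outright.
        iifname $WAN oifname $LAN icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        iifname $WAN oifname $LAN icmpv6 type echo-request limit rate 10/second accept

        # Dynamic pinholes requested by software behind the CPE.
        iifname $WAN oifname $LAN ip6 daddr . meta l4proto . th dport @pinholes accept

        # Static inbound rule, the IPv6 equivalent of a manual port forward
        # (constructed documentation address).
        iifname $WAN oifname $LAN ip6 daddr 2001:db8:1234:1::10 tcp dport 22 accept

        # Everything else arriving from the WAN is logged and dropped.
        iifname $WAN log prefix "cpe-v6-drop: " drop
    }
}
```

A pinhole agent would add entries with something like `nft add element ip6 cpe pinholes { 2001:db8:1234:1::20 . udp . 51820 timeout 1h }` and let them age out. The ruleset only covers forwarded traffic; the CPE's own input chain still needs to admit the ICMPv6 neighbour discovery and router advertisement messages that IPv6 relies on for the link to work at all, which is the main operational difference from a v4 NAT box.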

 On Sat, Jul 19, 2008 at 10:19 PM, Steve Baxter <steve at thebaxters.com> wrote:
>
> > NAT != security.
>
> Yes, but NAT is far better than everything in your house being globally
> addressable - by anybody !
>
> Do you look forward to the day your IP enabled stereo wakes you at 3am
> in the morning with spam that it is playing at 140W RMS because NAT !=
> security ? Consumer devices are cheap therefore will rarely if ever see
> either decent firmware in the first place or regular updates as old
> software is exploited. Why have it as easy as walking address space
> (larger universe in 6 admittedly) to find things that can be targeted.
>
> Can you imagine a world now (the IPv4 world) where every rancid pile of
> plastic and silicon from a cheap manufacturer in the home was globally
> addressable ? In warfare do you want to be bullet proof (like a tank -
> not very bullet proof and they are at the highest state of art) or
> hidden ? If they can't see you they can't shoot you !
>
> Now watch the zealots :-)
>
> SB
>
> > > I really don't understand the anti-NAT zealots. It's like they want
> > to take all of the things we've learned about giving public IPs to
> > workstations (DCOM/RPC/NetBios exploits) and repeat them, all over
> > again. No NAT = bad mmkay?
> > > ________________________________________
> > > From: ausnog-bounces at ausnog.net [ausnog-bounces at ausnog.net] On Behalf Of Matthew Moyle-Croft [mmc at internode.com.au]
> > > Sent: Friday, 18 July 2008 12:45 PM
> > > To: Noel Butler
> > > Cc: ausnog at ausnog.net
> > > Subject: Re: [AusNOG] IPv4 Exhaustion, APNIC EC, and James is a nice bloke ; -)
> > >
> > > My point was more that I've got an IPv4 /24 and use 10 addresses.
> > > I've got an IPv6 /56 and use 6 addresses (my media players etc don't
> > > do v6 yet).  The density of allocation has decreased by <insert
> > > depressingly large number> (even if I just had a /64 for home) just to
> > > appease the anti-NAT zealots worshipping at the altar of the RFC2462
> > > god.  I hope their puny stateful firewalls let the evil spirits into
> > > their networks and corrupt their virgin servers.
> > >
> > > MMC
> > >
> > > PS.  History never repeats, I tell myself before I go to sleep.
> > >
> > >
> > > Noel Butler wrote:
> > > this adds further proof about abuse and waste of existing IP
> > > resources, at least MMC is man enough to admit he's one of the guilty.
> > >
> > >
> > > On Fri, 2008-07-18 at 10:32, Matthew Moyle-Croft wrote:
> > >
> > > Free != Allocatable.
> > >
> > > ie.  I have an (ancient) class C of my own at home.   I use about 10
> > > addresses all up.   So there are, let's call it 244 free.
> > > But no one can get an allocation out of that or, for example,
> > > Apple's /8.
> > >
> > > MMC
> > >
> > > ________________________________
> > >
> > > _______________________________________________
> > > AusNOG mailing list
> > > AusNOG at ausnog.net
> > > http://lists.ausnog.net/mailman/listinfo/ausnog
> > >
> > > --
> > > Matthew Moyle-Croft Internode/Agile Peering and Core Networks
> > > Level 4, 150 Grenfell Street, Adelaide, SA 5000 Australia
> > > Email: mmc at internode.com.au  Web: http://www.on.net
> > > Direct: +61-8-8228-2909             Mobile: +61-419-900-366
> > > Reception: +61-8-8228-2999          Fax: +61-8-8235-6909
> > >
> >
> >
> >
>
>