[AusNOG] IPv6 excuses

Peter Fern ausnog at 0xc0dedbad.com
Sun May 29 13:43:20 EST 2016


On 05/29/16 11:52, Mark Newton wrote:
> On 28 May 2016, at 1:13 PM, Peter Fern <ausnog at 0xc0dedbad.com> wrote:
>>> Being behind a NAT doesn't protect devices. All it takes is a single
>>> compromised machine.  The same applies to firewalls.  Each and every
>>> device needs to protect itself.
>> Being behind NAT (or a CPE firewall) does protect insecure devices from
>> providing additional pivots into the network though.  And, you know,
>> stops the Internet from playing with people's 'smart' lights, watching
>> their IP cams, etc.
> You are simply wrong.
> http://arstechnica.com/security/2016/01/how-to-search-the-internet-of-things-for-photos-of-sleeping-babies/
>
> Being behind a NAT might protect you against classes of attacks that were
> considered big deals back in Internet ancient history, but they don’t make
> any realistic difference to anything on today’s internet.

How does that logic work?  You're saying that because there are other
vectors, we should just ignore the possibility that putting insecure
hosts directly on the Internet exposes them to that same class of
attacks from ancient history?

> You seem to have this belief that you can erect a countermeasure such as a
> NAT, and the people doing the attacking will throw their hands up and say,
> “Well, dammit, he’s installed a NAT now. We’re screwed. Oh well, let’s go
> and play golf.”

No.  I'm just suggesting that opening users up to additional threat
types - when there is a simple method to avoid doing so - seems like a
foolish idea.

> No. What actually happens is that you put up a NAT in 2001, and by 2003 the
> threat landscape moved on to other attack vectors, so whether you’re using a
> NAT or not has been rendered irrelevant.
>
> But meanwhile, you’re still sitting back here talking about NAT improving
> security as if it’s still 2001.

They moved on to other attack vectors because they had to, so obviously
NAT did have an impact on the threat landscape.

>> You might argue that end users should deal with this themselves, but
>> many end users are either incapable or uninformed, and if it's trivial
>> to provide protection at the CPE with minimal impact, how is this a bad
>> idea?
> Is this seriously an excuse for not deploying IPv6? That IPv6 should not be
> deployed because people on the IPv4 internet suffer application-based attacks?
>
> O_o

No, and I don't know how you read this into what I said.  I'm just
suggesting that deployment should be done with care, and consideration
for the impact on users.
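
As an added illustration (not part of the original thread and not any participant's words): the "simple CPE protection" position above amounts to a stateful filter that drops unsolicited inbound connections while letting LAN-initiated flows and their replies through. That property comes from connection tracking, not from address translation, so an IPv6 CPE can provide it without NAT. The ruleset below is an nftables rendering of that policy in the spirit of RFC 6092 (simple security for residential IPv6 CPE); the table name, the interface names lan0/wan0 and the 2001:db8:: pinhole address are assumptions for the example.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original thread. Interface names (lan0, wan0),
# the table name and the 2001:db8:1::10 address are assumptions.
flush ruleset

table inet cpe_v6 {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows the LAN opened. This is the whole "NAT protects me"
        # property, delivered by conntrack state rather than by translation.
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 the LAN must receive even when unsolicited (path MTU
        # discovery, error reporting). Dropping these breaks IPv6 silently.
        # Echo is optional and shown here as permitted.
        meta nfproto ipv6 icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request
        } accept

        # Anything the LAN initiates toward the Internet.
        iifname "lan0" oifname "wan0" accept

        # Everything else arriving from the WAN for a LAN host hits the drop
        # policy, so the 'smart' light or IP cam is unreachable unless a
        # pinhole is added explicitly. Example pinhole, left disabled:
        # iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1::10 tcp dport 443 ct state new accept
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # Neighbour discovery, router advertisements and MLD are link-local
        # ICMPv6 the CPE itself needs; the error/echo types as in forward.
        meta nfproto ipv6 icmpv6 type {
            nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit,
            nd-router-advert, mld-listener-query, destination-unreachable,
            packet-too-big, time-exceeded, parameter-problem, echo-request
        } accept

        # Services the CPE offers to the LAN side only (DNS, DHCPv6 server).
        iifname "lan0" udp dport { 53, 547 } accept
        iifname "lan0" tcp dport 53 accept
    }
}
```

Load with `nft -f` and verify from outside with a probe to a LAN host's global address: a `ct state new` TCP SYN from the WAN must be dropped, while a TCP session the LAN host opens first must complete. The usual mistake when reproducing a NAT-like policy on IPv6 is to drop all ICMPv6; the packet-too-big type in particular has to pass, or connections to hosts behind smaller MTUs will hang rather than fail visibly.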

