<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>On 01/08/2008, at 10:59 AM, Chris Chaundy wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; "><div lang="EN-US" link="blue" vlink="blue" style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div class="Section1"><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy; ">It’s a while since I’ve had to deal with this, but as I understand it, there are protocols that embed addressing and port information in payloads which need to be fiddled if there is/are NAT(s) in the path. If the extended address space offered by IPv6 allows us to escape from the NAT ‘functionality’ (and we just have firewall security), then there is no need for any fiddling.</span></font></div></div></div></span></blockquote><div><br></div>But stateful firewalls still need to understand the protocol. Not understanding it properly still leads to a lack of connectivity (or too much) will still means it doesn't work and leads to problems and frustrations by the customers.</div><div><br></div><div>I'm just pointing out here that NAT isn't the problem. It's badly written software and poorly defined/implemented protocols no matter what shape/flavour they are. Getting rid of NAT and using stateful firewalls just paints the fence a different colour.</div><div><br></div><div><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; "><div lang="EN-US" link="blue" vlink="blue" style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div class="Section1"><p class="MsoNormal" style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy; "> </span></font></p><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy; ">Of course, as Macca pointed out, proxying will probably be the way things will go for most applications in the future anyway.</span></font></div></div></div></span></blockquote><div><br></div>So application level proxying is okay but NAT isn't? (*MMC looks around to check it's a joke he's not in on*)</div><div><br></div><div>MMC</div><div><br></div><div><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; "><div lang="EN-US" link="blue" vlink="blue" style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div class="Section1"><p class="MsoNormal" style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy; "> </span></font></p><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="2" face="Tahoma"><span style="font-size: 10pt; font-family: Tahoma; ">-----Original Message-----<br><b><span style="font-weight: bold; ">From:</span></b><span class="Apple-converted-space"> </span>Matthew Moyle-Croft [<a href="mailto:mmc@internode.com.au" style="color: blue; text-decoration: underline; ">mailto:mmc@internode.com.au</a>]<span class="Apple-converted-space"> </span><br><b><span style="font-weight: bold; ">Sent:</span></b><span class="Apple-converted-space"> </span>Friday, 1 August 2008 11:07 AM<br><b><span style="font-weight: bold; ">To:</span></b><span class="Apple-converted-space"> </span>Chris Chaundy<br><b><span style="font-weight: bold; ">Cc:</span></b><span class="Apple-converted-space"> </span><a href="mailto:ausnog@ausnog.net" style="color: blue; text-decoration: underline; ">ausnog@ausnog.net</a><br><b><span style="font-weight: bold; ">Subject:</span></b><span class="Apple-converted-space"> </span>Re: [AusNOG] IPv4 Exhaustion, APNIC EC, and James is a nice bloke ; -)</span></font></div><p class="MsoNormal" style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="3" face="Times New Roman"><span style="font-size: 12pt; "> </span></font></p><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="3" face="Times New Roman"><span style="font-size: 12pt; ">Stateful firewalls (the solution touted as required for CPE) still appear to require an understanding of the protocols going through them - to understand the "state" of a protocol and what connections can/should be opened up.</span></font></div></div><div><p class="MsoNormal" style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="3" face="Times New Roman"><span style="font-size: 12pt; "> </span></font></p></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="3" face="Times New Roman"><span style="font-size: 12pt; ">Remind me then how the protocol tweaking will decline? </span></font></div></div><div><p class="MsoNormal" style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="3" face="Times New Roman"><span style="font-size: 12pt; "> </span></font></p></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="3" face="Times New Roman"><span style="font-size: 12pt; ">MMC</span></font></div></div><div><p class="MsoNormal" style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="3" face="Times New Roman"><span style="font-size: 12pt; "> </span></font></p></div><div><p class="MsoNormal" style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="3" face="Times New Roman"><span style="font-size: 12pt; "> </span></font></p><div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="3" face="Times New Roman"><span style="font-size: 12pt; ">On 01/08/2008, at 10:08 AM, Chris Chaundy wrote:</span></font></div></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="3" face="Times New Roman"><span style="font-size: 12pt; "><br><br></span></font></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="3" face="Times New Roman"><span style="font-size: 12pt; ">A further comment on this topic - I agree entire on the comments<br>regarding accessibility versus addressability. One of the problems with<br>NAT is all the tweaking needed for some protocols that 'break the rules'<br>as far as layering of protocols go by embedding information about lower<br>layers in higher layers which leads to complexity which inevitably leads<br>to bugs.<br><br>While IPv6 is may problematic for some of these protocols, it is a<br>problem that will have to be solved, and once solved, NAT (and the<br>tweaking) will no longer be necessary when we have sufficient address<br>space (well in the perfect world anyway :-). Long live the KISS<br>principle...<br><br>-----Original Message-----<br>From:<span class="Apple-converted-space"> </span><a href="mailto:ausnog-bounces@ausnog.net" style="color: blue; text-decoration: underline; ">ausnog-bounces@ausnog.net</a><span class="Apple-converted-space"> </span>[<a href="mailto:ausnog-bounces@ausnog.net" style="color: blue; text-decoration: underline; ">mailto:ausnog-bounces@ausnog.net</a>] On<br>Behalf Of Mark Newton<br>Sent: Friday, 1 August 2008 8:51 AM<br>To: Robert Brockway<br>Cc:<span class="Apple-converted-space"> </span><a href="mailto:ausnog@ausnog.net" style="color: blue; text-decoration: underline; ">ausnog@ausnog.net</a><br>Subject: Re: [AusNOG] IPv4 Exhaustion, APNIC EC, and James is a nice<br>bloke ;-)<br><br><br>On 01/08/2008, at 1:11 AM, Robert Brockway wrote:<br><br></span></font></div><p class="MsoNormal" style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="3" face="Times New Roman"><span style="font-size: 12pt; "> </span></font></p><blockquote type="cite" style="margin-top: 5pt; margin-bottom: 5pt; "><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="3" face="Times New Roman"><span style="font-size: 12pt; ">Please excuse me if I'm wrong but it seems like you are equating</span></font></div></blockquote><blockquote type="cite" style="margin-top: 5pt; margin-bottom: 5pt; "><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="3" face="Times New Roman"><span style="font-size: 12pt; ">'publically accessible' to 'publically addressable'. They need not </span></font></div></blockquote><blockquote type="cite" style="margin-top: 5pt; margin-bottom: 5pt; "><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="3" face="Times New Roman"><span style="font-size: 12pt; ">be the</span></font></div></blockquote><blockquote type="cite" style="margin-top: 5pt; margin-bottom: 5pt; "><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="3" face="Times New Roman"><span style="font-size: 12pt; ">same thing as per earlier parts of the thread.</span></font></div></blockquote><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="3" face="Times New Roman"><span style="font-size: 12pt; "><br>There's a certain amount of cross-purposes discussion going on here.<br><br>I don't think anyone is equating the two issues in the way you've<br>described. It might be useful for you to assume that those in this<br>thread who have taken a contrary view have a full and complete<br>understanding of the problem and simply disagree with you.<br><br>Let me expand on it just slightly, by way of illustration.<br><br>Lets say you have some firewall code in your CPE. That's something<br>that controls "accessibility."<br><br>And lets also say you have some NAT code in your CPE. That's something<br>that controls "addressability."<br><br>Flows passing through the CPE are NAT'ed (re-addressed), and also<br>passed through the firewall. That seems to be the typical way that<br>most CPE works; Whether you're talking about a Cisco or a Billion,<br>the stateful inspection configuration stanzas and internal code paths<br>are different beasts.<br><br>Now -- Lets assume you're using cheap and nasty CPE that has<br>firmware that's of, shall we say, variable quality.<br><br>If the firewall is buggy, it'll incorrectly block some traffic and<br>incorrectly pass other traffic. The one Bevan is worried about is<br>incorrectly passing traffic to his fridge -- i.e., making an<br>incorrect decision about whether his fridge should be accessible.<br><br>Separately:<br><br>If the NAT code is buggy, it'll incorrectly translate inside<br>addresses to outside addresses. The degenerate, almost inevitable<br>case is that devices on the "inside" won't have an network access<br>due to NAT bugs.<br><br>Now consider each facility being present or not present individually,<br>and consider the failure modes.<br><br>In the presence of bugs on a device that has NAT and no firewall,<br>devices inside your network won't have network access.<br><br>In the presence of bugs on a device that has a firewall and no<br>NAT, incorrect decisions regarding accessibility will be made and<br>Bevan's fridge will conceivably be reachable from the outside.<br><br>In the presence of bugs on a device that has a firewall and NAT,<br>incorrect decisions regarding accessibility won't matter very<br>much because nothing on the inside is addressable, or, consequently,<br>reachable; and NAT failures will -still- cause devices inside<br>your network to not have network access.<br><br>So -- although NAT != security, what NAT *does* do is make your<br>firewall fail-safe. The preference in the event of a bug when<br>NAT is present is to deny access. The preference in the event of<br>a bug without NAT is to either incorrectly permit or incorrectly<br>deny, depending on the bug. NAT is, therefore, a net gain, and<br>a marginal improvement on the quality of the security provided<br>by the solution.<br><br>Now, I'm not emotionally attached to NAT, and I don't think its<br>inevitable culling in an IPv6 world represents a huge problem. But<br>I think you're making a mistake by suggesting that taking away<br>NAT makes no difference because protecting the network is the firewall's<br>job. We don't live in an ideal world, and some CPE firmware is so<br>badly tested that it won't even boot, so I don't think you can trust<br>the firewall. So what does that leave you with?<br><br><br></span></font></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="3" face="Times New Roman"><span style="font-size: 12pt; ">I would not allow my</span></font></div><blockquote type="cite" style="margin-top: 5pt; margin-bottom: 5pt; "><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="3" face="Times New Roman"><span style="font-size: 12pt; ">appliances to be publically accessible but I'm fine with them being</span></font></div></blockquote><blockquote type="cite" style="margin-top: 5pt; margin-bottom: 5pt; "><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="3" face="Times New Roman"><span style="font-size: 12pt; ">publically addressable.</span></font></div></blockquote><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="3" face="Times New Roman"><span style="font-size: 12pt; "><br>What about when your firewall is buggy? Is it ok then?<br><br><br> - mark<br><br>--<br>Mark Newton Email:<br><a href="mailto:newton@internode.com.au" style="color: blue; text-decoration: underline; ">newton@internode.com.au</a><span class="Apple-converted-space"> </span><br> (W)<br>Network Engineer Email: <br><a href="mailto:newton@atdot.dotat.org" style="color: blue; text-decoration: underline; ">newton@atdot.dotat.org</a><span class="Apple-converted-space"> </span> (H)<br>Internode Systems Pty Ltd Desk: +61-8-82282999<br>"Network Man" - Anagram of "Mark Newton" Mobile: +61-416-202-223<br><br><br><br><br><br>_______________________________________________<br>AusNOG mailing list<br><a href="mailto:AusNOG@ausnog.net" style="color: blue; text-decoration: underline; ">AusNOG@ausnog.net</a><br><a href="http://lists.ausnog.net/mailman/listinfo/ausnog" style="color: blue; text-decoration: underline; ">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>_______________________________________________<br>AusNOG mailing list<br><a href="mailto:AusNOG@ausnog.net" style="color: blue; text-decoration: underline; ">AusNOG@ausnog.net</a><br><a href="http://lists.ausnog.net/mailman/listinfo/ausnog" style="color: blue; text-decoration: underline; ">http://lists.ausnog.net/mailman/listinfo/ausnog</a></span></font></div></div></div><p class="MsoNormal" style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="3" face="Times New Roman"><span style="font-size: 12pt; "> </span></font></p><span style="orphans: 2; widows: 2; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-spacing: 0px; "><div apple-content-edited="true"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="1" color="black" face="Helvetica"><span style="font-size: 7pt; font-family: Helvetica; color: black; ">-- <br>Matthew Moyle-Croft Internode/Agile Peering and Core Networks<br>Level 4, 150 Grenfell Street, Adelaide, SA 5000 Australia<br>Email:<span class="Apple-converted-space"> </span><a href="mailto:mmc@internode.com.au" style="color: blue; text-decoration: underline; ">mmc@internode.com.au</a><span class="Apple-converted-space"> </span> Web: <a href="http://www.on.net/" style="color: blue; text-decoration: underline; ">http://www.on.net</a><br>Direct: +61-8-8228-2909<span class="apple-tab-span"> <span class="Apple-converted-space"> </span></span> Mobile: +61-419-900-366<br>Reception: +61-8-8228-2999 Fax: +61-8-8235-6909</span></font></div></div></div></div><p class="MsoNormal" style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="3" face="Times New Roman"><span style="font-size: 12pt; "></span> </font></p></span></div></div></div></span></blockquote></div><br><div apple-content-edited="true"> <span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>-- <br>Matthew Moyle-Croft Internode/Agile Peering and Core Networks<br>Level 4, 150 Grenfell Street, Adelaide, SA 5000 Australia<br>Email: <a href="mailto:mmc@internode.com.au">mmc@internode.com.au</a> Web: <a href="http://www.on.net/">http://www.on.net</a><br>Direct: +61-8-8228-2909<span class="Apple-tab-span" style="white-space: pre; "> </span><span class="Apple-tab-span" style="white-space: pre; "> </span> Mobile: +61-419-900-366<br>Reception: +61-8-8228-2999 Fax: +61-8-8235-6909<br></div></div></span> </div><br></body></html>