[AusNOG] IPv4 Exhaustion, APNIC EC, and James is a nice bloke ; -)

Kris Price ausnog at punk.co.nz
Sun Jul 20 16:19:05 EST 2008


I think this is what people are after when they talk about NAT. It's the 
stateful-ish firewalling function that these devices perform, whether it 
be through their firewalling capabilities that many of them have, or the 
impression of stateful firewalling that NAT brings. It has nothing to do 
with whether your stereo or nintendo DS is publicly addressed.

I'd like to see accessible devices all throughout the home, so that they 
_can_ be managed. Not necessarily by the end-user, but by the appliance 
manufacturer, or a third party, or hell, a fancy Web-2.0 site that talks 
to all your devices for you through one easy central portal. <-- (If 
anyone makes a wad on that one, I want in.)

Even worse is if you don't, and assume because they're behind a NAT box 
they'll stay safe. Yeah, until the user runs a flash applet that 
exploits his box, or the recipes display on your fridge does the 
same thing, and proceeds to take over the entire home network, or one of 
the thousand other ways it could happen.




Nathan Gardiner wrote:
> I'm not sure I understand why this issue couldn't be addressed by CPE
> manufacturers providing an almost functionally equivalent security
> default for IPv6 equipment. In other discussions, the point has been
> raised that the traditional address space randomisation attacks that
> existing worms and other malware currently use would be much less
> effective against the vast IPv6 address space.
> 
> Yes, it's obscurity at its best, but a useful deterrent and possibly
> the diminishing of a common attack vector.
> 
> If CPE devices performed stateful packet inspection (which is no great
> feat, many do and NAT equipment already maintains a similar connection
> table) allowing by default only replies to established connections,
> with a function similar to the UPNP protocol to allow software to
> maintain dynamic ACLs where required, and the ability for manual
> inbound rules to be configured (much like the current static port
> forwarding functionality) you would have near equivalence.
> 
> The fact that the address space allocation is derived from a public
> pool should not invalidate existing security models, it just removes
> the requirement for IP header rewriting.
> 
> 
> PS. No zealot here. I've just seen too many organisations with complex
> internal NAT configurations trying to manage change.
> 
> Nathan
> 
>  On Sat, Jul 19, 2008 at 10:19 PM, Steve Baxter <steve at thebaxters.com> wrote:
>>> NAT != security.
>> Yes, but NAT is far better than everything in your house being globally
>> addressable - by anybody !
>>
>> Do you look forward to the day your IP enabled stereo wakes you at 3am
>> in the morning with spam that it is playing at 140W RMS because NAT !=
>> security ? Consumer devices are cheap therefore will rarely if ever see
>> either decent firmware in the first place or regular updates as old
>> software is exploited. Why have it as easy as walking address space
>> (larger universe in 6 admittedly) to find things that can be targeted.
>>
>> Can you imagine a world now (the IPv4 world) where every rancid pile of
>> plastic and silicon from a cheap manufacturer in the home was globally
>> addressable ? In warfare do you want to be bullet proof (like a tank -
>> not very bullet proof and they are at the highest state of art) or
>> hidden ? If they can't see you they can't shoot you !
>>
>> Now watch the zealots :-)
>>
>> SB
>>
>>>> I really don't understand the anti-NAT zealots. It's like they want
>>> to take all of the things we've learned about giving public IPs to
>>> workstations (DCOM/RPC/NetBios exploits) and repeat them, all over
>>> again. No NAT = bad mmkay?
>>>> ________________________________________
>>>> From: ausnog-bounces at ausnog.net [ausnog-bounces at ausnog.net] On
>> Behalf
>>> Of Matthew Moyle-Croft [mmc at internode.com.au]
>>>> Sent: Friday, 18 July 2008 12:45 PM
>>>> To: Noel Butler
>>>> Cc: ausnog at ausnog.net
>>>> Subject: Re: [AusNOG] IPv4 Exhaustion, APNIC EC, and James is a nice
>>> bloke ; -)
>>>> My point was more that I've got an IPv4 /24 and use 10 addresses.
>>> I've got an IPv6 /56 and use 6 addresses (my media players etc don't
>> do
>>> v6 yet).    The density of allocation has decreased by <insert
>>> depressingly large number> (even if I just had a /64 for home) just to
>>> appease the anti-NAT zealots worshipping at the altar of the RFC2462
>>> god.   I hope their puny stateful firewalls let the evil spirits into
>>> their networks and corrupt their virgin servers.
>>>> MMC
>>>>
>>>> PS.  History never repeats, I tell myself before I go to sleep.
>>>>
>>>>
>>>> Noel Butler wrote:
>>>> this adds further proof about abuse and waste of existing IP
>>> resources, at least MMC is man enough to admit he's one of the guilty.
>>>>
>>>> On Fri, 2008-07-18 at 10:32, Matthew Moyle-Croft wrote:
>>>>
>>>> Free != Allocatable.
>>>>
>>>> ie.  I have an (ancient) class C of my own at home.   I use about 10
>>>> addresses all up.   So there are, let's call it 244 free.
>>>> But no one can get an allocation out of that or, for example,
>> Apple's
>>> /8.
>>>> MMC
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> ________________________________
>>>>
>>>> _______________________________________________
>>>> AusNOG mailing list
>>>> AusNOG at ausnog.net<mailto:AusNOG at ausnog.net>
>>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>>
>>>>
>>>>
>>>> --
>>>> Matthew Moyle-Croft Internode/Agile Peering and Core Networks
>>>> Level 4, 150 Grenfell Street, Adelaide, SA 5000 Australia
>>>> Email: mmc at internode.com.au<mailto:mmc at internode.com.au>  Web:
>>> http://www.on.net
>>>> Direct: +61-8-8228-2909             Mobile: +61-419-900-366
>>>> Reception: +61-8-8228-2999          Fax: +61-8-8235-6909
>>>>
>>>
>>
> 
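The default-deny, allow-established CPE policy Nathan describes above (stateful inspection, replies to LAN-initiated connections only, plus an explicit static inbound rule in place of a port forward), written out as an added example in nftables syntax. It is not from the thread; the interface names wan0/lan0, the host address and the documentation prefix 2001:db8:1234:5600::/56 are assumptions.

```nft
# Added example, not from the thread: IPv6 forwarding policy for a home CPE.
# Assumed interfaces: wan0 (upstream) and lan0 (home LAN, 2001:db8:1234:5600::/56).
flush ruleset

table ip6 cpe_v6 {
    chain forward {
        # Anything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to connections the LAN opened: the same connection
        # table a NAT box keeps, minus the address rewriting.
        ct state established,related accept

        # Packets conntrack cannot match to any flow.
        ct state invalid drop

        # LAN hosts may open outbound connections by default.
        iifname "lan0" oifname "wan0" accept

        # IPv6 breaks without these ICMPv6 messages (PMTUD, errors), so
        # pass them rate-limited; echo-request is optional and can be
        # dropped if LAN hosts should not answer pings from outside.
        iifname "wan0" icmpv6 type {
            destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem, echo-request
        } limit rate 10/second accept

        # Manual inbound rule, the equivalent of a static port forward:
        # one host, one port. A UPnP-like agent would add rules of this
        # shape dynamically for applications that need them.
        iifname "wan0" ip6 daddr 2001:db8:1234:5601::10 tcp dport 22 accept

        # Count what falls through to the drop policy, for visibility.
        counter
    }
}
```

Load with `nft -f <file>` on the CPE; `nft list ruleset` shows the counters, which is a quick way to confirm unsolicited inbound traffic is actually being dropped.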



