[AusNOG] IPv4 Exhaustion, APNIC EC, and James is a nice bloke ; -)

Narelle narellec at gmail.com
Tue Jul 22 18:21:19 EST 2008


On 7/20/08, grenville armitage <garmitage at swin.edu.au> wrote:
> Steve Baxter wrote:
> >> NAT != security.
> >
> > Yes, but NAT is far better than everything in your house being globally
> > addressable - by anybody !

This is a furphy.

Just because something is addressable does not mean it is reachable
and exploitable.

Run the numbers.

Doing a port scan over all IP addresses in IPv4 is easy today because
we have 32 bits of address space, small subnet sizes and it takes
minutes.

Try doing a port scan over available addresses in a 128 bit address
space. Takes eons. You've just multiplied security by obscurity by
2^56, given the default subnet size differences (2^8 vs 2^64).

So maybe we'll have valid IP addresses passed around like valid credit
card numbers today. [Maybe they'll be the same thing someday.]

Sure, they can find the routers faster. So they'll target routers and
servers instead. So we get back to securing the things we should be
securing properly...


> I'm not clear the security arises strictly from one's LAN not being "globally
> addressable". We've got a border device with default-deny as its inbound
> policy and automagic creation of short-term "pass this flow" rules triggered
> by outbound traffic. Seems to me I could build a home LAN using global
> addresses, connect to the world via a 1:1 NAT (no remapping of addr or
> ports) and get the same 'security'.

Yup.

I can conceive of <insert patent request here> a device that pops up
with a message: "Oh, you seem to have added a device to your home LAN
today, what security settings would you like? <menu of options
presented>"

It would come up on the home security notice board. That would have
been modified when new device x tried to reach external party y, or
simply affiliate with the router... And you would have seen it on the
way in or out or at log in, or whatever your notification settings
were...


> (Not that I disagree with the observation that proliferation of NAT
> in cheap CPE has probably 'saved' lots of consumers from network-launched
> infection. But it _seems_ orthogonal to the global addressability of the
> home machines.)

Yup, yup.

Yeah, I know, I'm dreaming...

it's called progress and innovation. Mind if we have some???


-- 


Narelle
narellec at gmail.com
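The default-deny border device described in the quoted paragraph, as an added illustration that is not code from this thread: a minimal stateful filter whose accept/deny decisions are the same whether the LAN endpoint is passed through unchanged (1:1 NAT, no remapping) or remapped to a different address and port. All addresses and the `nat` callable are constructed for the example.

```python
from typing import Callable, Dict, Optional, Tuple

Endpoint = Tuple[str, int]            # (ip, port)
Packet = Tuple[Endpoint, Endpoint]    # (src, dst) as seen on the wire


class StatefulBorder:
    """Border device with default-deny inbound.

    An outbound packet installs a short-lived 'pass this flow' rule for the
    matching reply; inbound packets are accepted only while such a rule
    exists. `nat` optionally translates the LAN endpoint on the way out;
    the identity function models 1:1 NAT with no remapping.
    """

    def __init__(self, ttl: float = 30.0,
                 nat: Optional[Callable[[Endpoint], Endpoint]] = None):
        self.ttl = ttl
        self.nat = nat or (lambda ep: ep)
        # (remote endpoint, external endpoint) -> expiry time
        self.allowed: Dict[Tuple[Endpoint, Endpoint], float] = {}

    def outbound(self, lan_src: Endpoint, remote: Endpoint, now: float) -> Packet:
        ext = self.nat(lan_src)
        self.allowed[(remote, ext)] = now + self.ttl   # expect a reply to ext
        return (ext, remote)                           # what the Internet sees

    def inbound(self, pkt: Packet, now: float) -> bool:
        remote, ext = pkt
        expiry = self.allowed.get((remote, ext))
        if expiry is None or expiry < now:
            self.allowed.pop((remote, ext), None)      # drop stale rule, if any
            return False                               # default deny
        return True


def scenario(nat=None) -> Dict[str, bool]:
    """Same constructed traffic through the filter; returns the decisions."""
    fw = StatefulBorder(ttl=30.0, nat=nat)
    lan_host = ("192.0.2.10", 40000)      # LAN host with a global address
    web = ("203.0.113.5", 443)            # site the host connects to
    scanner = ("198.51.100.9", 55555)     # unsolicited outside party
    ext, _ = fw.outbound(lan_host, web, now=0.0)
    return {
        "reply_allowed": fw.inbound((web, ext), now=1.0),
        "unsolicited_denied": not fw.inbound((scanner, ext), now=1.0),
        "after_expiry_denied": not fw.inbound((web, ext), now=45.0),
    }
```

Calling `scenario()` and `scenario(nat=lambda ep: ("192.0.2.1", 61000))` yields identical decisions, which is the point made in the quoted paragraph: the protection comes from the default-deny flow table, not from hiding the LAN address.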


