[AusNOG] IPv4 Exhaustion, APNIC EC, and James is a nice bloke ; -)

Steve Baxter steve at thebaxters.com
Wed Jul 23 08:36:03 EST 2008


> > > Yes, but NAT is far better than everything in your house being globally
> > > addressable - by anybody !
> 
> This is a furphy.

Not really, I like the concept that in a utopian world that the device
makers and software coders will be up to the task of providing a robust
platform that may just do that. To provide a platform that will not poo
itself when it gets a malformed packet, wedge up and return in a UDP
packet to the source about the entire internal ARP/bridge/routing/'you
name it' table so you can then directly target things inside the
network. It is about *being able to route to these things* not how easy
or hard it is to find them - they will get found by devious means or by
just dumb appliance makers using defaults.

Just as some say NAT != security then surely obscurity also does not
equate to security. Security is not standing upright in a really large
open field hoping they can't see you (because this is better than
standing upright in a small open field) - once they see you - you get
shot ! If you can't have the bullet routed to you because the
intervening networks do not/can not carry it then that is better.

When we have $200k boxes come out with vulnerabilities in networking
code what hope does the $40 desktop/home thing have ?

"it's called progress and innovation. Mind if we have some" - sure, when
the coders and makers that create modern stacks, devices, chips etc are
up to the task then what you want makes sense. If educated users want to
have their home network globally addressable then go for it. Also, do
you think that we can have progress without opening 98% of the connected
devices to direct attack - I think we can.

SB

 
> Just because something is addressable does not mean it is reachable
> and exploitable.
> 
> Run the numbers.
> 
> Doing a port scan over all IP addresses in IPv4 is easy today because
> we have 32 bits of address space, small subnet sizes and it takes
> minutes.
> 
> Try doing a port scan over available addresses in a 128 bit address
> space. Takes eons. You've just multiplied security by obscurity by
> 2^56, given the default subnet size differences (2^8 vs 2^64).
> 
> So maybe we'll have valid IP addresses passed around like valid credit
> card numbers today. [Maybe they'll be the same thing someday.]
> 
> Sure, they can find the routers faster. So they'll target routers and
> servers instead. So we get back to securing the things we should be
> securing properly...
> 
> 
> > I'm not clear the security arises strictly from one's LAN not being "globally
> > addressable". We've got a border device with default-deny as its inbound
> > policy and automagic creation of short-term "pass this flow" rules triggered
> > by outbound traffic. Seems to me I could build a home LAN using global
> > addresses, connect to the world via a 1:1 NAT (no remapping of addr or
> > ports) and get the same 'security'.
> 
> Yup.
> 
> I can conceive of <insert patent request here> a device that pops up
> with a message: "Oh, you seem to have added a device to your home LAN
> today, what security settings would you like? <menu of options
> presented>"
> 
> It would come up on the home security notice board. That would have
> been modified when new device x tried to reach external party y, or
> simply affiliate with the router... And you would have seen it on the
> way in or out or at log in, or whatever your notification settings
> were...
> 
> 
> > (Not that I disagree with the observation that proliferation of NAT
> > in cheap CPE has probably 'saved' lots of consumers from network-launched
> > infection. But it _seems_ orthogonal to the global addressability of the
> > home machines.)
> 
> Yup, yup.
> 
> Yeah, I know, I'm dreaming...
> 
> it's called progress and innovation. Mind if we have some???
> 
> 
> --
> 
> 
> Narelle
> narellec at gmail.com
> _______________________________________________
> AusNOG mailing list
> AusNOG at ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
> 
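The quoted point that a default-deny border with "pass this flow" state created by outbound traffic gives the same protection whether or not addresses are rewritten, modelled as a small Python example added here (not code from the thread; the addresses, port range and 30-second ttl are constructed assumptions):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class Border:
    """Default-deny inbound filter; an outbound packet opens a short-lived flow entry.
    public=None is the 1:1 case from the thread (inside hosts keep globally routable
    addresses, nothing rewritten); public="203.0.113.1" is many-to-one NAT.
    Addresses, the port range and ttl are constructed for this example."""
    def __init__(self, public=None, ttl=30.0):
        self.public, self.ttl = public, ttl
        self.flows = {}      # (inside_ip, inside_port, peer_ip, peer_port) -> expiry time
        self.nat = {}        # mapped public port -> (inside_ip, inside_port)
        self.next_port = 40000

    def outbound(self, pkt, now):
        """Record the flow opened from inside, then return what the outside sees."""
        self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.ttl
        if self.public is None:
            return pkt                      # 1:1: source address and port unchanged
        mapped, self.next_port = self.next_port, self.next_port + 1
        self.nat[mapped] = (pkt.src, pkt.sport)
        return Pkt(self.public, mapped, pkt.dst, pkt.dport)

    def inbound(self, pkt, now):
        """Return the packet as delivered inside, or None when default-deny drops it."""
        inside = (pkt.dst, pkt.dport) if self.public is None else self.nat.get(pkt.dport)
        if inside is None:
            return None                     # no NAT mapping at all: unsolicited
        key = (inside[0], inside[1], pkt.src, pkt.sport)
        expiry = self.flows.get(key)
        if expiry is None or expiry < now:
            self.flows.pop(key, None)       # never opened from inside, or entry timed out
            return None
        return Pkt(pkt.src, pkt.sport, inside[0], inside[1])

def demo(public):
    """Same three inbound events through either border; all True is the thread's claim."""
    b = Border(public)
    seen = b.outbound(Pkt("192.0.2.10", 51000, "198.51.100.80", 80), now=0.0)
    reply = Pkt("198.51.100.80", 80, seen.src, seen.sport)     # answer to the opened flow
    probe = Pkt("198.51.100.99", 4444, seen.src, 22)           # reachable address, no flow
    return (b.inbound(reply, now=5.0) is not None,             # passed: matches live state
            b.inbound(probe, now=5.0) is None,                 # dropped: default-deny
            b.inbound(reply, now=60.0) is None)                # dropped: state expired
```

`demo(None)` and `demo("203.0.113.1")` return the same verdicts, which is the point: the filtering decision depends on the flow table, not on whether the inside address was translated.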