North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: IPv6 NAT

  • From: Owen DeLong
  • Date: Fri Oct 31 11:07:58 2003

--On Friday, October 31, 2003 7:35 AM -0600 Stephen Sprunk <[email protected]> wrote:

Thus spake "Tony Hain" <[email protected]>
Kuhtz, Christian wrote:
> All hairsplitting aside, given that the term NAT these days is mostly
> in a PAT (particularly in a customer connecting to the I) context, what
> isn't secure about?

mangling the header doesn't provide any security, and if you believe it
does, do the following exercise:
Mangling the header does not, but the stateful inspection and blocking
used by a dynamic NAT/NAPT certainly does.

The point is that the stateful inspection/blocking can be achieved without
A stateful filter that is automatically populated by traffic originated
the private side is what is providing 'security'. That function existed
in routers long before NAT was specified by the IETF (see RFC1044 for
True.  But consumers can't buy a RFC1044 device off the shelf today; what
they can buy are generic NAT/NAPT devices which provide a minimal
firewalling function _iff_ the user doesn't intentionally create holes.
While it'd be nice if these devices didn't _require_ NAT/NAPT for their
minimal operating mode, that's the configuration that is most likely to
work in the setting it's intended for.

I'm not sure about RFC1044, but, it's relatively easy to buy lots of
devices that will do stateful inspection without NAT off the shelf.
Any version of *NIX with iptables or ipchains, some Cisco routers,
Various Checkpoint software products, Cyberguard firewalls, Nokia,
Sonic, Netscreen, NetGuard, and others all support Stateful
inspection with or without NAT/PAT/NAPT.

There is NO security benefit to NAT/PAT/NAPT.  There is a security benefit
to stateful inspection.  NAT is harmful to many protocols.  Stateful
inspection is not.


If it wasn't signed, it probably didn't come from me.

Attachment: pgp00050.pgp
Description: PGP signature