Re: [v6ops] NAT debate (Re: A common problem with SLAAC in "renumbering" scenarios)

[Kristian McColm <kristianmccolm@hotmail.com>]

Then by that same token, can the end user devices, network services and network devices not provide their own packet filtering and other security mechanisms rather than forcing all network traffic to traverse centralized security devices?

It won't be a popular opinion with network security folks and security appliance vendors, but I am a believer that the endpoint device is the right place to implement network security. Intermediary network devices should not, in my opinion be doing anything other than forwarding packets to their destination.
________________________________
From: Tom Herbert <tom@herbertland.com>
Sent: Thursday, February 21, 2019 9:53:50 PM
To: Kristian McColm
Cc: Fernando Gont; IPv6 Operations; 6man@ietf.org; JORDI PALET MARTINEZ
Subject: Re: [v6ops] NAT debate (Re: A common problem with SLAAC in "renumbering" scenarios)

On Thu, Feb 21, 2019 at 6:25 PM Kristian McColm
<kristianmccolm@hotmail.com> wrote:
>
> Amen to that. Make the end user devices responsible for their own security.
>
Kristian,

Devices and applications are already responsible for their own
security. No serious application or OS would ever rely on the presence
of an external firewall for its security.

However, there is still some benefit of stateful firewalls to protect
network resources from attack. So we want the functionality of a
stateful firewall in stateless solution without any of the annoying
limitations of stateful devices (like they only work with certain
protocols, force flows to traverse specific intermediate nodes, are
single points of failure, etc). FAST ( draft-herbert-fast-00) is one
proposal for this.

Tom

_______________________________
> From: v6ops <v6ops-bounces@ietf.org> on behalf of Tom Herbert <tom@herbertland.com>
> Sent: Thursday, February 21, 2019 9:23:38 PM
> To: Fernando Gont
> Cc: IPv6 Operations; 6man@ietf.org; JORDI PALET MARTINEZ
> Subject: Re: [v6ops] NAT debate (Re: A common problem with SLAAC in "renumbering" scenarios)
>
> On Thu, Feb 21, 2019 at 6:13 PM Fernando Gont <fgont@si6networks.com> wrote:
> >
> > On 21/2/19 22:58, JORDI PALET MARTINEZ wrote:
> > >
> > >     I agreee with that with one exception. I believe that NAT/IPv4 can
> > >     offer better privacy in addressing than IPv6 given current addess
> > >     allocation methods.
> > >
> > > I'm for as much privacy as possible, however, not at the cost of things such as:
> > > - Unnecessary complexity increase
> > > - Moving from peer-to-peer to client-server for everything
> > > - Single point of failure
> > > - Increasing the attacks chances by reducing the surface to the servers
> > > - Increase the complexity of app development
> > > - Complexity to host services in "clients"
> > > - Complexity to use "freely" and "efficient" DNS
> > > - etc
> >
> > There are two protocols associated with NATs:
> > 1) Apps that incorporate IP addresses and ports in the app protocol
> > require an ALG
> > 2) Because of of the "only allow outgoing connections" side-effect of
> > NATs, you need UPnP to open holes in the NAT, or some NAT traversal
> > technique.
> >
> >
> > "1)" goes away when you remove the NAT.
> >
> > "2)" does not if you replace the NAT with a stateful firewall that only
> > allows outgoing connections. -- the majority of the IPv6 deployments
> > I've seen use this policy/model. And, of course, this is also a single
> > point of failure, will also increase application complexity, etc., etc.,
> > etc.
>
> So we need to eliminate stateful firewalls as well as NAT...
>
> Tom
>
> >
> >
> >
> > --
> > Fernando Gont
> > SI6 Networks
> > e-mail: fgont@si6networks.com
> > PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
> >
> >
> >
> >
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops