Re: [v6ops] NAT debate (Re: A common problem with SLAAC in "renumbering" scenarios)

Ca By <cb.list6@gmail.com> Fri, 22 February 2019 04:08 UTC

Return-Path: <cb.list6@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15135130E7E; Thu, 21 Feb 2019 20:08:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y5_1Av4LrEfL; Thu, 21 Feb 2019 20:08:14 -0800 (PST)
Received: from mail-yw1-xc35.google.com (mail-yw1-xc35.google.com [IPv6:2607:f8b0:4864:20::c35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 554FB130E25; Thu, 21 Feb 2019 20:08:14 -0800 (PST)
Received: by mail-yw1-xc35.google.com with SMTP id x21so338428ywx.11; Thu, 21 Feb 2019 20:08:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=kyVg+Y1TxL4QAzMAxd8oNrWylp5rqJRQiirxBU7mxcM=; b=Rqsyq2WwSvdU73L87UNUFkAuQoIKeZuyp3UaYBKFTWf0SdprLP9FLxZIzOTTnwy1B/ XgDsQ+MCiHVu8RxT/EutxeFJUS3mjr6bjYa0BEiF+baNWeFQI8ceUtwfr9WD5MdYV7OT r9ZxZX+wU1ywasewE/zAlQdsn99l18P6NkSBd36wmnAPM/AXXOE57dWCtKzSj8G4Zw2X I0tsjoyOC8o405NjA9FO83gztBhNMqcXIJWzpUY9y2nEjdA8uky6LgWfYrXO5yHnlvCK u4eZepd+FQlqFccJryOe4lp/tpeceayHtYcBcwzSbmn0ZCCxYeH3bk6SjKMWLZxALn/X WN/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kyVg+Y1TxL4QAzMAxd8oNrWylp5rqJRQiirxBU7mxcM=; b=WFwWzw3J8TfzltMY3Zz9OFoqqobT6zAjbTSMmsySiZm/uSnkWxsjaSosNt/24mfVbz 62Klgp2kjltf74ps07PKnst8e6/Pp8jhigRXMAdfkngAoT44g8z32DgDvtbYOI0ekavI 6v9oOYrwkttuqFKoVZmWC+GwcO07c1YtbN4i4ygsveufeE4VuIoeVPtwfKcezoXZwh86 zUvdo/zhM6KiKK9ExbFjeaQWladMwm95xeZ2KYqqJ80KPy5mM3u3luJo7HNDu93CI2E4 PQg2Vru1Iq5eA8grJyMZ1TpolXRH8qfdzbPGz02suYGESNPb8GFla1V6U1cBlqMKHYb0 eolw==
X-Gm-Message-State: AHQUAuYftihjiHogVB3q5AOWY6ZUq/bw8iPbw/YsHF7qMkLSKnjIawF+ EETKwfxAzsKBLSwCiyE/WFu5XRMxopQAO5XwbHzmBA==
X-Google-Smtp-Source: AHgI3IZHOhCWRilfmzP29nHl9UvyZHNwNaQ+s7g/n7GuOuM+5CfmFmIIQRubESSz4OCS6rIhPqNjR/riubby1B4anVY=
X-Received: by 2002:a0d:e2ce:: with SMTP id l197mr1672517ywe.226.1550808492783; Thu, 21 Feb 2019 20:08:12 -0800 (PST)
MIME-Version: 1.0
References: <6D78F4B2-A30D-4562-AC21-E4D3DE019D90@consulintel.es> <B6E2EC33-EEAF-40D0-AFCC-BDAFA9134ACD@consulintel.es> <20190220113603.GK71606@Space.Net> <28fbc2c305c640c9afb3704050f6e8d7@boeing.com> <20190220213107.GS71606@Space.Net> <019c552eb1624d348641d6930829fd1f@boeing.com> <CAKD1Yr0HBG+rhyFWg9zh0t3mW486Mjx9umjn+CRqAZg4z9r0dg@mail.gmail.com> <20190221073530.GT71606@Space.Net> <CAO42Z2wmB2W52b4MZ2h9sW5E9cQKm-HRjyf--q8C26jezS7LXQ@mail.gmail.com> <a73818d31db7422b99a524bc431b00ed@boeing.com> <CAO42Z2z9-48Gbb_Exf+oWUqDO=axSLpZBtqeDcxkAoFq5OziGw@mail.gmail.com> <CALx6S3624hnGauG1HaSWPMvQw0t2Q5R3gb8W4R8w3kuK7dcrWQ@mail.gmail.com> <1F07F2BB-2F37-4D12-9731-7892DF4E3D88@consulintel.es> <1470063a-db4b-d2fc-a709-68e30736fbed@si6networks.com> <CALx6S36K5v9gusorEvj_uJjW4YwgERGdoWZOABREMpnqhJWJPw@mail.gmail.com> <DM6PR04MB4009E6096E8CF525931D46A5DD7F0@DM6PR04MB4009.namprd04.prod.outlook.com> <CALx6S36_aOy3273zGM+26z+04xF2q4_iBfj6LkFjX3qvuJZERw@mail.gmail.com> <DM6PR04MB40096241EB14D0526F7131CDDD7F0@DM6PR04MB4009.namprd04.prod.outlook.com>
In-Reply-To: <DM6PR04MB40096241EB14D0526F7131CDDD7F0@DM6PR04MB4009.namprd04.prod.outlook.com>
From: Ca By <cb.list6@gmail.com>
Date: Thu, 21 Feb 2019 21:08:01 -0700
Message-ID: <CAD6AjGRh1z9+N6K423e5kcPFceDXA8CcBX6EJ4uzv80SC_VW-g@mail.gmail.com>
Subject: Re: [v6ops] NAT debate (Re: A common problem with SLAAC in "renumbering" scenarios)
To: Kristian McColm <kristianmccolm@hotmail.com>
Cc: "6man@ietf.org" <6man@ietf.org>, Fernando Gont <fgont@si6networks.com>, IPv6 Operations <v6ops@ietf.org>, JORDI PALET MARTINEZ <jordi.palet=40consulintel.es@dmarc.ietf.org>, Tom Herbert <tom@herbertland.com>
Content-Type: multipart/alternative; boundary="00000000000053c016058273bd41"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/uoW4zvtAr_VG6BoXQ2vxmgHpcXw>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Feb 2019 04:08:17 -0000

On Thu, Feb 21, 2019 at 8:31 PM Kristian McColm <kristianmccolm@hotmail.com>
wrote:

> Then by that same token, can the end user devices, network services and
> network devices not provide their own packet filtering and other security
> mechanisms rather than forcing all network traffic to traverse centralized
> security devices?
>
> It won't be a popular opinion with network security folks and security
> appliance vendors, but I am a believer that the endpoint device is the
> right place to implement network security. Intermediary network devices
> should not, in my opinion be doing anything other than forwarding packets
> to their destination.
>

+1, i have had a good experience removing stateful devices for the majority
of flows from a large mobile network over the last 5 years as we
transitioned for 464xlat.   No downsides.

And, with larger ipv6 space and random iid, discoverability risk is very
low for 3rd parties / scans / botnets

CB

> ------------------------------
> *From:* Tom Herbert <tom@herbertland.com>
> *Sent:* Thursday, February 21, 2019 9:53:50 PM
> *To:* Kristian McColm
> *Cc:* Fernando Gont; IPv6 Operations; 6man@ietf.org; JORDI PALET MARTINEZ
>
> *Subject:* Re: [v6ops] NAT debate (Re: A common problem with SLAAC in
> "renumbering" scenarios)
>
> On Thu, Feb 21, 2019 at 6:25 PM Kristian McColm
> <kristianmccolm@hotmail.com> wrote:
> >
> > Amen to that. Make the end user devices responsible for their own
> security.
> >
> Kristian,
>
> Devices and applications are already responsible for their own
> security. No serious application or OS would ever rely on the presence
> of an external firewall for its security.
>
> However, there is still some benefit of stateful firewalls to protect
> network resources from attack. So we want the functionality of a
> stateful firewall in stateless solution without any of the annoying
> limitations of stateful devices (like they only work with certain
> protocols, force flows to traverse specific intermediate nodes, are
> single points of failure, etc). FAST ( draft-herbert-fast-00) is one
> proposal for this.
>
> Tom
>
> _______________________________
> > From: v6ops <v6ops-bounces@ietf.org> on behalf of Tom Herbert <
> tom@herbertland.com>
> > Sent: Thursday, February 21, 2019 9:23:38 PM
> > To: Fernando Gont
> > Cc: IPv6 Operations; 6man@ietf.org; JORDI PALET MARTINEZ
> > Subject: Re: [v6ops] NAT debate (Re: A common problem with SLAAC in
> "renumbering" scenarios)
> >
> > On Thu, Feb 21, 2019 at 6:13 PM Fernando Gont <fgont@si6networks.com>
> wrote:
> > >
> > > On 21/2/19 22:58, JORDI PALET MARTINEZ wrote:
> > > >
> > > >     I agreee with that with one exception. I believe that NAT/IPv4
> can
> > > >     offer better privacy in addressing than IPv6 given current addess
> > > >     allocation methods.
> > > >
> > > > I'm for as much privacy as possible, however, not at the cost of
> things such as:
> > > > - Unnecessary complexity increase
> > > > - Moving from peer-to-peer to client-server for everything
> > > > - Single point of failure
> > > > - Increasing the attacks chances by reducing the surface to the
> servers
> > > > - Increase the complexity of app development
> > > > - Complexity to host services in "clients"
> > > > - Complexity to use "freely" and "efficient" DNS
> > > > - etc
> > >
> > > There are two protocols associated with NATs:
> > > 1) Apps that incorporate IP addresses and ports in the app protocol
> > > require an ALG
> > > 2) Because of of the "only allow outgoing connections" side-effect of
> > > NATs, you need UPnP to open holes in the NAT, or some NAT traversal
> > > technique.
> > >
> > >
> > > "1)" goes away when you remove the NAT.
> > >
> > > "2)" does not if you replace the NAT with a stateful firewall that only
> > > allows outgoing connections. -- the majority of the IPv6 deployments
> > > I've seen use this policy/model. And, of course, this is also a single
> > > point of failure, will also increase application complexity, etc.,
> etc.,
> > > etc.
> >
> > So we need to eliminate stateful firewalls as well as NAT...
> >
> > Tom
> >
> > >
> > >
> > >
> > > --
> > > Fernando Gont
> > > SI6 Networks
> > > e-mail: fgont@si6networks.com
> > > PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
> > >
> > >
> > >
> > >
> >
> > _______________________________________________
> > v6ops mailing list
> > v6ops@ietf.org
> > https://www.ietf.org/mailman/listinfo/v6ops
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>