Re: [OPSEC] [v6ops] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
"Lee Howard" <lee@asgard.org> Fri, 17 August 2012 15:15 UTC
From: Lee Howard <lee@asgard.org>
To: 'Mark Andrews' <marka@isc.org>, 'Warren Kumari' <warren@kumari.net>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <97EB7536A2B2C549846804BBF3FD47E10C3A2A@xmb-aln-x02.cisco.com> <001f01cd7a4e$d05c7390$71155ab0$@asgard.org> <EDA14A02-F441-44AA-B54A-FE0FE8C8C5B8@kumari.net> <20120817001116.AA2D123ABFA7@drugs.dv.isc.org>
In-Reply-To: <20120817001116.AA2D123ABFA7@drugs.dv.isc.org>
Date: Fri, 17 Aug 2012 11:15:49 -0400
Message-ID: <000001cd7c8b$2fb8a1e0$8f29e5a0$@asgard.org>
Cc: 'Fernando Gont' <fgont@si6networks.com>, 'v6ops v6ops WG' <v6ops@ietf.org>, opsec@ietf.org
Subject: Re: [OPSEC] [v6ops] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
> > > > - 1.0 please avoid all discussion about NAPT being 'minimal/simple'
> > > > security, the days of scanning are over and have been replaced by
> > > > malware download/email propagated
> > >
> > > This is demonstrably false, and I can send you logs of scanning
> > > attempts foiled by NAPT. NAT is crap security, but it's not zero
> > > security.
> >
> > Heretic!
> >
> > Actually, I'd go so far as to drop the "crap" from the above -- while
> > it isn't "real" security (whatever that means) it has become cool to
> > simply beat on the NAT.
>
> But the problem is that people think they need "NAT" as opposed to a
> "stateful firewall with default allow out all, block in all".
> NAPT effectively establishes the latter + munges with addresses and
> ports. It's the state table not the address/port translation that
> stops scans.

That is true, but is not a flaw in the document. The offending text is:

   Finally, some transition/co-existence mechanisms (notably Teredo) are
   designed to traverse Network Address Translators (NATs), which in many
   deployments provide a minimum level of protection by only allowing
   those instances of communication that have been initiated from the
   internal network. Thus, these mechanisms might cause an internal host
   with otherwise limited IPv4 connectivity to become globally reachable
   over IPv6, therefore resulting in increased (and possibly unexpected)
   host exposure. That is, the aforementioned technologies might
   inadvertently allow incoming IPv6 connections from the Internet to
   hosts behind the organizational firewall.

Would you be happy if it said:

   to traverse Network Address Translators (NATs), which, by keeping a
   state table and only allowing inbound packets to hosts which have
   established outbound communication, provides a minimum level of
   protection. . .

I don't think a more thorough discussion of the different risk profiles
of full cone versus symmetric NAT, etc., is warranted here.

I absolutely agree that networks should have a stateful firewall. Would
you say that a stateful firewall is *even more important* now (with IPv6
ramping up) than it ever was before?

> Stateless NAT44 or NAT66 doesn't stop scans.

True. How is that relevant to a discussion of how unintentional IPv6 may
affect IPv4 networks?

> As for the secretary's desktop how many of them would be owned if LSR
> was being used to scan 192.168/16 through the NAT box?

Fewer than if it were even easier. Again, not really the point of the
document.

Lee

> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
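A toy model of the behaviour discussed in this message, added here as an example and not taken from the draft or from any poster: a "allow out all, block in all" filter keyed on the outer 5-tuple drops an unsolicited scan but admits an inbound Teredo datagram on a UDP flow the internal host itself opened, without ever seeing the IPv6 header tunneled inside it. All addresses are constructed, the `block_tunnels` option is an assumed extra policy (not something the page proposes), and the cone/symmetric NAT distinctions Lee sets aside are deliberately ignored.

```python
from dataclasses import dataclass
from typing import Optional

TEREDO_PORT = 3544  # UDP port used by Teredo (RFC 4380)

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inner_ipv6_dst: Optional[str] = None  # set when the UDP payload tunnels IPv6

class StatefulFilter:
    """Allow-out-all / block-in-all filter keyed on the outer 5-tuple."""
    def __init__(self, block_tunnels=False):
        self.state = set()                  # flows an internal host initiated
        self.block_tunnels = block_tunnels  # assumed extra policy, not from the page
        self.log = []

    def outbound(self, pkt):
        # Internal host initiates: record the flow so replies can come back.
        self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt):
        # Replies are matched against the recorded outbound flow using the
        # outer 5-tuple only; any tunneled IPv6 header is never inspected.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        allowed = key in self.state
        if self.block_tunnels and pkt.proto == "udp" and TEREDO_PORT in (pkt.sport, pkt.dport):
            allowed = False  # assumed policy: refuse known tunnel ports entirely
        self.log.append(("allow" if allowed else "drop", pkt))
        return allowed

def scenario(block_tunnels=False):
    """Returns (scan_reached_host, tunneled_ipv6_reached_host) for constructed traffic."""
    fw = StatefulFilter(block_tunnels)
    host, teredo_peer, scanner = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    # Unsolicited TCP SYN from a scanner: no state entry, so it is dropped.
    scan = fw.inbound(Packet("tcp", scanner, 40000, host, 445))
    # The host opens a Teredo UDP flow; the state table now has an entry for it.
    fw.outbound(Packet("udp", host, 50000, teredo_peer, TEREDO_PORT))
    # An inbound datagram on that flow carries an IPv6 packet for the host: the
    # outer 5-tuple matches, so the filter admits it without seeing the inner dst.
    tunneled = fw.inbound(Packet("udp", teredo_peer, TEREDO_PORT, host, 50000,
                                 inner_ipv6_dst="2001:db8::1"))
    return scan, tunneled
```

`scenario()` returns `(False, True)`: the IPv4 scan is stopped by the state table, yet IPv6 reaches the host over the tunnel, which is exactly the exposure the quoted draft text describes.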