Re: [OPSEC] [v6ops] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets

Mark Andrews <marka@isc.org> Fri, 17 August 2012 00:11 UTC

Return-Path: <marka@isc.org>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7849621F854D; Thu, 16 Aug 2012 17:11:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.149
X-Spam-Level:
X-Spam-Status: No, score=-1.149 tagged_above=-999 required=5 tests=[AWL=-1.450, BAYES_00=-2.599, J_CHICKENPOX_13=0.6, MANGLED_FROM=2.3]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vdh0bm-+u6-x; Thu, 16 Aug 2012 17:11:36 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by ietfa.amsl.com (Postfix) with ESMTP id F39AA21F84D1; Thu, 16 Aug 2012 17:11:35 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mail.isc.org", Issuer "RapidSSL CA" (not verified)) by mx.pao1.isc.org (Postfix) with ESMTPS id 17E51C95E8; Fri, 17 Aug 2012 00:11:28 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:470:1f00:820:cfc:a4ca:b051:82cf]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id C9D05216C6B; Fri, 17 Aug 2012 00:11:27 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id AA2D123ABFA7; Fri, 17 Aug 2012 10:11:16 +1000 (EST)
To: Warren Kumari <warren@kumari.net>
From: Mark Andrews <marka@isc.org>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <97EB7536A2B2C549846804BBF3FD47E10C3A2A@xmb-aln-x02.cisco.com> <001f01cd7a4e$d05c7390$71155ab0$@asgard.org> <EDA14A02-F441-44AA-B54A-FE0FE8C8C5B8@kumari.net>
In-reply-to: Your message of "Thu, 16 Aug 2012 15:40:15 -0400." <EDA14A02-F441-44AA-B54A-FE0FE8C8C5B8@kumari.net>
Date: Fri, 17 Aug 2012 10:11:16 +1000
Message-Id: <20120817001116.AA2D123ABFA7@drugs.dv.isc.org>
X-Mailman-Approved-At: Thu, 16 Aug 2012 21:52:52 -0700
Cc: 'Fernando Gont' <fgont@si6networks.com>, Lee Howard <lee@asgard.org>, opsec@ietf.org, 'v6ops v6ops WG' <v6ops@ietf.org>
Subject: Re: [OPSEC] [v6ops] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2012 00:11:36 -0000

In message <EDA14A02-F441-44AA-B54A-FE0FE8C8C5B8@kumari.net>, Warren Kumari writes:
> 
> On Aug 14, 2012, at 2:58 PM, Lee Howard wrote:
> 
> > From: v6ops-bounces@ietf.org [mailto:v6ops-bounces@ietf.org] On Behalf Of Eric Vyncke (evyncke)
> > Sent: Tuesday, August 14, 2012 4:43 AM
> > To: Gunter Van de Velde (gvandeve); opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org)
> > Cc: Fernando Gont
> > Subject: Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
> > 
> > - 1.0 please avoid all discussion about NAPT being ‘minimal/simple’ security, the days of scanning are over and have been replaced by malware download/email propagated
> > 
> > This is demonstrably false, and I can send you logs of scanning attempts foiled by NAPT.  NAT is crap security, but it’s not zero security.
> 
> Heretic!
> 
> Actually, I'd go so far as to drop the "crap" from the above -- while it isn't "real" security (whatever that means) it has become cool to simply beat on the NAT.
> 
> Yes, it's not awesome, but it *does* help prevent the secretary's desktop from getting owned quite as often. Yes, he should have it patched, yes it should be capable of protecting itself, yes, there should be a "real" security widget in front of it, but, well…
> 
> W

But the problem is that people think they need "NAT" as opposed to
a "stateful firewall with default allow out all, block in all".
NAPT effectively establishes the latter + munges with addresses and
ports.  It's the state table not the address/port translation that
stops scans.

Stateless NAT44 or NAT66 doesn't stop scans.

As for the secretary's desktop, how many of them would be owned
if LSR was being used to scan 192.168/16 through the NAT box?

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
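A small packet-policy model of the point Mark makes above, added here as an illustration; it is not code from the thread or from ISC. It compares a stateless 1:1 NAT44 rewrite with a port-translating NAT whose "allow out, block in" behaviour falls out of its flow table, and shows that unsolicited inbound probes are forwarded by the former and dropped by the latter. It also shows the flow table honouring a reply to an established flow while refusing a source-routed packet, which is the usual border hardening against the loose-source-route scan he asks about. All addresses, ports and packets are constructed, and the class and function names are this example's own.

```python
"""Toy model: a NAPT box stops unsolicited inbound probes because of its
connection-state table; a stateless 1:1 address rewrite forwards them.
Added example, not code from the thread; every address, port and packet
below is constructed for illustration."""
from dataclasses import dataclass, replace

PUBLIC = "203.0.113.1"      # constructed public address of the border box


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    source_routed: bool = False   # carries an IPv4 loose-source-route option


class StatelessNAT44:
    """1:1 address rewrite with no state: any packet addressed to the public
    address is rewritten to the mapped private address and forwarded."""

    def __init__(self, private_addr):
        self.private_addr = private_addr

    def outbound(self, pkt):
        return replace(pkt, src=PUBLIC)

    def inbound(self, pkt):
        if pkt.dst != PUBLIC:
            return None
        return replace(pkt, dst=self.private_addr)


class NAPT:
    """Port-translating NAT: outbound packets allocate a public port and
    record the flow; inbound packets are forwarded only if they match a
    recorded flow.  The state table, not the translation, blocks probes."""

    def __init__(self, drop_source_routed=True):
        self.flows = {}          # (remote, rport, public_port) -> (inside, inside_port)
        self.next_port = 50000
        self.drop_source_routed = drop_source_routed

    def outbound(self, pkt):
        pub_port = self.next_port
        self.next_port += 1
        self.flows[(pkt.dst, pkt.dport, pub_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=PUBLIC, sport=pub_port)

    def inbound(self, pkt):
        # Border hardening: never honour source-routed packets, so a loose
        # source route cannot be used to reach the inside prefix directly.
        if self.drop_source_routed and pkt.source_routed:
            return None
        inside = self.flows.get((pkt.src, pkt.sport, pkt.dport))
        if inside is None or pkt.dst != PUBLIC:
            return None
        return replace(pkt, dst=inside[0], dport=inside[1])


def probe_results(box, probes):
    """Return the inside (addr, port) pairs that unsolicited probes reached."""
    reached = []
    for p in probes:
        fwd = box.inbound(p)
        if fwd is not None:
            reached.append((fwd.dst, fwd.dport))
    return reached


# Constructed scan: one outside host probes a handful of well-known ports.
SCANNER = "198.51.100.7"
PROBES = [Packet(SCANNER, 40000 + i, PUBLIC, port)
          for i, port in enumerate((22, 139, 445, 3389))]


def compare():
    stateless = StatelessNAT44("192.168.1.10")
    napt = NAPT()
    # An inside host opens one legitimate flow so the NAPT box has state.
    out = napt.outbound(Packet("192.168.1.10", 40001, "198.51.100.200", 80))
    reply = Packet("198.51.100.200", 80, PUBLIC, out.sport)
    return {
        "stateless_reached": probe_results(stateless, PROBES),
        "napt_reached": probe_results(napt, PROBES),
        "napt_reply_forwarded": napt.inbound(reply) is not None,
        "napt_source_routed_forwarded":
            napt.inbound(replace(reply, source_routed=True)) is not None,
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(k, v)
```

Running it shows the stateless box delivering all four probes to 192.168.1.10 while the NAPT box delivers none, yet still passes the reply belonging to the flow the inside host opened; flipping `drop_source_routed` to `False` is the knob that would reopen the loose-source-route question.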