IETF Logo Mail Archive

Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets

"Lee Howard" <lee@asgard.org> Fri, 17 August 2012 15:15 UTC

Return-Path: <lee@asgard.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DB9021E8045 for <v6ops@ietfa.amsl.com>; Fri, 17 Aug 2012 08:15:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.513
X-Spam-Level:
X-Spam-Status: No, score=-1.513 tagged_above=-999 required=5 tests=[AWL=1.087, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lYngWOGpxaly for <v6ops@ietfa.amsl.com>; Fri, 17 Aug 2012 08:15:51 -0700 (PDT)
Received: from omr9.networksolutionsemail.com (omr9.networksolutionsemail.com [205.178.146.59]) by ietfa.amsl.com (Postfix) with ESMTP id 58D0511E80D5 for <v6ops@ietf.org>; Fri, 17 Aug 2012 08:15:51 -0700 (PDT)
Received: from cm-omr8 (mail.networksolutionsemail.com [205.178.146.50]) by omr9.networksolutionsemail.com (8.13.8/8.13.8) with ESMTP id q7HFFolH019968 for <v6ops@ietf.org>; Fri, 17 Aug 2012 11:15:50 -0400
Authentication-Results: cm-omr8 smtp.user=lee@asgard.org; auth=pass (LOGIN)
X-Authenticated-UID: lee@asgard.org
Received: from [204.235.115.163] ([204.235.115.163:18490] helo=HDC00042402) by cm-omr8 (envelope-from <lee@asgard.org>) (ecelerity 2.2.2.41 r(31179/31189)) with ESMTPA id 68/42-11452-6206E205; Fri, 17 Aug 2012 11:15:50 -0400
From: Lee Howard <lee@asgard.org>
To: 'Mark Andrews' <marka@isc.org>, 'Warren Kumari' <warren@kumari.net>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <97EB7536A2B2C549846804BBF3FD47E10C3A2A@xmb-aln-x02.cisco.com> <001f01cd7a4e$d05c7390$71155ab0$@asgard.org> <EDA14A02-F441-44AA-B54A-FE0FE8C8C5B8@kumari.net> <20120817001116.AA2D123ABFA7@drugs.dv.isc.org>
In-Reply-To: <20120817001116.AA2D123ABFA7@drugs.dv.isc.org>
Date: Fri, 17 Aug 2012 11:15:49 -0400
Message-ID: <000001cd7c8b$2fb8a1e0$8f29e5a0$@asgard.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGGlPLakFxZCTrqhE95LHJwbjJ3AQK/mXl8AqNTmP4CG5HaMANbc19el5UYViA=
Content-Language: en-us
Cc: 'Fernando Gont' <fgont@si6networks.com>, 'v6ops v6ops WG' <v6ops@ietf.org>, opsec@ietf.org
Subject: Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2012 15:15:52 -0000

> > > -       1.0 please avoid all discussion about NAPT being
=91minimal/simpl
> > e=92 security, the days of scanning are over and have been replaced by
> > malw are download/email propagated
> >
> > > This is demonstrably false, and I can send you logs of scanning
> > > attempts
> > foiled by NAPT.  NAT is crap security, but it=92s not zero security.
> >
> > Heretic!
> >
> > Actually, I'd go so far as to drop the "crap" from the above -- while
> > it is n't "real" security (whatever that means) it has become cool to
> > simply beat  on the NAT.
>
> But the problem is that people think they need "NAT" as opposed to a
"stateful firewall with
> default allow out all, block in all".
> NAPT effectively establishes the latter + munges with addresses and ports.
It's the state table
> not the address/port translation that stops scans.

That is true, but is not a flaw in the document.  
The offending text is:
Finally,
   some transition/co-existence mechanisms (notably Teredo) are designed
   to traverse Network Address Translators (NATs), which in many
   deployments provide a minimum level of protection by only allowing
   those instances of communication that have been initiated from the
   internal network.  Thus, these mechanisms might cause an internal
   host with otherwise limited IPv4 connectivity to become globally
   reachable over IPv6, therefore resulting in increased (and possibly
   unexpected) host exposure.  That is, the aforementioned technologies
   might inadvertently allow incoming IPv6 connections from the Internet
   to hosts behind the organizational firewall.

Would you be happy if it said:
   to traverse Network Address Translators (NATs), which, by keeping a
  state table and only allowing inbound packets to hosts which have
  established outbound communication, provides a minimum level of
protection. . . 

I don't think a more thorough discussion of the different risk profiles of
full
cone versus symmetric NAT, etc., is warranted here.  I absolutely agree that

networks should have a stateful firewall.  Would you say that a stateful
firewall is *even more important* now (with IPv6 ramping up) than it ever
was before?   

> Stateless NAT44 or NAT66 doesn't stop scans.

True.  How is that relevant to a discussion of how unintentional IPv6 may
affect
IPv4 networks?
 
> As for the secretary's desktop how many of them would be owned if LSR was
being used to
> scan 192.168/16 though the NAT box?

Fewer than if it were even easier.  Again, not really the point of the
document.

Lee


> 
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email