IETF Logo Mail Archive

Re: [v6ops] Thoughts about wider operational input

Joe Maimon <jmaimon@jmaimon.com> Wed, 30 March 2022 21:22 UTC

Return-Path: <jmaimon@jmaimon.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79A0C3A0F04 for <v6ops@ietfa.amsl.com>; Wed, 30 Mar 2022 14:22:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.91
X-Spam-Level:
X-Spam-Status: No, score=-6.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m3fVrAe5QeMD for <v6ops@ietfa.amsl.com>; Wed, 30 Mar 2022 14:22:47 -0700 (PDT)
Received: from smtp.chl.com (smtp.ttec.chl.com [216.222.148.102]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9A533A0EDB for <v6ops@ietf.org>; Wed, 30 Mar 2022 14:22:35 -0700 (PDT)
Received: from [216.222.150.100] (joe.jmaimon.com [216.222.150.100]) by smtp.chl.com (8.13.6/8.13.6) with ESMTP id 22ULMXH4022233; Wed, 30 Mar 2022 16:22:33 -0500
To: Simon <linux@thehobsons.co.uk>, v6ops list <v6ops@ietf.org>
References: <52661a3d-75dc-111a-3f23-09b10d7cb8d4@gmail.com> <A72CDDDB-CDCE-4EAF-B95E-997C764DB2C4@gmail.com> <9175dc32-45c1-e948-c20a-3bcc958b77b9@gmail.com> <YjmJQMNgnJoSInUw@Space.Net> <D75EF08F-6A41-41B2-AFB2-649CBCC1D83E@consulintel.es> <CAPt1N1nRnYUFA=yyJHx6t52yqWbmcd2Tf1H8gQuCZBd3Q3VqJw@mail.gmail.com> <7F4AEB43-4B24-4A21-AE9D-3EB512B98C46@consulintel.es> <8fac4314b8244ba6b33eea68694296d0@huawei.com> <9A13E47B-75D0-443F-9EE9-D2917ACB2D0F@consulintel.es> <CAO42Z2xUG+BXj+VQpajed9aGjH+q-HR7RX7C-T4DsTbouz7xWQ@mail.gmail.com> <F6A90BBF-7F44-403E-960A-8F756353B562@chinatelecom.cn> <725CE5E0-4820-4E70-88C7-DFCF5FC6ED22@thehobsons.co.uk>
From: Joe Maimon <jmaimon@jmaimon.com>
Message-ID: <6244CA19.7070701@jmaimon.com>
Date: Wed, 30 Mar 2022 17:22:33 -0400
User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:43.0) Gecko/20100101 Firefox/43.0 SeaMonkey/2.40
MIME-Version: 1.0
In-Reply-To: <725CE5E0-4820-4E70-88C7-DFCF5FC6ED22@thehobsons.co.uk>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/kvT6O7RKomhg8P7FnMXg0jUg4Zw>
Subject: Re: [v6ops] Thoughts about wider operational input
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2022 21:22:52 -0000


Simon wrote:
> On 30 Mar 2022, at 07:31, Chongfeng Xie <xiechf@chinatelecom.cn 
> <mailto:xiechf@chinatelecom.cn>> wrote:
>
>> Hi, Mark,
>> Some enterprises do not want to expose their real address in the 
>> network to the outside, so they will use NAT, whether nat44 or nat64 
>> or even nat66 in the future. Therefore, NAT may always exist with the 
>> needs of customers.
>>
>> The technology itself is not right or wrong. It is inappropriate to 
>> directly state whether a technology is good or bad, but whether the 
>> technology is appropriate for specific scenarios. You said there was 
>> a lot of issues with IPv6+NAT,under what scenario? What's are the 
>> issues ? Is it a stateless IPv6+NAT or a stateful IPv6+NAT?
>
> Any form of NAT breaks things<period> That’s the short answer.
>
> Longer answer, any protocol that embeds addresses in it gets broken - 
> e.g. during session setup one end tells the other, please contact me 
> at address X and port Y. That is quite common once you get past a 
> basic “open connection, squirt some data, close session”. Examples 
> that come immediately to mind :

In OSI speak thats a layering violation. An upper level protocol 
incorporates details and assumptions about lower layers as part of its 
operations. Unfortunately, TCP/IP and its application protocols are rife 
with them. Well more than one should expect were proper attention have 
been given to ensure that there was absolutely no equivalent proper way 
to do it.

Just because its common and convenient and usually works or can be made 
to work does not make it correct. Worse, sometimes its considered quite 
clever. PMTUD comes to mind.

<snip>
>
> They all involve developers, and support people, putting effort into 
> implementing the workaround code and support (e.g. adding the settings 
> to the config pages) and users waste effort getting them set up right. 
> All effort that could be better put to productive use rather than 
> fighting broken networks.

In theory, the protocols are broken. If they hadnt taken the easy way 
out, we would not have to work around so many of them.

<snip>
>
>
>
> NAT does no more than even the most basic packet-filter firewall can 
> do if set to a  default of “deny inbound, permit outbound”.

Correct. Which is a good thing. The point is that if turning off NAT 
means no internet communications, you can be fairly certain it will be 
on. No such assumption exist without NAT.

IPv4 NAPT comes a lot closer to secure by default than IPv6 with basic 
state aware packet filters.

> How many decades have all the relevant OSs supported at least a basic 
> packet filter ?

NAT was widespread well before state tracking packet filters were.

> What’s more, a basic packet filter needs less resources (no connection 
> tracking table) than a NAT gateway - a stateful firewall will need (I 
> think) a similar level of resources in terms of tracking connections 
> (perhaps a bit less as it doesn’t need to store two address/port pairs 
> for the inside end of each connection like a NAT gateway does).
>
>
> Simon
>
>
RAM is cheap. Lookup per packet is expensive.

It should be obvious that state-less packet filters are rarely useful or 
even used on the internet of today.

Thats because along with not keeping state, they also require you to do 
things like this if you want your users to browse the web.

access-list out permit any any tcp port 80
access-list in permit any tcp port 80 any port range 1025-65535

Not very convenient or secure.

I know when I can use them and its for situations where the traffic 
flows are extremely well and tightly defined.

Keeping state is what allows a packet filter to have meaningful security 
AND still allow practical bi-directional traffic.

And at that point its the same tracking code as the translation feature 
would need. Not having to munch and mangle bits is some amount of 
performance win, but thats not what you were describing.

State-less packet filters are not germain to an IPv6 vs NAT security 
discussion.

Joe
>
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email