Re: [v6ops] Thoughts about wider operational input

[JORDI PALET MARTINEZ <jordi.palet@consulintel.es>]

What I'm saying is that if you don't have a NAT you will need to ensure that the CPE has a firewall and it is enabled by default. It is not only in the interest of the subscriber, but also the ISP, to avoid calls to the help desk, or abuse cases, etc., etc.

Regads,
Jordi
@jordipalet
 
 

El 30/3/22, 22:17, "Joe Maimon" <jmaimon@jmaimon.com> escribió:



    JORDI PALET MARTINEZ wrote:
    > Because if you don't have NAT, you are forced to properly configure a firewall.

    That is backwards.

    NAT requires state management to operate. What exactly is forcing the 
    existence of a firewall, let alone its proper configuration?

    NAT is an operational requirement. You have it because without it 
    something does not work the way you want it to.

    Firewalls are a security requirement. You implement them because without 
    it something you do not want to work might or even probably will.

    Take car insurance as an example. Even where not legally mandated 
    (anywhere?) its an obvious practical necessity. Yet, uninsured drivers 
    and cars abound on the road. Because lack of insurance doesnt interfere 
    with the ability to operate the vehicle. Its not an operational requirement.

    Operational requirements meet my definition of "force". Security 
    requirements, decidedly less so as has been painfully and universally 
    obvious for decades. Or should be.

    As far as the proper configuration of one? Proving your NAT is 
    sufficiently properly configured. Easy. The firewall? Impractical to 
    impossible, its a negative theorum.

    Restated correctly: Without NAT, you must choose to implement a firewall 
    for it to exist. Perhaps properly. Likely not. Fixed that for you.

    Or:

    Because if you don't have NAT, unless you choose to properly configure a 
    firewall, you will not have one either, properly configured or otherwise.

    >
    > With a NAT, many don't even have a firewall or is not sufficiently well configured.

    Please explain how removing the near universal existence of NAT improves 
    this situation. Do you somehow believe that there will be the equivalent 
    or even greater number of deployments and users who actively choose to 
    deploy firewalling as a result of the global routability of their 
    addressing and the lack of NAT, and that now having made that choice it 
    will as matter of course be followed by the choice to do so in the 
    utmost correct, stringent and sufficient fashion? Farcical.

    At least with the existence of NAT there also exists some level of state 
    management and unsolicited incoming traffic constraints from reaching 
    the internal network nodes. By default, by dint of them being 
    operationally on the internet.

    Joe


    >
    > Regards,
    > Jordi
    > @jordipalet
    >   
    >   
    >
    > El 30/3/22, 17:58, "v6ops en nombre de Joe Maimon" <v6ops-bounces@ietf.org en nombre de jmaimon@jmaimon.com> escribió:
    >
    >
    >
    >      JORDI PALET MARTINEZ wrote:
    >      >
    >      > To demonstrate how NAT is not security, you just need to enable Teredo
    >      > or any other UDP tunneling traversing the NAT, so the security guys
    >      > can see that without any special config in the NAT, you can dig a
    >      > whole on it (Teredo Navalis = Shipworm).
    >      >
    >      > Regards,
    >      >
    >      > Jordi
    >      >
    >      > @jordipalet
    >      >
    >
    >      And then you need to demonstrate how the equivalent would not happen on
    >      IPv6.
    >
    >      Joe
    >
    >      _______________________________________________
    >      v6ops mailing list
    >      v6ops@ietf.org
    >      https://www.ietf.org/mailman/listinfo/v6ops
    >
    >
    >
    > **********************************************
    > IPv4 is over
    > Are you ready for the new Internet ?
    > http://www.theipv6company.com
    > The IPv6 Company
    >
    > This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
    >
    >
    >
    > _______________________________________________
    > v6ops mailing list
    > v6ops@ietf.org
    > https://www.ietf.org/mailman/listinfo/v6ops
    >
    >




**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.