[ale] V6 question

Michael H. Warfield mhw at WittsEnd.com
Sat Feb 5 15:43:09 EST 2011


On Sat, 2011-02-05 at 15:10 -0500, Mike Harrison wrote: 
> On Sat, 5 Feb 2011, Michael B. Trausch wrote:
> 
> > On Sat, 2011-02-05 at 12:39 -0500, Mike Harrison wrote:
> >> It also keeps the outside world from connecting to the inside (behind
> >> firewall) world. What functions that way in your above scenario,
> >> firewall rules?
> >
> > Everyone gather round.  Say it with me:
> >
> >                     NAT is not a security mechanism.
> 
> I know that.. I've NAT'd some very large networks with full mapping from 
> Network A IP's to Network B ip's.. All public IP's. I built ASN-3901, and 
> help build several other ISP's. Renumbering was a specialty of mine for a 
> while. I don't do much networking anymore.. I'm rusty and haven't followed 
> the IPv6 trends since 2003 when I cared deeply about such things.

> In the common everyday small office or home, NAT is PART
> of the overall strategy of network configuration.
> You made a startling (to me) declaration that NAT is essentially DEAD in 
> IPv6 and we would run public IP's into our home and office network.

NAT is dead in IPv6.  We will run public IP addresses.  But now we have
to call a spade a spade here.  Now it will be your router and your
firewall on the router that will be providing the filtering mechanism.
That's what it really was all along; we just falsely told people it was
because they were on private addresses, not that it was because the NAT
device behaves like a firewall.

Just because you're on private address space doesn't mean you're
magically "protected".  Take a look at the STUN protocol sometime.
Simple Translation of UDP over NAT.  It's used by some SIP
implementations for direct peer-to-peer VoIP where both devices are
behind NAT.  There's even a version of STUN that works without the
presence of ANY STUN server in the outside world, and yet can allow two
machines to contact and talk to each other behind NATs (think about
that.  The trick is that it uses spoofed ICMP packets and ICMP error
returns to replace the outside STUN server).  For the record, STUN works
just as well against stateful firewalls too and bypasses them without
batting an eye.

> What replaces the common current practice of a private address space
> (192.168.x.x typically) being used internally for business and home use?
> Surely we don't run it all wide open and public.. or at least, I won't be.

Two totally orthogonal issues.

Private address space still exists.  That's called site-local.  But it
will not be NATed.  You'll also have globals.  Your v6 router and
firewall is what provides you with your security.  You've just been
calling it by the wrong name all this time.

> Even so, I still treat my internal home and office network as hostile.
> Old habits die hard.

That's fine.  Just understand that you are no more secure on private
address space than you are on global v6 addresses behind a firewall.

Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
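The filtering Michael describes, written out as an added example (not part of the original post or any ALE member's configuration): an nftables ruleset for a small v6 router that hands out global addresses and does no NAT. It reproduces the one property people credited to NAT, that the Internet cannot open connections to inside hosts unless the inside initiated them, as an explicit stateful policy, and it permits the ICMPv6 types that IPv6 needs for Neighbor Discovery and path MTU discovery, which a NAT-era "block all ICMP" habit would break. The interface names wan0 and lan0 and the 2001:db8:: address are placeholders.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original thread. Assumes the upstream
# interface is wan0 and the inside LAN is lan0 (both placeholder names).
flush ruleset

table inet filter {
    chain input {
        # Traffic addressed to the router itself: deny unless listed
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state invalid drop
        # Replies to conversations the router started
        ct state established,related accept

        # ICMPv6 the router must see: error reports, echo, and Neighbor
        # Discovery (RS/RA/NS/NA) from both the ISP and the LAN
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem, echo-request,
                      nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept

        # DHCPv6 replies to the router's own prefix-delegation client;
        # needed explicitly because the reply does not match the
        # multicast solicit in conntrack
        iifname "wan0" udp dport 546 accept

        # Management of the router from the LAN only
        iifname "lan0" tcp dport 22 accept
    }

    chain forward {
        # Traffic passing between LAN and Internet: deny unless listed
        type filter hook forward priority 0; policy drop;

        ct state invalid drop
        # Return traffic for connections inside hosts initiated;
        # this is the behaviour NAT was credited with
        ct state established,related accept

        # Inside hosts may initiate anything toward the Internet
        iifname "lan0" oifname "wan0" accept

        # Unsolicited inbound: only the ICMPv6 hosts need for PMTUD and
        # reachability; everything else hits the drop policy
        iifname "wan0" oifname "lan0" icmpv6 type { destination-unreachable,
                      packet-too-big, time-exceeded, parameter-problem,
                      echo-request } accept

        # A deliberate exception: one inside server reachable on HTTPS at
        # its global address (placeholder from the documentation prefix)
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1234:1::443 tcp dport 443 accept
    }

    chain output {
        # The router's own outbound traffic is unrestricted
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` and check with `nft list ruleset`. Nothing in the policy depends on whether the inside hosts carry global or site-local addresses; the `policy drop` on the forward chain plus the `established,related` rule is the whole protection, exactly as it was behind a NAT box. It also has the property the post mentions for STUN: an outbound UDP packet from an inside host creates the conntrack state that lets the peer's reply in, so a stateful filter does not stop NAT-traversal style protocols any more than NAT did.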