[ale] V6 question

Michael H. Warfield mhw at WittsEnd.com
Wed Feb 9 14:19:36 EST 2011


On Wed, 2011-02-09 at 13:43 -0500, Greg Freemyer wrote: 
> Richard,

> I gather Michael is saying the consumer box most users have is combo
> fireware / NAT device.

> And all the security comes from the firewall function, not the NAT function.

> Somewhere he said NATs do exist with zero firewall functionality and
> thus the outside world can get to anything on the inside.  I admit to
> never having seen one.

There are two types of such devices which we have seen deployed.  One is
totally static and one is a "true" NAT as oppose to a consumer NAT,
which is really a NATPT (Network Address Translation Port Translation).

The later is used in cases of n:m NATs where n > m.

Example I gave in another thread is a university out on the west coast
has a /16 public address space and uses the /8 10. space internally.
Everyone gets a 10. address when connecting, including the multitude of
mobile devices inside.  When someone authenticates to the ALG, it maps
public address to their private address in the NAT tables with all ports
option.  Straight NAT.  It's only mapping addresses.  It's not mapping
ports or is it firewalling any ports.  How far do you think those
private addresses get you there.

In other known cases, mergers between companies have left companies in
the situation where they must map addresses from the acquired company
into their address space.  In this case, they do a n:m NAT where n == m
and they do a static range map.  Like everything from 10.1.a.b gets
mapped to 10.250.a.b in a simple static NAT map.  Again, the mere fact
that you are translating addresses buys you nothing, security wise.

In the consumer grade NATPT device, the "NAT" that everyone is referring
to consists of two internal components.  The NAT mapping table and the
state engine that drives it.  If you replace the NAT mapping table with
a simple port filter controlled by the state engine, you do no NAT
mapping (1:1) and you have the exact same security as you do if you do
the NAT mapping.  The act of translating addresses purely in and of
itself buys you nothing.  It's the statefulness of the consumer grade
NAT devices that makes the act like a firewall whether or not the
"firewall" that is the marketing feature is enabled or not.  It's still
acting like a firewall and can be replaced by one.

> I assume a NAT like that has to have a public rout-able IP for every
> device on the other side of the NAT.

That's is one of my examples above of an n:m NAT where n == m.  You can
still have the other case n > m where you can do dynamic address NATing
without invoking port mapping or port filtering, as in the other case.
Both are deployed and in production at locations (albeit LARGE
locations) right now.  Both cases are NAT.  Everyone else is talking
about a more specific (even if it is numerically more common)
implementation while still using the the very generic term and that's
misleading.

> Greg

Mike

> On Wed, Feb 9, 2011 at 8:28 AM, Richard Bronosky <Richard at bronosky.com> wrote:
> > You may be correct, but if not for NAT windows users would have no security
> > at all.
> >
> > On Feb 5, 2011 12:47 PM, "Michael B. Trausch" <mike at trausch.us> wrote:
> >
> > On Sat, 2011-02-05 at 12:39 -0500, Mike Harrison wrote:
> >> It also keeps the outside world from conne...
> >
> > Everyone gather round.  Say it with me:
> >
> >                     NAT is not a security mechanism.
> >
> > Seriously.  I mean it.
> >
> >         Let me repeat that: NAT is not a security mechanism.
> >
> > It was intended to enable privately addressed networks to have limited
> > communication with hosts on the Internet.  It has the side effect of
> > using tables to figure out how to rewrite packets, but this does not
> > provide any security.  It does not.
> >
> >           One more time: NAT IS NOT A SECURITY MECHANISM.
> >
> > Or to put it another way:  NAT is as effective at providing security for
> > your network as groping at airports is for providing security there.
> > It's all a show; it's faux security that makes people feel better but
> > does not serve any real purpose.
> >
> > I've gone on about NAT recently in other threads here.  You can find
> > those, or you can read the post I wrote in my blog about NAT if you
> > want:
> >
> > http://mike.trausch.us/blog/2011/01/31/more-about-networking-part-2-nat/
> >
> >        --- Mike
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
> >
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
> >
> >
> 
> 
> 

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
Url : http://mail.ale.org/pipermail/ale/attachments/20110209/ebe75223/attachment.bin 


More information about the Ale mailing list