nanog mailing list archives
Re: Rate of growth on IPv6 not fast enough?
From: Mark Andrews <marka () isc org>
Date: Wed, 21 Apr 2010 14:51:37 +1000
In message <FB17BC57-FAB3-45E1-886A-664A0FD42C9E () delong com>, Owen DeLong writes:
> On Apr 20, 2010, at 6:34 PM, Karl Auer wrote:
> > On Tue, 2010-04-20 at 12:59 -0700, Owen DeLong wrote:
> > > On Apr 20, 2010, at 12:31 PM, Roger Marquis wrote:
> > > > NAT _always_ fails-closed
> > > Stateful Inspection can be implemented fail-closed.
> > Not to take issue with either statement in particular, but I think there needs to be some consideration of what "fail" means.
> I believe we are talking about the case where some engineer fat-fingers a change and Roger's claim is that a stateful inspection without NAT box will permit unintended traffic while a NAT box will not. My claim is that the stateful inspection box can be implemented such that it has an equally secure set of failure modes for fat-fingering to a NAT+stateful inspection device.

Especially when the NAT/Router has an enable/disable NAT checkbox.

> > Reading through the security alerts from any vendor is a pretty sobering process - stuff fails open more often than you might expect.
> Yep.
> > So I think we should be very cautious about saying that things "fail open" or "fail closed".
> My point is not that they do or do not fail closed, but, that a well designed SI firewall will fail with the exact same security risks as a NAT device.
> > We should be especially cautious about it when the functionality we are interested in is really no more than a happy side effect of some other functionality. NAT's "security", to the extent that it exists at all, is a side effect of what it is intended to do, which is translate and map addresses.
> IOW, All of NAT's security comes from the fact that it requires a state table, like stateful inspection.
>
> Owen
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
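As an added illustration of the point argued above, that a NAT box and a stateful-inspection firewall both get their "fail closed" behaviour from the same state table (example ruleset written for this archive page, not posted by anyone in the thread): an nftables configuration where the fail-closed part is the conntrack filter chain, and the NAT table is addressing only. Interface names lan0 and wan0 are assumptions.

```nft
# Added example, not from the thread. Interface names lan0/wan0 are assumed.
# The NAT table only rewrites addresses; it filters nothing. What actually
# fails closed is the forward chain: "policy drop" plus a conntrack match,
# i.e. the same state table a NAT box depends on.

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;   # fail-closed default
        ct state established,related accept                      # replies to flows already in the state table
        iifname "lan0" oifname "wan0" ct state new accept        # inside hosts may open new flows
        # Nothing else: an unsolicited inbound packet has no state entry and hits "policy drop".
    }
}

# Optional NAT. Removing or disabling this table (the "NAT checkbox") changes
# addressing only; the forward chain above still rejects unsolicited inbound.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}

# The fat-finger variant: with "policy accept" the box forwards whatever
# reaches it with a routable destination, with or without NAT in front.
#   chain forward {
#       type filter hook forward priority filter; policy accept;   # fails open
#       ct state established,related accept
#   }
```

Load with `nft -f` and compare `nft list ruleset` before and after a change: a forward chain whose policy is not `drop` is the setting to look for, not the presence or absence of the nat table.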