nanog mailing list archives
RE: Only 5x IPv4 /8 remaining at IANA
From: "Tony Hain" <alh-ietf () tndh net>
Date: Mon, 18 Oct 2010 09:47:29 -0700
Owen DeLong wrote:
> ... It's really unfortunate that most people don't understand the distinction. If they did, it would help them to realize that NAT doesn't actually do anything for security, it just helps with address conservation (although it has some limits there, as well).

Actually NAT does something for security, it decimates it. Any 'real' security system (physical, technology, ...) includes some form of audit trail. NAT explicitly breaks any form of audit trail, unless you are the one operating the header mangling device. Given that there is no limit to the number of NAT devices along a path, there can be no limit to the number of people operating them. This means there is no audit trail, and therefore NO SECURITY.

> IPv6 with SI is no less secure than IPv4 with SI+NAT. If you're worried about address and/or topological obfuscation, then, IPv6 offers you privacy addresses with rotating numbers. However, that's more a privacy issue than a security issue, unless you believe in the idea of security through obscurity which is pretty well proven false.

A different way to look at this is less about obscurity, and more about reducing your overall attack surface. A node using a temporal address is vulnerable while that address is live, but as soon as it is released that attack vector goes away. Attackers that harvest addresses through the variety of transactions that a node may conduct will have a limited period of time to try to exploit that. This is not to say that you don't want stateful controls, just that if something inside the stateful firewall has been compromised there will be a limited period of time to use the dated knowledge.

Tony
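As an added, defender-side illustration of the "limited period of time" point (not code from this thread or from any of its participants): a small Python parser for Linux `ip -6 addr show` output that reports, per global address, how long it stays reachable. Temporary (RFC 4941 style) addresses leave the attack surface when their valid lifetime expires; a deprecated temporary address is no longer used for new connections but still accepts inbound traffic until then, which is the window an attacker holding a harvested address actually has. The sample output below is constructed, and non-temporary addresses are assumed to be kept alive indefinitely by router advertisements.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `ip -6 addr show dev eth0` output; not captured from any real host.
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:a1b2:c3d4:e5f6:789a/64 scope global temporary dynamic
       valid_lft 604503sec preferred_lft 85503sec
    inet6 2001:db8:1:2:9f00:1:2:3/64 scope global temporary deprecated dynamic
       valid_lft 120000sec preferred_lft 0sec
    inet6 2001:db8:1:2:1234:56ff:fe78:9abc/64 scope global dynamic mngtmpaddr
       valid_lft 2591903sec preferred_lft 604703sec
    inet6 fe80::1234:56ff:fe78:9abc/64 scope link
       valid_lft forever preferred_lft forever
"""

@dataclass
class Addr:
    address: str
    scope: str
    temporary: bool
    deprecated: bool
    valid_lft: Optional[int] = None      # seconds remaining; None means "forever"
    preferred_lft: Optional[int] = None

_INET6 = re.compile(r"^\s*inet6\s+(\S+)/\d+\s+scope\s+(\S+)(.*)$")
_LFT = re.compile(r"valid_lft\s+(\S+)\s+preferred_lft\s+(\S+)")

def _secs(tok: str) -> Optional[int]:
    """'604503sec' -> 604503, 'forever' -> None."""
    return None if tok == "forever" else int(tok[:-3] if tok.endswith("sec") else tok)

def parse_ip6(text: str) -> List[Addr]:
    addrs: List[Addr] = []
    pending: Optional[Addr] = None
    for line in text.splitlines():
        m = _INET6.match(line)
        if m:  # address line: record address, scope and kernel flags
            flags = m.group(3).split()
            pending = Addr(m.group(1), m.group(2), "temporary" in flags, "deprecated" in flags)
            addrs.append(pending)
            continue
        m = _LFT.search(line)
        if m and pending:  # lifetime line belongs to the preceding address
            pending.valid_lft, pending.preferred_lft = _secs(m.group(1)), _secs(m.group(2))
            pending = None
    return addrs

def global_reachability(text: str) -> Dict[str, Optional[int]]:
    """Seconds each global address remains reachable (None = no bounded window).
    Deprecated temporaries still count until valid_lft, not preferred_lft, runs out."""
    return {a.address: (a.valid_lft if a.temporary else None)
            for a in parse_ip6(text) if a.scope == "global"}
```

Run `global_reachability(subprocess.check_output(["ip", "-6", "addr", "show"], text=True))` on a live host to see which of its addresses have a bounded exposure window and which are permanent.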