nanog mailing list archives
Re: IPv6 uptake (was: The Reg does 240/4)
From: Owen DeLong via NANOG <nanog () nanog org>
Date: Sat, 17 Feb 2024 10:34:59 -0800
Bill, same scenario, but instead of fat fingering an outbound rule, you fat finger a port map for inbound connections to a different host and get the destination address wrong. Still hacked. NAT doesn’t prevent fat fingers from getting you hacked, it just changes the nature of the required fat fingering. Care to talk about trying to track down a compromised host through the audit trail given an abuse report that doesn’t include the source port number? (Oracle even one that happens to include it)? Owen
On Feb 16, 2024, at 17:05, William Herrin <bill () herrin us> wrote: On Fri, Feb 16, 2024 at 3:13 PM Michael Thomas <mike () mtcc com> wrote:If you know which subnets need to be NAT'd don't you also know which ones shouldn't exposed to incoming connections (or conversely, which should be permitted)? It seems to me that all you're doing is moving around where that knowledge is stored? Ie, DHCP so it can give it private address rather than at the firewall knowing which subnets not to allow access? Yes, DHCP can be easily configured to make everything private, but DHCP for static reachable addresses is pretty handy too.Hi Mike, Suppose I have a firewall at 2602:815:6000::1 with an internal network of 2602:815:6001::/64. Inside the network on 2602:815:6001::4 I have a switch that accepts telnet connections with a user/password of admin/admin. On the firewall, I program it to disallow all Internet packets to 2602:815:6001::/64 that are not part of an established connection. Someone tries to telnet to 2602:815:6001::4. What happens? Blocked. Now, I make a mistake on my firewall. I insert a rule intended to allow packets outbound from 2602:815:6001::4 but I fat-finger it and so it allows them inbound to that address instead. Someone tries to telnet to 2602:815:6001::4. What happens? Hacked. Now suppose I have a firewall at 199.33.225.1 with an internal network of 192.168.55.0/24. Inside the network on 192.168.55.4 I have a switch that accepts telnet connections with a user/password of admin/admin. On the firewall, I program it to do NAT translation from 192.168.55.0/24 to 199.33.225.1 when sending packets outbound, which also has the effect of disallowing inbound packets to 192.168.55.0/24 which are not part of an established connection. Someone tries to telnet to 192.168.55.4. What happens? The packet never even reaches my firewall because that IP address doesn't go anywhere on the Internet. Now I make a mistake on my firewall. I insert a rule intended to allow packets outbound from 192.168.55.4 but I fat-finger it and so it allows them inbound to that address instead. Someone tries to telnet to 192.168.55.4. What happens? The packet STILL doesn't reach my firewall because that IP address doesn't go anywhere on the Internet. See the difference? Accessible versus accessible and addressable. Not addressable enhances security. Regards, Bill Herrin -- William Herrin bill () herrin us https://bill.herrin.us/
Current thread:
- Re: IPv6 uptake (was: The Reg does 240/4), (continued)
- Re: IPv6 uptake (was: The Reg does 240/4) John R. Levine (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) Ryan Hamel (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) Justin Streiner (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) Owen DeLong via NANOG (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) Steven Sommars (Feb 18)
- Re: IPv6 uptake Stephen Satchell (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) Tom Beecher (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) Owen DeLong via NANOG (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) Owen DeLong via NANOG (Feb 17)
- RE: IPv6 uptake (was: The Reg does 240/4) Howard, Lee via NANOG (Feb 19)
- Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 19)
- Re: IPv6 uptake (was: The Reg does 240/4) Jay R. Ashworth (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) Owen DeLong via NANOG (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) Matthew Walster via NANOG (Feb 18)
- Re: IPv6 uptake (was: The Reg does 240/4) Daniel Marks via NANOG (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) Owen DeLong via NANOG (Feb 17)
- Re: IPv6 uptake Michael Thomas (Feb 17)
- Re: IPv6 uptake Mike Hammett (Feb 19)
- Re: IPv6 uptake William Herrin (Feb 19)