nanog mailing list archives
Re: [arin-announce] IPv4 Address Space (fwd)
From: Scott McGrath <mcgrath () fas harvard edu>
Date: Wed, 29 Oct 2003 15:53:35 -0500 (EST)
Life would be much simpler without NAT; however, there are non-computer
devices which use the internet to get updates for their firmware that most
of us would prefer not to be globally reachable due to the human error
factor, i.e. "Oops, forgot a rule to protect X".
The radar on your cruise ship uses an IP network to communicate with the
chartplotter, GPS and depthsounder. Do you really want _this_ gear globally
reachable via the internet? Remember, if it's globally reachable it is
subject to compromise.
A good example of this is building control systems which get firmware
updates via FTP!!!! from their maker. Usually there is no manual system
for updating them offline and allowing them to be disconnected from the
internet as in my opinion they _should_ be.
NAT is not security; just look at what you can do with sFlow to identify
machines behind a NAT. NAT is useful for machines which need to
periodically make a connection to perform some function involving the
network.
This class of devices should not have a globally routable address,
because in many cases security on them is less than an afterthought (short
fixed passwords, no support for secure protocols, etc.).
The other case as pointed out by another poster is overlapping networks
which need NAT until a renumbering can be accomplished.
Scott C. McGrath
On Wed, 29 Oct 2003, Miquel van Smoorenburg wrote:
In article <cistron.Pine.LNX.4.44.0310291228200.29539-100000 () login1 fas harvard edu>, Scott McGrath <mcgrath () fas harvard edu> wrote:
> And sometimes you use NAT because you really do not want the NAT'ed device to be globally addressable but it needs to have a link to the outside to download updates. Instrument controllers et al.

I don't understand. What is the difference between a /24 internal NATted network, and a /64 internal IPv6 network that is firewalled off: only packets to the outside allowed, and packets destined for the inside need to have a traffic flow associated with them. As I see it, NAT is just a stateful firewall of sorts. A broken one, so why not use a non-broken solution? We can only hope that IPv6 capable CPE devices have that sort of stateful firewalling turned on by default. Or start educating the vendors of these el-cheapo CPE devices so that they will all have that kind of firewalling enabled before IPv6 becomes mainstream.

Mike.
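The policy Miquel describes, a globally addressable /64 where only inside-initiated flows and their replies are passed, modelled as an added example written for this page rather than code from the thread; the addresses (2001:db8 documentation space), port numbers and the `StatefulFilter` class are constructed assumptions:

```python
# Added example (not from the thread): a minimal model of stateful filtering
# on a globally routed IPv6 /64, showing that the flow table, not address
# translation, is what keeps unsolicited inbound traffic off the devices.
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("2001:db8:1::/64")   # constructed internal /64

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

def is_inside(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INSIDE

class StatefulFilter:
    """Accept outbound flows and their replies; drop unsolicited inbound."""
    def __init__(self) -> None:
        self.flows: set = set()   # 5-tuples of flows opened from the inside

    def verdict(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            self.flows.add(key)            # remember the outbound flow
            return "accept"
        if not is_inside(pkt.src) and is_inside(pkt.dst):
            # inbound is accepted only as the reverse of a known flow
            return "accept" if reverse in self.flows else "drop"
        return "accept"                    # traffic not crossing the border

def run(packets):
    fw = StatefulFilter()
    return [fw.verdict(p) for p in packets]

# Constructed traffic: an instrument controller fetches firmware over FTP,
# then two unsolicited inbound attempts arrive at its global address.
CONTROLLER, UPDATE_SERVER, STRANGER = "2001:db8:1::10", "2001:db8:ffff::1", "2001:db8:bad::7"
SAMPLE = [
    Packet(CONTROLLER, 49152, UPDATE_SERVER, 21),   # outbound control connection
    Packet(UPDATE_SERVER, 21, CONTROLLER, 49152),   # server's reply: matches flow
    Packet(STRANGER, 40000, CONTROLLER, 21),        # unsolicited: no flow
    Packet(UPDATE_SERVER, 20, CONTROLLER, 22),      # known peer, but a new flow
]
```

The model tracks 5-tuples only, with no flow expiry or TCP state checks, both of which a real CPE firewall needs.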