[IP] more on IPv6 Forum chief: the new Internet is ready for consumption
Begin forwarded message:
From: "Steven M. Bellovin" <smb@xxxxxxxxxxxxxxx>
Date: November 28, 2005 5:14:38 PM EST
To: dave@xxxxxxxxxx
Subject: Re: [IP] more on IPv6 Forum chief: the new Internet is ready
for consumption
I get rather tired of hearing this myth -- that NATs are a security
feature, and that IPv6 will be less secure than IPv4 if it doesn't have
NATs. It's flat-out not true.
When a packet is emitted from the "inside" of a NAT box, some state is
created, including source address and port number translation tables.
When a packet arrives from the outside, the state table is consulted.
If there is no state table entry, of the sort created by outgoing
packets, the inbound packet is dropped. If the entry exists, some
translations are done and the packet is forwarded.
Now, instead, consider a classic stateful packet filter. When a packet
is emitted from the "inside", some state is created. When a packet
arrives from the outside, the state table is consulted. If there is no
state table entry, of the sort created by outgoing packets, the inbound
packet is dropped. If the entry exists, the packet is forwarded.
In other words, the process and the security functionality is
identical. The *only* difference is whether or not the translations
are done. Evil packets still reach the gateway; security comes from
this box consulting a state table. The translations have nothing
whatsoever to do with it.
Whether or not v6 will create a too rich, unmanageable environment is a
separate issue. I agree that we need much better tools for managing
devices at scale, especially by naive users. I've stated, very
publicly, that improving systems administration is one of the most
important things we can do to improve security. I'm not at all
persuaded that giving up on networked devices is at all desireable.
The partial solution we have today is firewalls. I agree 100% that
firewalls are far from the best way to work; see, for example, slide 3
of http://www.cs.columbia.edu/~smb/talks/security-e2e.pdf, or
http://www.cs.columbia.edu/~smb/papers/distfw.html. But a NAT box is
*not* a firewall; it merely shares some attributes in common with one.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/