On Sat, 2011-01-08 at 10:57 -0700, James McKenzie wrote: > On 1/3/11 6:44 PM, Robert Nichols wrote: > > On 01/03/2011 06:31 PM, Michael H. Warfield wrote: > >> There is a wide spread myth that NAT and the fact that you are on > >> different addresses some how bestows upon you some measure of security. > >> As a leading security researcher, let me impress upon you that nothing > >> could be further from the truth. You can security from the inherent > >> statefulness of your common consumer grade NAT but there are other forms > >> of NAT which do not convey this. Merely the fact that your addresses > >> are mapped do not provide you with any protection. It's the state > >> engine and the dynamic mapping that do this. But, SURPRISE, that > >> exactly what's in a stateful firewall. There is NO intrinsic advantage > >> of NAT over a decent stateful firewall. None. > >> > >> IPv6 also has a number of security advantages over IPv4, not the least > >> of which are "no broadcast address" and "virtually impossible to > >> comprehensively brute force scan". That doesn't mean it can't be > >> scanned (the scans have to be more targeted and intelligent), > > ... > > > > The problem that I see is that any system to which I have ever made a > > connection now has a nice, routable IPv6 address back to the machine > > that made the connection and can start probing that machine to see if > > any vulnerable services might have been inadvertently left listening > > on that interface. No problem if it's a well secured file server, > > but it could also be an internet-aware HDTV or video recorder where > > I have no control over the internal OS. Sounds like all traffic will > > now have to have to be routed through an external IPv6 SPI firewall > > appliance. You no doubt have one of those, but I certainly don't, > > and I suspect one would cost a bit more than my $35 NAT router, plus > > being a bit beyond the administrative abilities of the average home > > user. > You really have to look at the IP v6 spec. First, YOU HAVE to use > ipsec. Oh lord WHY can we NOT make this myth go away?!?! The IPv6 spec does NOT mandate the USE of IPsec. It only mandates the SUPPORT of IPsec. To be IPv6 compliant you must support it. You do NOT have to use it. The IETF has tried to be very clear on this and I've sat in on some of the working groups discussing it. I've been on the global IPv6 network over over a decade now and not used IPsec on IPv6. I've used IPsec on IPv4 (and I'm a code contributer to the Openswan project) to help facilitate IPv6 tunnels over firewalls and broken (redundant) NAT gateways. I can use IPsec on IPv6 and, if I use IKE2, I can even tunnel IPv6 directly on IPv4 in ESP (with version 1 IKE you have to use SIT on top of ESP in order to tunnel IPv6 on IPv4 through IPsec). But, I don't need to so I don't. You don't have to use IPsec. > So, this eliminates some of the major problems with IP v4. Now, that's worthy of a philosophical debate. Many of the major problems with IPv4 are NOT fixed with IPsec but are fixed by IPv6. On example is the whole broadcast address fiasco. > Second, blocks of addresses are going to be assigned like IP v4 today. > You can block all of China if you want (or any other country/ISP/whatever). > Third, it is way more secure than IP v4. It was designed that way. On that, I will largely concur. The biggest, by far, security problems with IPv6 are ignorance on the part of the IPv4 community (by which they ignore IPv6 thinking it's not on their networks yet they can still be attacked and compromised over IPv6) and importing of IPv4 mind-think into the IPv6 arena. IPv6 is NOT just IPv4 with fat addresses. There is a paradigm shift here. If you act like you did with IPv4 and assign static addresses, 1, 2, 3, 4, 5, etc... you are giving up some of the value and security inherent in IPv6. You make yourself vulnerable to brute force scanning ala IPv4. Best practices in IPv4 are not (necessarily) best practices in IPv6 and vice versa. > NAT, by its nature, does not offer any of the above. It offers > obscurity, but that has been overcome. Absolutely agree. NAT - literally "Network Address Translation", the concept not some specific implementation, does NOT convey any inherent security that can not be derived from a non-translating stateful firewall which does not introduce the same brokenness of NAT. > James McKenzie > > -- > users mailing list > users@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe or change subscription options: > https://admin.fedoraproject.org/mailman/listinfo/users > Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines > -- Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@xxxxxxxxxxxx /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
Attachment:
signature.asc
Description: This is a digitally signed message part
-- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines