Michael H. Warfield
mhw at WittsEnd.com
Sat Jan 8 18:16:17 UTC 2011
On Sat, 2011-01-08 at 10:57 -0700, James McKenzie wrote:
> On 1/3/11 6:44 PM, Robert Nichols wrote:
> > On 01/03/2011 06:31 PM, Michael H. Warfield wrote:
> >> There is a widespread myth that NAT and the fact that you are on
> >> different addresses somehow bestows upon you some measure of security.
> >> As a leading security researcher, let me impress upon you that nothing
> >> could be further from the truth. You can derive security from the inherent
> >> statefulness of your common consumer grade NAT but there are other forms
> >> of NAT which do not convey this. Merely the fact that your addresses
> >> are mapped does not provide you with any protection. It's the state
> >> engine and the dynamic mapping that do this. But, SURPRISE, that's
> >> exactly what's in a stateful firewall. There is NO intrinsic advantage
> >> of NAT over a decent stateful firewall. None.
> >> IPv6 also has a number of security advantages over IPv4, not the least
> >> of which are "no broadcast address" and "virtually impossible to
> >> comprehensively brute force scan". That doesn't mean it can't be
> >> scanned (the scans have to be more targeted and intelligent),
> > ...
> > The problem that I see is that any system to which I have ever made a
> > connection now has a nice, routable IPv6 address back to the machine
> > that made the connection and can start probing that machine to see if
> > any vulnerable services might have been inadvertently left listening
> > on that interface. No problem if it's a well secured file server,
> > but it could also be an internet-aware HDTV or video recorder where
> > I have no control over the internal OS. Sounds like all traffic will
> > now have to have to be routed through an external IPv6 SPI firewall
> > appliance. You no doubt have one of those, but I certainly don't,
> > and I suspect one would cost a bit more than my $35 NAT router, plus
> > being a bit beyond the administrative abilities of the average home
> > user.
> You really have to look at the IP v6 spec. First, YOU HAVE to use
Oh lord WHY can we NOT make this myth go away?!?! The IPv6 spec does
NOT mandate the USE of IPsec. It only mandates the SUPPORT of IPsec.
To be IPv6 compliant you must support it. You do NOT have to use it.
The IETF has tried to be very clear on this and I've sat in on some of
the working groups discussing it. I've been on the global IPv6 network
over a decade now and not used IPsec on IPv6. I've used IPsec on
IPv4 (and I'm a code contributor to the Openswan project) to help
facilitate IPv6 tunnels over firewalls and broken (redundant) NAT
gateways. I can use IPsec on IPv6 and, if I use IKE2, I can even tunnel
IPv6 directly on IPv4 in ESP (with version 1 IKE you have to use SIT on
top of ESP in order to tunnel IPv6 on IPv4 through IPsec). But, I don't
need to so I don't. You don't have to use IPsec.
> So, this eliminates some of the major problems with IP v4.
Now, that's worthy of a philosophical debate. Many of the major
problems with IPv4 are NOT fixed with IPsec but are fixed by IPv6. One
example is the whole broadcast address fiasco.
> Second, blocks of addresses are going to be assigned like IP v4 today.
> You can block all of China if you want (or any other country/ISP/whatever).
> Third, it is way more secure than IP v4. It was designed that way.
On that, I will largely concur. The biggest, by far, security problems
with IPv6 are ignorance on the part of the IPv4 community (by which they
ignore IPv6 thinking it's not on their networks yet they can still be
attacked and compromised over IPv6) and importing of IPv4 mind-think
into the IPv6 arena. IPv6 is NOT just IPv4 with fat addresses. There
is a paradigm shift here. If you act like you did with IPv4 and assign
static addresses, 1, 2, 3, 4, 5, etc... you are giving up some of the
value and security inherent in IPv6. You make yourself vulnerable to
brute force scanning ala IPv4. Best practices in IPv4 are not
(necessarily) best practices in IPv6 and vice versa.
> NAT, by its nature, does not offer any of the above. It offers
> obscurity, but that has been overcome.
Absolutely agree. NAT - literally "Network Address Translation", the
concept not some specific implementation, does NOT convey any inherent
security that can not be derived from a non-translating stateful
firewall which does not introduce the same brokenness of NAT.
> James McKenzie
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
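As an added illustration of the point made in this thread (that the protection a consumer NAT gives comes from its state engine, not from the address mapping, and that other forms of NAT do not give it), here is a small Python model that is not part of the original messages. It models three devices on constructed sample addresses: a stateful firewall that does no translation, a masquerading NAT with a flow table, and a stateless one-to-one NAT. The class and function names (StatefulFilter, StaticNat, run_scenario, compare_devices) are assumptions of this example, not anything from the thread.

```python
"""Added example (not code from the original mailing-list thread): a small
model of packet filtering that shows where a consumer NAT's protection
actually comes from.  Three devices are modelled:

  * StatefulFilter(public=None)   - a non-translating stateful (SPI) firewall
  * StatefulFilter(public=addr)   - a stateful, port-translating NAT
  * StaticNat                     - a stateless one-to-one address mapping

All addresses, ports and hosts below are constructed sample values."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFilter:
    """Admits an inbound packet only if it matches a flow the inside initiated.
    With `public` set, outbound packets are also rewritten to that address
    (masquerading); without it, no translation happens at all."""

    def __init__(self, public: Optional[str] = None) -> None:
        self.public = public
        # key: (proto, remote addr, remote port, local addr/port as the outside sees them)
        self.table: Dict[Tuple[str, str, int, str, int], Tuple[str, int]] = {}
        self.next_port = 40000  # next translated source port to hand out

    def outbound(self, pkt: Packet) -> Packet:
        if self.public is None:
            ext_src, ext_port = pkt.src, pkt.sport
        else:
            ext_src, ext_port = self.public, self.next_port
            self.next_port += 1
        # record the flow so that only its replies are let back in
        self.table[(pkt.proto, pkt.dst, pkt.dport, ext_src, ext_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=ext_src, sport=ext_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.table.get((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if entry is None:
            return None  # no matching state: unsolicited, dropped
        in_addr, in_port = entry
        return replace(pkt, dst=in_addr, dport=in_port)


class StaticNat:
    """Stateless one-to-one mapping: rewrites addresses in both directions and
    keeps no flow table, so unsolicited inbound traffic is forwarded as-is."""

    def __init__(self, mapping: Dict[str, str]) -> None:
        self.in_to_out = dict(mapping)
        self.out_to_in = {v: k for k, v in mapping.items()}

    def outbound(self, pkt: Packet) -> Packet:
        return replace(pkt, src=self.in_to_out.get(pkt.src, pkt.src))

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        return replace(pkt, dst=self.out_to_in.get(pkt.dst, pkt.dst))


def run_scenario(device, inside_host: str, server: str) -> Dict[str, bool]:
    """The inside host connects to `server`; the server replies; then an
    unsolicited packet is sent to whatever address the server saw."""
    seen = device.outbound(Packet(inside_host, 51000, server, 443))
    reply = device.inbound(Packet(server, 443, seen.src, seen.sport))
    probe = device.inbound(Packet(server, 12345, seen.src, 22))
    return {
        "reply_delivered": reply is not None and reply.dst == inside_host,
        "probe_delivered": probe is not None and probe.dst == inside_host,
    }


def compare_devices() -> Dict[str, Dict[str, bool]]:
    """Same traffic through all three devices; documentation prefixes only."""
    v4_inside, v4_public, v4_server = "192.168.1.10", "198.51.100.7", "203.0.113.5"
    v6_inside, v6_server = "2001:db8:1::a3f2:9c4e:77b1:d5e", "2001:db8:ffff::53"
    return {
        "ipv4_nat": run_scenario(StatefulFilter(public=v4_public), v4_inside, v4_server),
        "ipv6_spi": run_scenario(StatefulFilter(), v6_inside, v6_server),
        "ipv4_static_nat": run_scenario(StaticNat({v4_inside: v4_public}), v4_inside, v4_server),
    }


if __name__ == "__main__":
    for name, result in compare_devices().items():
        print(f"{name:16} {result}")
```

Running it shows the masquerading NAT and the non-translating IPv6 firewall making identical decisions (reply admitted, unsolicited packet dropped), while the stateless one-to-one NAT, which does translate addresses, forwards the unsolicited packet straight to the inside host.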