Jonny Martin wrote:
On 17/02/2007, at 10:52 AM, Stuart MacIntosh wrote:
NAT, if my memory serves me right, is not a security mechanism - that is a by-product of its main goal of preventing the exhaustion of the v4 address space. IMHO (and flame me for this off-list if you want) NAT should not be used as protection - that is something Windows/Microsoft jumped on because the services on the OS were vulnerable, i.e. it introduced security without the devs doing much more work.
Correct, but it is a mighty handy side effect of NAT. It's another layer of security that is better than nothing. I would hazard a guess that for the majority (i.e. residential broadband customers), nothing is the alternative.

I agree, the security benefits are welcome. In my IPv6 network mr. router applies security in much the same way as a NAT-IPv4 router does.
IPv6 is going to give us true global end-to-end and you guys are talking about not using that??
Not quite, we're indirectly asking the question of whether IPv6 is in fact the best 'next step' for internet users.
My mother doesn't care about end-to-end connectivity. In fact neither does anyone else in my family. However they do care about being able to 'use the internet' - which is not predicated on end-to-end connectivity.

I think global end-to-end is the only way forward, it's either that or messy IPv4&NAT networks. And since OSes have had it far too easy thanks to NAT, security in IPv6 still needs to be applied at the router level.

The IPv4 NAT/firewalling idiom can be implemented at the router level in v6 easily. I can't say I have much experience with netsh or IOS, but in Netfilter/iptables we just add rules to the FORWARD table with ip6tables. Something a lot of people don't notice is that side-by-side, IPv6 is simpler than IPv4 and NAT.
Cheers, Jonny.
Cheers Jonny, I appreciate your feedback.

--
Stuart MacIntosh
IT Consultancy & Technical Services
Phone: +64 21 2259576
Email: stuart(a)linuxsecurity.co.nz
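As an added example (not from the thread or either author), this is the kind of ip6tables ruleset the message above refers to: rules in the FORWARD chain of a Linux router that give a LAN the behaviour a NAT-IPv4 router provides implicitly, i.e. inbound traffic is only forwarded when it belongs to a flow the inside opened, with no address translation involved. The interface names are assumptions, and setting IP6T=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds a default-deny
# FORWARD policy on a Linux IPv6 router with ip6tables. Interface names
# (e.g. eth1 = LAN, eth0 = upstream) are assumptions passed as arguments.
# Set IP6T=echo to dry-run and print the rules instead of applying them.
IP6T="${IP6T:-ip6tables}"

ip6_nat_like_forward() {
    lan="$1"   # interface facing the internal network (assumed name)
    wan="$2"   # interface facing the upstream/Internet (assumed name)

    # Default deny for all forwarded traffic; everything below is an exception.
    "$IP6T" -P FORWARD DROP
    "$IP6T" -F FORWARD

    # Replies to flows the inside already opened: the part NAT gave for free.
    "$IP6T" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Anything internal hosts initiate towards the outside is allowed through.
    "$IP6T" -A FORWARD -i "$lan" -o "$wan" -m conntrack --ctstate NEW -j ACCEPT

    # Unlike IPv4-with-NAT, ICMPv6 must not be blanket-dropped: Packet Too Big
    # is required for path MTU discovery, and the error types below are the
    # ones RFC 4890 recommends a firewall lets through to the inside.
    for t in destination-unreachable packet-too-big time-exceeded \
             parameter-problem echo-request echo-reply; do
        "$IP6T" -A FORWARD -i "$wan" -o "$lan" -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done

    # Rate-limited log of what the DROP policy is about to discard, so the
    # router's decisions can be audited later.
    "$IP6T" -A FORWARD -i "$wan" -o "$lan" -m limit --limit 5/min \
        -j LOG --log-prefix "ip6-fwd-drop: "
}

# Usage on the router itself (requires root): ip6_nat_like_forward eth1 eth0
```

The `-m conntrack` matches need the IPv6 connection-tracking modules loaded; on a kernel without them the rule insertions fail rather than silently allowing traffic.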