[VOIPSEC] IPv6 and the demise (or not) of NAT (was Re: Interactive Connectivity Establishment (ICE))
dan_york at Mitel.com
Tue Nov 15 21:18:57 CST 2005
Dustin D. Trammell wrote:
> I think Dan may have been referring to the "security" of NAT not from a
> traffic policy/enforcement perspective, but from an attacker's
> reconnaissance perspective. <snip>
Yes, that was the point I was making... many IT security people whom I know do view NAT as a form of 'security through obscurity'. Yes, it's not all that much security, but as you (Dustin) noted, it's sort of like the old question/joke:

Q: If you and a friend are hiking and suddenly disturb a large, angry, hungry bear who turns and chases you, how fast do you have to run?

A: Just faster than your friend!

My point was that many IT security people view NAT as yet another layer in their defenses and will not easily give that up.

I do realize that point and the original question have somewhat been lost in the fascinating exchange that's been going on under this subject line, but I, for one, have enjoyed reading the exchange, even if I'm only getting a chance to do so now.
Regards,
Dan
--
Dan York, CISSP, Director of IP Technology, Office of the CTO
Mitel Corporation http://www.mitel.com/ dan_york at mitel.com
Ph: +1-613-592-2122 350 Legget Drive, Ottawa, ON, K2K 2W7 Canada
PGP key (F7E3C3B4) available for secure communication
"Dustin D. Trammell" <dtrammell at sipera.com>
11/14/2005 12:13 PM
To: Geoff Devine <gdevine at cedarpointcom.com>
cc: dan_york at Mitel.com, Voipsec at voipsa.org
Subject: Re: [VOIPSEC] IPv6 and the demise (or not) of NAT (was Re: Interactive
Connectivity Establishment (ICE))
On Mon, 2005-11-14 at 07:24 -0500, Geoff Devine wrote:
> The "security" you get with NAT on an edge router/firewall can equally
> be provided in IPv6 by a session border controller/firewall. It's just
> stateful message filtering policy. This function isn't going to go away
> and the state of the art in deep packet inspection and policy is only
> going to improve. In the enterprise space, you're always going to have a
> box on the edge to protect yourself. In the residential space, I think
> this function will migrate from the home router to the service provider
> for most subscribers as service providers start offering security features
> as product differentiation.
I think Dan may have been referring to the "security" of NAT not from a
traffic policy/enforcement perspective, but from an attacker's
reconnaissance perspective. By using RFC-1918 addressing internally,
it's difficult (however not impossible) to tell how many hosts are
hiding behind the NAT and what their potential addresses are. If an
organization is only using addressing assigned to them by a registrar,
whether it be IPv4 or IPv6, a quick look-up at the registrar will at
least get you all potential network addresses for the organization which
also yields a maximum number of potential internal targets. Using NAT
obscures that information. Yes, it's security through obscurity, but
occasionally that's all that differentiates you from your neighbor in
regards to which of you is the easier target. Many network security
folks prefer to not be the lower-hanging fruit (:
--
Dustin D. Trammell
Vulnerability Researcher
Sipera Systems Inc. http://www.sipera.com
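Editor's added example (not part of the thread above, and not code from either poster): a small Python script illustrating the reconnaissance argument Dustin makes. It (1) turns a set of publicly registered allocations into the "maximum number of potential targets" an attacker can derive from a registrar lookup, (2) shows why a NAT collapses many internal RFC 1918 hosts into one observable address, and (3) shows one way the "not impossible" part works: estimating the host count behind a NAT from the IP ID field, the classic technique described by Bellovin (2002), which the thread itself does not mention. The allocations, flows and IP ID samples are constructed for the example; the simple chain-matching heuristic assumes hosts with sequential, globally incremented IP IDs (many older stacks), ignores 16-bit wraparound, and will not work against stacks that randomize IP IDs.

```python
import ipaddress

# Constructed registrar-style allocations for a hypothetical organization.
# These are documentation prefixes (RFC 5737 / RFC 3849), not real assignments.
ORG_ALLOCATIONS = ["198.51.100.0/24", "203.0.113.0/25", "2001:db8:10::/48"]

# Constructed internal flows seen on the inside of a NAT: (RFC 1918 source, source port).
SAMPLE_FLOWS = [
    ("10.0.0.2", 40001),
    ("10.0.0.3", 40002),
    ("10.0.0.4", 40003),
    ("10.0.0.2", 40004),
    ("10.0.0.5", 40005),
]

# Constructed IP ID values observed from outside the NAT, all carrying the same
# public source address. Three hosts with sequential counters are interleaved.
SAMPLE_IPIDS = [1000, 25000, 1001, 40000, 25001, 1002, 40001, 25002, 1003]


def potential_targets(allocations):
    """Map each registered prefix to the number of addresses it contains.

    This is the upper bound on internal targets an attacker gets from the
    registrar alone when an organization uses only its assigned addressing.
    """
    return {a: ipaddress.ip_network(a).num_addresses for a in allocations}


def nat_outside_view(flows, public_ip):
    """Return (distinct internal hosts, distinct external addresses observed).

    Behind a NAT every internal host egresses as the single public address,
    so the outside observer sees exactly one source address.
    """
    internal_hosts = {src for src, _port in flows}
    external_hosts = {public_ip}
    return len(internal_hosts), len(external_hosts)


def estimate_hosts_by_ipid(ipids, max_gap=50):
    """Estimate hosts behind a NAT by grouping IP IDs into monotone chains.

    Each inferred host keeps its own counter; an observed ID is assigned to the
    chain whose last value is closest below it within max_gap, otherwise it
    starts a new chain. Assumes sequential IP IDs and no wraparound.
    """
    chains = []  # last IP ID seen for each inferred host
    for ipid in ipids:
        best = None
        for i, last in enumerate(chains):
            if last < ipid <= last + max_gap and (best is None or chains[best] < last):
                best = i
        if best is None:
            chains.append(ipid)
        else:
            chains[best] = ipid
    return len(chains)


if __name__ == "__main__":
    for prefix, count in potential_targets(ORG_ALLOCATIONS).items():
        print(f"{prefix}: {count} potential addresses")
    print("inside/outside host counts:", nat_outside_view(SAMPLE_FLOWS, "198.51.100.1"))
    print("hosts estimated from IP IDs:", estimate_hosts_by_ipid(SAMPLE_IPIDS))
```

The IPv6 prefix makes the other half of the thread's point visible: the registrar still bounds the address space, but a /48 holds 2^80 addresses, so the bound alone no longer gives an attacker a practical scan list, which is why the obscurity NAT provides matters less in IPv6 than the host-counting trick suggests.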