
Re: Does IPv6 preclude use of a NAT gateway?



On 20110712_121304, Scott Ferguson wrote:
> On 12/07/11 07:58, Paul E Condon wrote:
> > On 20110710_225108, Erwan David wrote:
> >> On 10/07/11 20:34, Randy Kramer wrote:
> >>> 
> >>>> Also, ipv6 firewalling is very annoying on the gateway (due to
> >>>>  the icmpv6 filtering which must be done right).  When 
> >>>> possible, get a script that does most of it right for you (or 
> >>>> check RFC 4890).
> >>> 
> >>> Sounds like good advice.
> >>> 
> >>> Randy Kramer
> >>> 
> >> 
> >> shorewall6 is quite good at setting the rules for IPv6.
> > 
> > I am puzzled by this discussion. Without going into any features of 
> > IPv6, the reason NAT works for IPv4 that I have been taught is the 
> > 192.168.xxx.xxx are illegal on the actual internet.
> 
> Correction (pedantic semantics), not *illegal*, just not supposed to be
> used in Class A environments (because it won't work). You *will* find
> class C addresses used on internet exposed boxen - you just won't be
> able to load the links (DNS doesn't cope with duplicate IP entries).
> 
> > No router is supposed to do anything but drop them. And your NAT box
> >  acts as a proper internet router on the side that is connected to 
> > the internet. So anyone on the outside cannot send messages to your 
> > hosts on the inside because any messages will be dropped long before 
> > they get near a box on the inside. It is not NAT, by itself, that 
> > offers protection, but NAT with the sure knowledge that packets on 
> > the inside are always illegal addresses in the outside. (Proper 
> > internet legal address packets ARE legal on the inside. That is how 
> > packets requesting web pages from a web site get from your host to 
> > your router/NAT.)
> 
> An "alternative" explanation is that NAT makes addresses available that
> DNS can't resolve. eg, many boxen behind IPV4 routers have an IP address
> of 192.168.x.x (Class C) - but their modem has a class A address that is
> listed with DNSs.
> Think of it as envelopes and letters - your boxen writes a letter to
> Google asking for search results, puts it in an envelope addressed to
> Google with your boxen's (Class B or C) IP address as the sender - then
> sends the envelope to your router. Your router (even if there's only a
> single "route") removes your letter from the envelope, pins the envelope
> to its "don't forget" corkboard, and puts the original letter into a
> new envelope addressed to Google, but with its (the router's modem's)
> Class A address as the sender. That's one side of NAT, and nothing to do
> with firewalling.
> (to simplify I've left out a few details and "router" just means an
> abstracted entity that does NAT for you)
> Google gets the "envelope", opens it, reads the letter, and writes a
> reply - the reply is inserted into a new envelope addressed to your
> router - and sends it off. (note, I'm not treating your modem and router
> as one for simplicity - and not even trying to explain UMTS).
> Your router reverses the sending process to send your boxen Google's
> reply (your requested search results).
> 
> Your firewall determines what packets from either direction are allowed
> through. NAT only provides the protection of turning off the lights to
> stop burglars - poor analogy, but my point is that there are many ways
> of seeing in the dark house without using your light (where light is
> externally exposed IP addresses).
> 
> > 
> > Is there something wrong, or incorrect, about this?
> > 
> > 
> 
> A little - if your firewall is not enabled properly then NAT won't stop
> outside packets from machines behind it (sic). It just requires a little
> "bumping around in the dark" or "an inside man with a secret beacon".
> One of the reasons people believe NAT *is* protection is a less than
> full understanding of how it works coupled with the "nothing's happened
> to me, yet" belief. The latter is like declaring you don't have cancer,
> or the bloke who jumps off the 10 storey building - heard declaring "so
> far so good" while passing the 4th floor ;-p       i.e. penetration of a
> NAT addressed network from the internet does happen - it's just not
> simple - for the most part it requires "one-stroke" attacks to succeed.
> 
> Apropos of little - it's the sort of "non-thinking" that inspires people
> to believe that hiding hacksaws and boltcutters makes Kensington ==
> security (a bit of paper will open them)
> 
> NOTE: IP addresses are not the only way to address a particular machine
> from a network...
> 
> Apologies for the lack of succinctness - hope your answer is somewhere
> amongst all those words.
> 
> Cheers

Thanks Scott, especially for being loquacious enough to drill small holes
in my mental shell. I'm beginning to realize that what I have thought of
as "NAT" is actually real NAT plus whatever else is implemented in the 
box I bought at BestBuy, which was marketed by Netgear, and designed by
some people whose identity is totally unknown to me. 

It seems to me that it is entirely possible to design a box like the
one I bought that includes all the features/functions needed for good
security in a small home or office. Possible to design by a competent
person, but not by me. So, it might be that my Netgear box provides me
a reasonable level of security for the computers in my home. 

It is also possible that my box is a real piece of junk. And it is
possible that my box is adequate for me, but is a real piece of junk
when judged by the standards of industrial grade hardware for the 
backbone of the Internet. So, can you give some mildly loquacious
advice about how I might go about discovering whether my Netgear box
really meets my security needs? I have no intention of becoming a
networking security guru. I know (at least some of) my limitations.
 
In summary, I think OP made the innocent error that I have been making
of over-generalizing about NAT. Is there a mix of features and
technologies that is generally accepted as adequate for security of a
small office, or home? And is this mix sold as a single package
through retail channels? And how can I know a good one from a bad one?

Apologies to OP for hijacking his thread about IPv6. I hope he also
finds your answers useful.

-- 
Paul E Condon           
pecondon@mesanetworks.net
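The following is an added illustration of the point argued in the thread above (NAT's "envelope and corkboard" rewriting is not by itself a firewall). It is not code from the thread or from any router product; it is a deliberately simplified Python model, and every address, port and host name in it is a constructed sample value. It models two gateways: a plain "full-cone" NAT that forwards anything arriving on a mapped public port, and the same NAT with the stateful check a firewall performs, accepting a mapped port only from the remote endpoint the inside host actually contacted.

```python
"""Toy model of NAT with and without a stateful filter in front of it.

Added illustration, not code from the thread or from any router product.
All addresses and ports are constructed sample values (RFC 5737 test nets).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The envelope: sender (src:sport) and recipient (dst:dport)."""
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """Source NAT with a translation table (the 'don't forget' corkboard).

    strict=False models a plain full-cone NAT: any outside host that sends to
    a mapped public port reaches the inside host behind it.
    strict=True adds the stateful check a firewall does: a mapped port only
    accepts packets from the remote endpoint the inside host talked to.
    """

    def __init__(self, public_ip: str, strict: bool) -> None:
        self.public_ip = public_ip
        self.strict = strict
        # public port -> (inside ip, inside port, remote ip, remote port)
        self.table: Dict[int, Tuple[str, int, str, int]] = {}
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: pin the original envelope to the corkboard and
        send a new one with the gateway's public address as the sender."""
        port = self.next_port
        self.next_port += 1
        self.table[port] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(self.public_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: the packet as delivered to the inside host,
        or None if the gateway drops it."""
        if pkt.dst != self.public_ip:
            return None                      # not addressed to this gateway
        entry = self.table.get(pkt.dport)
        if entry is None:
            return None                      # no pinned envelope: nowhere to forward
        inside_ip, inside_port, remote_ip, remote_port = entry
        if self.strict and (pkt.src, pkt.sport) != (remote_ip, remote_port):
            return None                      # stateful filter: not the host we contacted
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)


def run_scenario(strict: bool) -> Dict[str, bool]:
    """Constructed traffic: a PC behind the gateway fetches a web page, the
    legitimate reply comes back, then an unrelated outside host sends to the
    same public port, and to an unmapped port."""
    gw = NatGateway("203.0.113.5", strict=strict)            # constructed public address
    request = Packet("192.168.1.10", 51000, "198.51.100.20", 80)
    on_wire = gw.outbound(request)                            # src rewritten to 203.0.113.5:40000
    reply = Packet("198.51.100.20", 80, on_wire.src, on_wire.sport)
    stranger = Packet("198.51.100.99", 4444, on_wire.src, on_wire.sport)
    unmapped = Packet("198.51.100.99", 4444, gw.public_ip, 22)
    expected_reply = Packet("198.51.100.20", 80, "192.168.1.10", 51000)
    return {
        "reply_delivered": gw.inbound(reply) == expected_reply,
        "stranger_delivered": gw.inbound(stranger) is not None,
        "unmapped_delivered": gw.inbound(unmapped) is not None,
    }


if __name__ == "__main__":
    for strict in (False, True):
        print("stateful filter" if strict else "plain NAT     ", run_scenario(strict))
```

In both variants the legitimate reply is un-rewritten and delivered, and a packet to a port with no mapping has nowhere to go. The difference is the mapped port: the plain NAT hands the stranger's packet to the inside host just as readily as the web server's reply, while the stateful check drops it. That is the "NAT only turns off the lights" point in code form: what stops unsolicited traffic is the filter, not the address rewriting.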

