it's not the wonderful and interesting new bugs that annoy me about IPv6, it's watching the
IPv6 people discover the same things that were discovered and fixed in IPv4 that they missed
because they were so busy telling people how important IPv6 is
OpenSSH bug falls through the cracks
Posted Apr 14, 2008 3:20 UTC (Mon) by bronson (subscriber, #4806)
Yeah, that source routing issue last year made my jaw drop. It indicated that IPv6 is
probably somewhere around 10 years less mature than IPv4. Or maybe that the v6 guys are bound
and determined to learn a few well-known and fairly obvious security lessons for themselves.
I keep hoping someone will figure out how to just extend ipv4 so that both protocols can move
over the same wire and apps can be updated with only tiny changes.
Posted Apr 14, 2008 4:11 UTC (Mon) by dlang (✭ supporter ✭, #313)
too many of them are also wedded to the idea that all systems with access to the Internet are
equal, and therefore NAT and firewalls are evil.
because of these beliefs, I expect that we will run into many interesting interactions as
people try to use IPv6 for real-world projects and find that things don't work as expected
while I firmly believe that everyone should be able to choose to get onto the Internet at this
level, I am equally strong in my belief that this level of access is not appropriate for all
a couple of examples:
computers in a company that need access to the Internet for limited business functions should
not need to be addressable directly from the outside.
consumers should be able to choose an ISP that acts to protect them (both inbound and outbound
Posted Apr 14, 2008 16:05 UTC (Mon) by zlynx (subscriber, #2285)
I don't believe that many networking people believe "Firewalls are evil." Now, *stupid*
firewalls are evil: I'm tired of running into routes that blindly drop ECN or TCP windows
because they are mangling packets for "security."
NAT *is* evil and should die. It's a hack. The security you like about "NAT" is the
anonymity and rejecting unrequested incoming packets. The semi-random anonymous IPv6 IPs that
Microsoft and others have adopted provide the same anonymity benefits and the "security"
provided by NAT is nothing more than stateful firewalling. NAT did force home
gateway/firewall vendors to provide stateful firewall because many-to-one NAT cannot be done
without it, but in NAT itself there's no security there.
Using "NAT" for security is also a misuse of terms. NAT does include many to one, but it also
includes one to many, many to many, and even IP to IP, port to port translation so that
192.168.1.1:25 connects to 192.168.2.1:25 without blocking any packets at all. There's no
security in such a mapping even though it is NAT all the way.
Posted Apr 14, 2008 16:36 UTC (Mon) by bronson (subscriber, #4806)
True, there's no additional security in NAT. In theory.
In practice, NAT completely changed the way most Windows machines are broken. Back in the
late 90s, Windows machines were usually taken out by smashing some part of the network stack.
Nowadays that pretty much never happens. Almost all attacks go in through the browser, Flash,
or just as trojans via email.
Why? NAT. True, MS did spend a fair amount of time cleaning up their network stack but
that's moot since it's all hidden behind NAT anyway.
I agree, NAT is a horrible horrible thing to do. But its real-world benefits are
unassailable. It's a non-negotiable one-button firewall deployable worldwide. It
single-handedly cleaned up broken firewalls all over the country, from mountain shacks to
multi-thousand-node office networks. Buy a box, plug it in, and you're safer. Period. No
other network security innovation has brought about such a profound positive change for so
many people, not even SSH.
So, when you say NAT should die (and I'm all for it), you're actually saying that NAT should
be replaced by something even better right? Something that carefully studies the networking
lessons from the last ten years and improves on it? Because simply abandoning NAT would be a
big step backward for most people and would reopen a lot of attack vectors which are currently
The IPv6 team doesn't seem to understand this. Yes, I'm worried.
Posted Apr 14, 2008 17:51 UTC (Mon) by zlynx (subscriber, #2285)
What you appear to have just said is what I said, NAT was good because it forced home user
networking gear to adopt stateful firewalls.
NAT does not need to be replaced by anything. We need home user network gear to abandon it
for IPv6 but keep the stateful firewall features.
Posted Apr 15, 2008 6:58 UTC (Tue) by bronson (subscriber, #4806)
I guess I'm not explaining myself very well.
"Stateful Firewall" is so ambiguous as to be virtually meaningless. Most stateful firewalls
have thousands of knobs, dials, and levers, all sorts of different policies and ACLs... Set
one lever to a wrong position and you get pwned.
Every stateful firewall I've ever seen takes fairly deep networking knowledge to set up and
maintain. And they're all different! Cisco experience doesn't help much with Sonicwall or
Linksys or Netscaler or Barracuda.
NAT, on the other hand, is either on or off. On, you're presumably safe. Off, you're not
safe. Terminology is consistent across all manufacturers. Go ahead and explain how to set up
a NAT to your boss over the phone. He'll catch on pretty quick. And *that* is why NAT has
taken over the world.
So, no. Replacing NATs with stateful firewalls as they exist today would be a big step
backward for network security worldwide.
Do the IPv6 devs realize that they need to consider usability too?
Posted Apr 15, 2008 15:29 UTC (Tue) by zlynx (subscriber, #2285)
You must be talking about serious enterprise level firewalls. Yes, they have a lot of knobs
A home/consumer level IPv6 firewall would look just like a NAT firewall does today. Plug it
in and it allows outgoing traffic and blocks incoming traffic. Nothing hard about that!
And as a point of fact: Many home firewall/router systems also have knobs and switches. My
Linksys wireless router has an Advanced tab with all sorts of complicated things on it.
Also I have no idea why you consider stateful firewall to be an ambiguous term. It's a system
that tracks connection state (or network "flows") and allows firewall block/allow decisions to
be made based on that state.
Posted Apr 15, 2008 19:25 UTC (Tue) by bronson (subscriber, #4806)
> A home/consumer level IPv6 firewall would look just like a NAT firewall does today.
Show me one and I'll happily evaluate it. Until I actually see one, I'll continue to say
that it needs to be invented. :)
> My Linksys wireless router has an Advanced tab
I'm quite happy with the existence of knobs and levers as long as users don't have to see them
in normal use. Unfortunately, on every firewall I've seen so far, blocking inbound traffic
without using NAT requires the Advanced tab or at least some pretty advanced knowledge.
Picture explaining to a non-technical person how to block all inbound traffic on your Linksys
without using NAT. It will probably turn into a networking lesson. Yes, in theory this is an
easy problem to solve -- it's just UI. In practice, nobody has solved it yet.
> It's a system that tracks connection state (or network "flows") and allows firewall
block/allow decisions to be made based on that state.
That phrase probably describes 99.9% of the firewalls sold today. That's why I consider it
Posted Apr 15, 2008 19:35 UTC (Tue) by zlynx (subscriber, #2285)
> That phrase probably describes 99.9% of the firewalls sold today. That's why I consider it
It isn't ambiguous at all. 99.9% of firewalls today track the connection state. Some old
stuff still in the field is simple packet filter but everything new *is* stateful.
Posted Apr 16, 2008 18:04 UTC (Wed) by bronson (subscriber, #4806)
OK, %s/ambiguous/irrelevant/g :)
Posted Apr 16, 2008 18:24 UTC (Wed) by zlynx (subscriber, #2285)
So then to sum up:
- most every router/firewall already contains stateful firewall
- stateful firewall is what provides security
- NAT and stateful firewall are separate things
- NAT is irrelevant to security
- NAT is irrelevant to anonymity
Why then are you upset that IPv6 discourages NAT?
Why do you want IPv6 routers to use NAT for security?
What benefit do you expect future customers of IPv6 home network gear to get from NAT?
Posted Apr 16, 2008 21:28 UTC (Wed) by bronson (subscriber, #4806)
> NAT and stateful firewall are separate things
NAT is just one policy a stateful firewall can implement. I wouldn't call that separate.
> NAT is irrelevant to security
NAT is the single easiest to use policy on firewalls shipping today. And it's disturbingly
effective. That makes it quite relevant to security doesn't it?
As I've said on this very thread, I loathe NAT. I really hope IPv6 will do away with it.
And, again, here's the point: before it can, IPv6 needs to provide something better. Something
even more secure and even easier to administer. 
In the last 15 years of watching IPv6 gestate, I haven't seen any work on this front (I don't
follow v6 very closely anymore so it's entirely possible I've missed it; tell me if I have).
Maybe papers have been written, specs hammered out, names and policies standardized, and
Cisco/Linksys, F5, BI, Foundry, NS, etc are all in agreement. Maybe working software even
exists. If not, though, I'm afraid IPv6 has a lot of catching up to do.
It doesn't matter how advanced something is, it's worthless if it's not usable by the people
deploying it. That's why NAT is so popular. And *that* is where IPv6 needs to do better.
Just dismissing NAT as teh sux is to miss why it's been so successful. (Hint: the IPv4
shortage is not even an issue yet).
At this point, I feel like I've repeated myself again and am well on my way to looping back
for fourths. If my point is still not clear, I apologize.
NAT is pretty much optimal as far as ease of administration: on / off. Things go bad if
you need to transit weird protocols like SIP or non-PASV FTP of course. That's where IPv6
will really shine... if and when the industry starts making easy to use IPv6 firewalls.
Posted Apr 16, 2008 22:42 UTC (Wed) by zlynx (subscriber, #2285)
OK, you win, I give up. Everything I said earlier you never bothered to once read.
So sure, someone like you needs NAT. Enjoy your IPv4 NAT.
Posted Apr 17, 2008 22:14 UTC (Thu) by gvy (guest, #11981)
I'm afraid you didn't bother reading even worse...
bronson, +1 for nice wrap-up. It's a pity v6 crowd seems like determined to learn it the hard
NAT is a kluge but *not* an egg-head one. v6 is both a kluge *and* an egg-head one. This
kind of stuff is usually horrific on deployment.
just in case
Posted Apr 18, 2008 0:23 UTC (Fri) by zlynx (subscriber, #2285)
bronson's "wrapup" ignored everything I said about stateful firewall being the solution.
I'd love to see his reaction if I were to take whatever router he uses and configure NAT on it
such that every incoming packet maps back to his internal IP address and then tell the
firewall to allow incoming packets. That is a valid NAT configuration. Some home routers
call it "DMZ" or "Server".
bronson just won't accept that NAT isn't the security, the firewall is the security.
NAT without security can be had (in Linux terms) by pairing SNAT and DNAT rules or using the
Here is IPv6 security without NAT in Linux iptables firewall terms:
ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i eth0 -j ACCEPT
ip6tables -A FORWARD -j DROP
Three rules. No NAT. Same security.
What would a hypothetical IPv6 home router call this? Nothing! It would be the default! No
complicated knobs and switches. It cannot get easier!
Explain what I didn't read.
As for bronson not reading me:
I explained how NAT is irrelevant to security. Then in his last response he repeated how NAT
is an effective security policy. It's not. It has nothing to do with security. As I
explained several times!
Then he repeats that he wants IPv6 to provide something better than NAT before getting rid of
NAT. It doesn't need to! It has security through stateful firewall just like current
systems! As I explained several times!
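A small model of the two configurations zlynx contrasts, added here as an illustration and not part of any comment in the thread: the three ip6tables FORWARD rules (connection state accepted, LAN-initiated traffic accepted and tracked, everything else dropped) beside the "DMZ" NAT that rewrites every inbound packet to one internal host and lets it through. The interface names, addresses and the simplified flow table are assumptions for the model; RELATED (ICMP errors, helper-opened data connections) is not modelled.

```python
from dataclasses import dataclass

LAN_IF, WAN_IF = "eth0", "eth1"   # assumed: eth0 is the LAN side, as in the posted rules


@dataclass(frozen=True)
class Packet:
    in_if: str   # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int


class StatefulForward:
    """Model of the posted FORWARD chain: state ACCEPT, LAN ACCEPT, DROP. No translation."""

    def __init__(self):
        self.flows = set()   # tracked 4-tuples (src, sport, dst, dport), stands in for conntrack

    def _established(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return fwd in self.flows or rev in self.flows

    def decide(self, p):
        if self._established(p):          # -m state --state RELATED,ESTABLISHED -j ACCEPT
            return "ACCEPT"
        if p.in_if == LAN_IF:             # -i eth0 -j ACCEPT (LAN initiates, flow is tracked)
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        return "DROP"                     # -j DROP: unsolicited inbound never reaches the LAN


def dmz_nat_forward(p, dmz_host="192.168.1.1"):
    """The 'DMZ'/'Server' NAT from the post: every inbound packet is rewritten to one
    internal host and accepted. Addresses change, but nothing is filtered (constructed model)."""
    if p.in_if == WAN_IF:
        p = Packet(p.in_if, p.src, p.sport, dmz_host, p.dport)
    return "ACCEPT", p


def stateful_scenario():
    """Outbound request, its reply, then an unsolicited inbound connection attempt."""
    fw = StatefulForward()
    out = fw.decide(Packet(LAN_IF, "fd00::10", 40000, "2001:db8::1", 443))
    reply = fw.decide(Packet(WAN_IF, "2001:db8::1", 443, "fd00::10", 40000))
    unsolicited = fw.decide(Packet(WAN_IF, "2001:db8::bad", 5555, "fd00::10", 22))
    return out, reply, unsolicited


def dmz_scenario():
    """Same unsolicited packet (IPv4 this time) through the NAT-without-firewall config."""
    verdict, translated = dmz_nat_forward(Packet(WAN_IF, "203.0.113.7", 5555, "198.51.100.2", 22))
    return verdict, translated.dst
```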
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds