User: Password:
Subscribe / Log in / New account

OpenSSH bug falls through the cracks

OpenSSH bug falls through the cracks

Posted Apr 16, 2008 21:28 UTC (Wed) by bronson (subscriber, #4806)
In reply to: OpenSSH bug falls through the cracks by zlynx
Parent article: OpenSSH bug falls through the cracks

> NAT and stateful firewall are separate things

NAT is just one policy a stateful firewall can implement.  I wouldn't call that separate.

> NAT is irrelevant to security

NAT is the single easiest to use policy on firewalls shipping today.  And it's disturbingly
effective.  That makes it quite relevant to security doesn't it?

As I've said on this very thread, I loathe NAT.  I really hope IPv6 will do away with it.
And, again, here's the point: before it can, IPv6 needs to provide something better.  Something
even more secure and even easier to administer. [1]

In the last 15 years of watching IPv6 gestate, I haven't seen any work on this front (I don't
follow v6 very closely anymore so it's entirely possible I've missed it; tell me if I have).
Maybe papers have been written, specs hammered out, names and policies standardized, and
Cisco/Linksys, F5, BI, Foundry, NS, etc are all in agreement.  Maybe working software even
exists.  If not, though, I'm afraid IPv6 has a lot of catching up to do.

It doesn't matter how advanced something is, it's worthless if it's not usable by the people
deploying it.  That's why NAT is so popular.  And *that* is where IPv6 needs to do better.
Just dismissing NAT as teh sux is to miss why it's been so successful.  (Hint: the IPv4
shortage is not even an issue yet).

At this point, I feel like I've repeated myself again and am well on my way to looping back
for fourths.  If my point still not clear, I apologize.

    - Scott

[1] NAT is pretty much optimal as far as ease of administration: on / off.  Things go bad if
you need to transit weird protocols like SIP or non-PASV FTP of course.  That's where IPv6
will really shine...  if and when the industry starts making easy to use IPv6 firewalls.

(Log in to post comments)

OpenSSH bug falls through the cracks

Posted Apr 16, 2008 22:42 UTC (Wed) by zlynx (subscriber, #2285) [Link]

OK, you win, I give up.  Everything I said earlier you never bothered to once read.

So sure, someone like you needs NAT.  Enjoy your IPv4 NAT.


Posted Apr 17, 2008 22:14 UTC (Thu) by gvy (guest, #11981) [Link]

I'm afraid you didn't bother reading even worse...

bronson, +1 for nice wrap-up.  It's a pity v6 crowd seems like determined to learn it the hard
way, again.

NAT is a kluge but *not* an egg-head one.  v6 is both a kluge *and* an egg-head one.  This
kind of stuff is usually horrific on deployment.

just in case


Posted Apr 18, 2008 0:23 UTC (Fri) by zlynx (subscriber, #2285) [Link]

bronson's "wrapup" ignored everything I said about stateful firewall being the solution.

I'd love to see his reaction if I were to take whatever router he uses and configure NAT on it
such that every incoming packet maps back to his internal IP address and then tell the
firewall to allow incoming packets.  That is a valid NAT configuration.  Some home routers
call it "DMZ" or "Server".

bronson just won't accept that NAT isn't the security, the firewall is the security.

NAT without security can be had (in Linux terms) by pairing SNAT and DNAT rules or using the
NETMAP target.

Here is IPv6 security without NAT in Linux iptables firewall terms:
ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i eth0 -j ACCEPT
ip6tables -A FORWARD -j DROP

Three rules.  No NAT.  Same security.
What would a hypothetical IPv6 home router call this?  Nothing!  It would be the default!  No
complicated knobs and switches.  It cannot get easier!

Explain what I didn't read.

As for bronson not reading me:
I explained how NAT is irrelevant to security.  Then in his last response he repeated how NAT
is an effective security policy.  It's not.  It has nothing to do with security.  As I
explained several times!

Then he repeats that he wants IPv6 to provide something better than NAT before getting rid of
NAT.  It doesn't need to!  It has security through stateful firewall just like current
systems!  As I explained several times!

Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds