[LACNIC/Seguridad] NAT and security (cross-post from the NANOG list)
Carlos M. Martinez
carlos.martinez at csirt-antel.com.uy
Thu Jun 7 11:58:59 BRT 2007
Hello everyone,
I wanted to share with you a post I made on the NANOG list.
Apologies that it is in English. My aim is to encourage discussion
about NAT and security, a discussion that is gaining a lot of momentum with the
advent of IPv6.
> Hi,
>
> Valdis.Kletnieks at vt.edu wrote:
>>
>> I think somebody on this list mentioned that due to corporate acquisitions,
>> there were legitimate paths between machines that traversed 5 or 6 NATs.
>>
>
> Not 5 or 6, but in my company I could show you paths with 4 NATs. Many of them. And no acquisitions, just different divisions of the same company.
>
> I once spent three days trying to get the four administrators to talk among themselves and determine where a SYN flood was coming from.
>
> Whatever people say, NAT is a hack. NAT was intended to extend IPv4's lifetime (together with CIDR they were pretty successful at that) and nothing else.
>
> And as someone said earlier, instead of promoting layer separation, NAT has promoted "protocol hacking hell".
>
> Please, even the related PIX commands are named after their hackish nature:
>
> "fixup protocol dns"
> "fixup protocol ftp"
>
> This completely destroys the end-to-end nature of application protocols! If someone wants to improve FTP or anything that requires a "fixup", it doesn't suffice to code a server and a client. No, you need to talk to 1,000-ish firewall manufacturers so they correct their "fixups".
>
> Which they might or might not do, of course, depending on how they feel that particular day. Talk about vendor lock-in.
>
> In my view, this ossifies the whole Internet development cycle.
>
> And the argument that NAT is easier to administer than a full SI firewall is pretty thin, even if it were true, about which I have my doubts. Moreover, not everything in life should be conditioned on the "easier to administer" argument.
>
> Sorry about the rant :-)
>
> Carlos M.
> ANTEL Uruguay
>
>> But yeah, "Sure, very easily". Whatever you say...
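The post above mentions "fixup protocol ftp" as an example of NAT forcing middleboxes to rewrite application payloads. The following is an added example, not code from the original post, the NANOG thread, or any Cisco product: a minimal, hypothetical model of what an FTP ALG has to do. Active-mode FTP carries the client's own IP address and port inside the PORT command (RFC 959), so a NAT that only rewrites IP and TCP headers leaves the server trying to connect back to an RFC 1918 address. The ALG therefore has to parse the payload, substitute its public address and a freshly allocated port, record the mapping so the inbound data connection can be forwarded, and, because the rewritten line is usually a different length, keep a TCP sequence-number delta for the rest of the control connection. The public address 203.0.113.7, the starting port 40000, and the sample commands are all constructed for the example.

```python
"""Hypothetical model of a NAT FTP ALG ('fixup protocol ftp').

Added example: shows why an application protocol that embeds layer-3
addresses in its payload cannot traverse a header-only NAT, and what the
middlebox has to rewrite to make it work. Sample addresses are constructed.
"""
import re
from ipaddress import ip_address, ip_network

# FTP PORT command: "PORT h1,h2,h3,h4,p1,p2" with port = p1*256 + p2 (RFC 959).
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")

# RFC 1918 space: addresses a server on the public Internet cannot connect back to.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_port(line: str):
    """Decode a PORT command into (ip, port); raises ValueError on malformed input."""
    m = PORT_RE.match(line)
    if m is None:
        raise ValueError("not a PORT command: %r" % line)
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        raise ValueError("field out of range in %r" % line)
    ip = ".".join(str(v) for v in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def format_port(ip: str, port: int) -> str:
    """Encode (ip, port) back into the comma-separated PORT syntax."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)


def unreachable_without_fixup(line: str) -> bool:
    """True when a header-only NAT would pass a private address to the server."""
    ip, _ = parse_port(line)
    return is_rfc1918(ip)


class FtpNatAlg:
    """Rewrites PORT commands from inside clients and records the data mapping.

    Hypothetical ALG; public_ip and the port pool are assumptions of the example.
    """

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (public_ip, public_port) -> (private_ip, private_port): the inbound
        # data connection the NAT must accept and forward for this transfer.
        self.data_mappings = {}
        # Bytes added/removed from the TCP stream so far. A real ALG must add
        # this to sequence numbers (and subtract from ACKs) on every later segment.
        self.seq_delta = 0

    def rewrite(self, line: str) -> str:
        """Return the control-channel line as the server should see it."""
        if not line.startswith("PORT "):
            return line  # only PORT carries an embedded address in this model
        ip, port = parse_port(line)
        if not is_rfc1918(ip):
            return line  # already a routable address; nothing to fix up
        public_port = self.next_port
        self.next_port += 1
        self.data_mappings[(self.public_ip, public_port)] = (ip, port)
        new_line = format_port(self.public_ip, public_port)
        self.seq_delta += len(new_line) - len(line)
        return new_line


if __name__ == "__main__":
    alg = FtpNatAlg("203.0.113.7")
    client_line = "PORT 10,0,0,5,4,1\r\n"  # constructed: client 10.0.0.5, port 1025
    print("without fixup, server gets private address:", unreachable_without_fixup(client_line))
    print("with fixup, server gets:", alg.rewrite(client_line).strip())
    print("data mapping:", alg.data_mappings, "seq delta:", alg.seq_delta)
```

The point the model makes concrete is the one the post is complaining about: every such protocol needs its own parser and rewriter inside the NAT, and a protocol change (a new command, TLS on the control channel, IPv6 EPRT) silently breaks until every vendor updates its fixup.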