yeah but the likelihood of this is incredibly remote. It would shock me if ISPs didn't have alarms going off if RFC1918 space was suddenly routable within their BGP table.
Not to mention the return packet would be NAT'd so the attacker would have to deal with that complication.
The return packet wouldn't be NATed, because stateful NAT tracks connections and only applies NAT to packets that belong to outbound connections.
Arguing over how likely this is is missing the point. If it can happen at all when you're running NAT, then it should be clear that NAT isn't providing security.
“if it protects 99.999% of attackers from reaching you but not this one specific attacker in this one case of misconfiguration, it’s not providing security”…
Dude, that’s a really shitty take and this is why people that do care about security end up ignoring advice from anyone who thinks this way.
You’re in the camp of “don’t use condoms because they can break”.
NAT doesn't protect you from 99.999% of attackers though. It doesn't do anything to incoming connections, so it actually protects you from 0% of attackers.
Okay, but unless you've poked a hole through NAT (and if you have, presumably you know what you're doing), what are those incoming connections going to connect to?
If there's nothing to connect to, is there really an incoming connection?
They connect to whatever IP is specified in the packet's "destination IP" header field. It's exactly the same behavior as if there was no NAT going on.
The same problem applies to masquerading. Routers are happy to route packets they receive, and NAT (in whatever form) isn't the tool you use to drop those packets.
> Do you have any examples of NAT that isn't implemented in a more general firewall subsystem?
When I was a network engineer, we did NAT on edge routers for B2B connections all the time. Like literally hundreds of thousands of them. I am 100% serious on this.
My understanding is that almost all edge routers provide at least basic firewalling, not just pure routing. How were you “doing NAT” on the edge routers you were using otherwise?
(Baring in mind that what most people are referring to as NAT here and elsewhere is “IP masquerading with connection tracking” rather than simple static SNAT & DNAT)
In an enterprise network, it's very, very unlikely that an edge router is doing any firewalling. They can do it, but it's not only cumbersome to do it there, but also a massive resource drain.
Often they do basic stateless packet filtering, but definitely nothing akin to stateful, connection-oriented firewalling. It's important to make the distinction, because filtering in this case is completely uni-directional and if you want bi-directional equivalence you have to write an inverse rule for it. Filtering polices are applied per interface, so generally you apply them on the outside only.
Think of it as sort of a reverse of an inbound Internet policy - you write all the drop stuff first (e.g. drop any any eq snmp) and the last rule is a permit ip any any. Next hop is your firewall which does the rest.
For site-tos-site b2b connections, we performed NAT (of the untrusted network space) on the border/edge b2b router, and then the traffic was immediately routed to the firewall. So in this instance, NAT was happening on the router for the customer IP range, and on the firewall for our enterprise IP range.
As a convenience to our customers/partners we always presented ourselves as one of our public IP blocks that wasn't Internet-routed. This prevented them from having any overlapping IP space.
Otherwise, NAT is simply a question of configuring it. And at least in the cisco IOS world (I'm a dinosaur) the two features (NAT vs. firewall) are utterly independent.
> but definitely nothing akin to stateful, connection-oriented firewalling
This is where my confusion comes in, I think.
Surely the variety of NAT that significantly improves the IPv4 address starvation problem (IP Masq by its various names) requires a connection oriented approach to be effective? Maybe not as far as more advanced conntrack rules (trying to get connect-back based protocols to work) but even just a basic stream-over-one port protocol needs basic connection tracking so return packets get back to the right host? If you have enough resource to do that then you have more than enough resource to do the basic “block all external apart from these configured addr+port->addr+port combinations” for IPv6 that is all the protection NAT affords you by accident for IPv4.
> Surely the variety of NAT that significantly improves the IPv4 address starvation problem (IP Masq by its various names) requires a connection oriented approach to be effective?
Actually it doesn't. Well, not really.
With NAT you're generally talking about either 1:1 or 1:many (Masquerading).
In all cases the device doing the NAT maintains a table which is referenced for every matching packet that arrives or leaves.
In 1:1 NAT, the IP in the packet header (Layer-3) is simply rewritten from one address to the other whenever a packet matching both addresses in the NAT table leaves or arrives.
In 1:many NAT, the source port is randomized because you can run into collisions when multiple clients are connecting to the same server:port. So in that case the NAT table contains IP addresses as well as ports. When a return packet arrives, it checks the NAT table and rewrites both the L3 and L4 (port) info before passing it along.
Often times firewalls will randomize the source port when doing 1:1 NAT as a security measure, but after all these years I don't really remember why that's helpful. :-\
But that's really the extent of tracking connections with NAT.
Now when you're talking about firewalling, there's a lot more to track, such as connection start/stop/timeouts/lifetimes, total throughput, TCP state (handshakes, sequence numbers, etc.), closing open sessions when seeing things like TCP RSTs or FINs or ICMP unreachables. The amount of data and CPU is dramatically higher, and tailored to the software doing the firewalling. I believe in many cases simple L3/L4 rewrites can happen in hardware.
I haven't talked about any of this in several years so I hope I'm making sense.
Nonsense in how they approached things. Clinton-era we had govt. cut backs all over the place. It was done according to a plan and according to the law.
This was just a hatchet job, aimed and cutting and gutting any and every agency they thought they could get away with.
I'd expect folks would see the behavior you're describing here as being part of security.
However, NAT in the real world doesn't work the way you're describing here. My position is based on how NAT actually behaves, not on incorrect descriptions of how it behaves.
Or perhaps you could explain how NAT stops inbound connectivity at the NAT edge? I've tested and it doesn't, so I don't think it's possible to explain how it does, but I'm open to being wrong on that if anybody could actually explain it in a way that doesn't contract actual observed behavior.
Look I get where you're going with this. I do. All things being equal, a device that routes packets will route packets whether or not a NAT is in place. That's not the issue at hand.
The situation is simply that except in the rarest of cases, you're not going to be able to manipulate routing to achieve getting a packet with a RFC1918 (let's be real here, this is what we're talking about 99.9% of the time) destination address to go anywhere, much less to the target. Or more broadly, getting a packet addressed for a target behind a NAT to route TO a NAT gateway. Not to mention that if somehow it did get through, return packets are almost guaranteed to end up NAT'd, preventing traffic flow. So there's that.
On the Internet, even if your ISP didn't drop your packets outright, the routers wouldn't have the faintest idea how to route your packets to your victim.
Not Internet? Ok, let's say you're on a corporate network. You're a user and not a network admin.
Your company has a VPN to a partner company, and you're both using various subnets in 10/8. The partner has provided 192.168.1.0/24 of 1:1 NAT addresses so your two companies can share data, etc.
But there is no route in the IGP to the partner company's 10/8 network, only a block of 192.168.1.x addresses, none of which you are able to use. A magic fairy tells you that partner's payroll server has admin/admin credentials at 10.5.5.5. How are you going to get across the VPN to that address?
You won't, because you can't. Because there's no route, and in the case of a VPN, the interesting traffic probably doesn't include that IP even if you got a packet that far.
It's all simply a question of routing. Whether your traffic is being dropped by a firewall or dropped by a router, it's still being dropped.
FWIW I was a network engineer and architect at a massive enterprise for almost 15 years, and my team had management over all our Internet circuits, NAT, our WAN, etc. At the time I left we probably had >200k 1:1 NAT addresses; mostly across B2B links for management access of our devices on customer premises. It was an enormous PITA.
I get all of that... but it just sounds like you're arguing that either using RFC1918, or someone's inability to route to your router, is a firewall. Neither of these things are NAT! Nor will either of them protect you from all inbound connections, so neither of them count as firewalls either (although I'll grant that they limit the number of people that could make such a connection).
You can't trust an attacker to politely not send you packets that you think they can't send you. They can run `ip route add 10.5.5.5 dev vpn`/`via <next-hop>` just fine if they happen to be in the right place to do it, and your NAT won't help you.
The reason the packets are being dropped does matter. The issue at hand is all the people thinking that v6 is insecure because NAT is a security barrier; they're wrong, because it's not a security barrier, and if they continue to misattribute their security to it then they're going to keep reaching the wrong conclusions about v6.
> I get all of that... but it just sounds like you're arguing that either using RFC1918, or someone's inability to route to your router, is a firewall.
Yes and no. The effect is the same; packets are dropped. If you have no path to a target and no way to create one, it's a security barrier.
> Neither of these things are NAT!
You're right. They're a *result* of having a NAT boundary.
> They can run `ip route add 10.5.5.5 dev vpn`/`via <next-hop>` just fine if they happen to be in the right place to do it, and your NAT won't help you.
'If they happen to be in the right place to do it' is doing a LOT of heavy lifting here. You'd have to have root access on a compromised host, e.g., a linux system, immediately adjacent to the router/firewall/VPN doing NAT. And boy would that be a stupid design for an enterprise, and it would never happen at the Internet edge. So we're talking about the edgiest of edge case unicorns.
Even if you had all that go right, return packets are going to be addressed wrong (NAT) so you'd have to figure out how to deal with that.
Your stance seems to boil down to security being an active security measure - e.g. packet filter policy. My stance is that NAT and the reality of network design naturally results in preventing unwanted traffic flows, effectively producing the same result.
I'm not saying firewalls aren't critical, just that NAT does create a barrier, and v6 advocates always blare on that it doesn't.
company where i work has deployments across the world with few hundreds of thousands of hardware hosts (in datacenters), vms and containers + deployments in a few clouds. also a bunch of random hardware from multitude of vendors. multiple lines for linking datacenters and clouds. also some lines to more specific service providers that we are using.
all of it ipv4 based. ipv6 maybe in distant future somewhere on the edge in case our clients will demand in.
I find this completely fine. I don't see much (if any) upside in migrating a large existing network to anything new at all, as long as the currently deployed IPv4 is an adequate solution inside it (and it obviously is).
Public-interfacing parts can (and should) support IPv6, but I don't see much trouble exposing your public HTTP servers (and maybe mail servers) using IPv6, because most likely your hosting / cloud providers do 99.9% of it already, out of the box (unless it's AWS, haha), and the rare remaining cases, like, I don't know, a custom VPN gateway, are not such a big deal to handle.
I ran network team at an organization with hundreds of thousands hardware hosts in tens-of-megawatts large data centers, millions of VMs and containers, links between data centers, links to ISPs and IXes. We ran out of RFC1918 addresses at around 2011-2012 and went IPv6-only. IPv4 is delivered as a service to nodes requiring it via an overlay network. We intentionally simplified network design by doing so.
I should have been gentler and less arrogant, yes. Sincerely though, please explain how ipv6 is in anyway more difficult than a properly set up ipv4 enterprise. What tools are not available?
I left my job as a NE/architect over a 15 years ago, but the show stopper back then revolved around how to handle routing with firewalling. Firewalling being biggest roadblock due to needing traffic symmetry. I'm doing my best to remember why we stopped at just providing v6 at the edge for site-specific Internet hosted services and never pushed it further.
Mind you, our team discussed this numerous times over a few years and never came up with a solution that didn't look like it would require us to completely fork-lift what we were doing. The whole team was FOR getting us to v6, so there was no dogmatic opposition.
Consider this:
25k employee company. Four main datacenter hubs spread out across the USA with 200 remote offices evenly dual-homed into any two of the four.
All four of the DCs had multi-ISP Internet access advertising their separate v4 blocks and hosting Internet services. The default-route was redistributed into the IGP from only two locations, site A and B. e.g. two of the four DCs were egress for Internet traffic from the population of users and all non-internet-facing servers. IGP metrics were gently massaged as to fairly equally use of both sites.
All outbound traffic flowed naturally out of the eastern or western sites based on IGP metrics. This afforded us a tertiary failover for outbound traffic in the event that both of the Internet links into one of the two egress sites was down. e.g., if both of site A's links (say, level-3 and att) were down, the route through site A was lost, and all the egress traffic was then routed out site B (and vice-versa). This worked well with ipv4 because we used NAT to masquerade all the internal v4 space as site X's public egress block. Therefore all the return traffic was routed appropriately.
BGP advertisements were either as-path prepended or supernetted (don't remember which) such that if site A went down, site B, C, or D would get its traffic, and tunnel it via GRE to the appropriate DC hub's external segment.
The difficulty was that traffic absolutely had to flow symmetrically because of the firewalls in place, and easily could for v4 because NAT was happening at every edge.
With v6 it just didn't seem like there was any way to achieve the same routing architecture / flexibility, particularly with multi-homing into geographically disparate sites.
I'm not sure anymore where we landed, but I remember it being effectively insurmountable. I don't think it was difficult for Internet-hosted services, but the effort seemed absolutely not worth it for everything on the inside of the network.
It didn’t speed up adoption and people then tried most of the other solutions people are going to suggest for IPv4+. Want the IPv4 address as the network address instead? That’s 2002:a.b.c.d/48 - many ISPs didn’t deploy that either
Not to mention the return packet would be NAT'd so the attacker would have to deal with that complication.
reply