<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3429" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=669571519-13112008>Eric, Philip,</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=669571519-13112008></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=669571519-13112008>Comments below inline with DL></SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=669571519-13112008></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=669571519-13112008>Thanks.</SPAN></FONT></DIV><BR>
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> behave-bounces@ietf.org
[mailto:behave-bounces@ietf.org] <B>On Behalf Of </B>Eric
Klein<BR><B>Sent:</B> Thursday, November 13, 2008 11:07 AM<BR></FONT></DIV>
<DIV dir=ltr>
<DIV class=gmail_quote>
<DIV> </DIV>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<DIV>
<DIV dir=ltr><SPAN id=""></SPAN></DIV>
<DIV dir=ltr>NAT66 is in fact a security requirement in many applications
and in others it is a compliance requirement. Stampy feet protests that the
idea is profane don't change those facts.</DIV>
<DIV dir=ltr> </DIV></DIV></BLOCKQUOTE>
<DIV>NAT is not and never was a security feature, it was a way to use fewer
numbers because they were hard to get. Please stop the falacy that NAT in any
way is related to security, otherwise we would not need firewalls.</DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=669571519-13112008>DL> Port/Overload NAT for IPv4 (NAT:P) has
security benefits in that it requires explicit configuration to allow for
inbound unsolicited transport connections (via port forwarding) to 'inside'
hosts. This mimics many of the default policies on most firewalls, hence
the confusion. Note that can also cause security issues elsewhere
in the network. The loss of information of the identity of the source
host can cause address filtering in the network to effect other
devices than just the one intended.</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=669571519-13112008></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=669571519-13112008>DL> I'm wondering if this is written down
somewhere, because both of the above points seem to be argued over and over
again, without people being genererally educated about
them.</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=669571519-13112008></SPAN></FONT><FONT face=Arial color=#0000ff
size=2></FONT> </DIV>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<DIV>
<DIV dir=ltr><SPAN id=""></SPAN></DIV>
<DIV dir=ltr>I know that there are some people in the security area who
claim otherwise but they have been wrong on many issues in the past and they
are likely wrong on this one. Let us consider for a minute the list of real
world security measures that the IETF has successfully deployed, well there
is DKIM (sort of) and there is the post-facto cleanup of SSL after it was
successful and the post facto cleanup of X.509 after that was successful.
IPSEC is used as a VPN solution despite being unsuited for the role as
originally designed. </DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>On the negative side the same consensus that opposes NAT66 has
in the past opposed firewalls, the single most widely used network security
control. It has also promoted the idea of algorithm proliferation and
negotiation as a good thing (these days we consider it bad). It has promoted
the idea that the most important feature in a security protocol is that it
be absolutely secure against theoretical attacks rather than easy enough to
deploy and use that people actually use it.</DIV></DIV></BLOCKQUOTE>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV>This is not quite true, the ones who have been argueing against it have
constantly asked why we need it. But we still do not know why we need NAT, no
one has done the gap analysis.<SPAN class=669571519-13112008><FONT face=Arial
color=#0000ff size=2> </FONT></SPAN></DIV>
<DIV><SPAN class=669571519-13112008><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=669571519-13112008><FONT face=Arial color=#0000ff
size=2>DL> I would argue that stateless filtering (e.g. access control
lists) are even more common than firewalls and are the single most widely used
network security control. But the main point is that firewalls (
statefull (flow based) filtering that usually have default policies), are
orthogonal to address translation. They just happen to occur at the same
point in the topology in many networks.</FONT></SPAN></DIV>
<DIV><SPAN class=669571519-13112008><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=669571519-13112008><FONT face=Arial color=#0000ff
size=2>DL> But I think Eric you have a good point about
documenting the relationship between a privately addressed IPv4 site and a
publicly addresses IPv6 site. We should publicly document the
differences, it would likely make or break the case for
NAT66.</FONT></SPAN></DIV>
<DIV><SPAN class=669571519-13112008><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=669571519-13112008><FONT face=Arial color=#0000ff
size=2>Thanks,</FONT></SPAN></DIV>
<DIV><SPAN class=669571519-13112008><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=669571519-13112008><FONT face=Arial color=#0000ff
size=2>-Darrel</FONT></SPAN></DIV></DIV></DIV></BLOCKQUOTE></BODY></HTML>