On Sun, Aug 26, 2018 at 11:38:57AM -0700, Joe Touch wrote:
> NATs already have what they need to do the proper job - they need to
> reassemble and defragment using unique IDs (or cache the first fragment when
> it arrives and use it as context for later - or earlier cached - fragments).
> There???s no rule that IP packets that are fragmented MUST have a transport
> header both visible (not encrypted) and immediately following the IP header.
Reassmbly/refragment and MTU discovery puts NAT out of the realm of many
cost effective HW acceleration methods. Simple address rewrite does not.
> Firewalls are just delusions; [1]
> the context they think they???re enforcing has no meaning except at the
> endpoints; it never did. [2]
I completely agree with [2], but my conclusion is not [1], but
rathat its highly valuable and necessary.
The ability of firewalls to open 5-tuple bidirectional pinholes because
of trigger traffic from the inside is IMHO the most important feature
to keep Internet hosts protected. I wish host stacks would be built securely,
but after a few decdaces i have given up on that for most hosts. Which is
why its so irritating when host stack pundits continue telling network device
stack builders what they should and should not do.
Firewalls inspecting unencrypted higher layer message elements where a fairly
well working security model based on having a separate security administration
from the application administration. Now the applications promise to
provide all the security themselves, but they primarily just prohibit visibility
of what they do, so its a lot harder to figure out when they are insecure.
Would you ever put all type of in-home "iot" gear thats not a Windows/MacOS
system with a GUI you can control on the Internet without a firewall ?
Cheers
Toerless
> Using part of the IPv6 space for this solution would then break per-address
> network management (different UDP ports would use different IPv6 addresses,
> presumably).
>
> The ???disease" is that NATs don???t reassemble (or emulate it). It???s not
> useful to try to address the symptoms of that disease individually.
>
> Joe
_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
