On 8-jul-2005, at 19:34, Fred Baker wrote:
A NAT, in that context, is a stateful firewall that changes the
addresses, which means that the end station cannot use IPSEC to
ensure that it is still talking with the same system on the
outside. It is able to use TLS, SSH, etc. as transport layer
solutions, but those are subject to attacks on TCP such as RST
attacks, data insertion, acknowledge hacking, and so on, and SSH
also has a windowing problem (on top of TCP's window, SSH has its
own window, and in large delay*bandwidth product situations SSH's
window is a performance limit). In other words, a NAT is a
man-in-the-middle attack, or is a device that forces the end user to
expose himself to man-in-the-middle attacks.
:-)
A true stateful firewall that allows IPSEC end to end doesn't
expose the user to those attacks.
I of course couldn't resist, so:
!
ipv6 access-list out-ipv6-acl
 remark outbound: permit everything, record each flow in reflexive list state-acl
 permit ipv6 any any reflect state-acl
!
ipv6 access-list in-ipv6-acl
 remark inbound: admit only return traffic recorded in state-acl, log the rest
 evaluate state-acl
 deny ipv6 any any log
!
(don't try this at home, kids: that deny any is dangerous because it
blocks neighbor discovery)
Unfortunately, IPsec (ESP transport mode) isn't allowed back in:
%IPV6-6-ACCESSLOGNP: list in-ipv6-acl/20 denied 50 2001:1AF8:2:5::2 -> 2001:1AF8:6:0:20A:95FF:FEF5:246E, 29 packets
On second thought: how could it? The SPIs for outgoing and incoming
packets are different. I suppose it would be possible for the
stateful filter to snoop the ISAKMP protocol and install filter rules
based on the information found there, but that's obviously not what
happens.
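An added illustration of the point made above, not code from the post or from IOS: a toy model of a reflexive ACL that mirrors each outbound flow into a state table and admits only inbound packets matching a mirrored entry. For TCP the reply's reversed 5-tuple matches. For ESP the only per-flow identifier the filter can see is the SPI, and each direction carries a different SPI chosen by its receiver, so the mirrored entry never matches the real reply. The `install_from_ike` hook models the speculative ISAKMP-snooping idea; it is hypothetical, takes the negotiated inbound SPI as an argument rather than parsing IKE, and the SPI values and address names are constructed (the addresses are the ones from the log line).

```python
from dataclasses import dataclass

# Addresses taken from the denied-packet log line in the post; SPIs are constructed.
INSIDE = "2001:1AF8:6:0:20A:95FF:FEF5:246E"
OUTSIDE = "2001:1AF8:2:5::2"
PROTO_TCP, PROTO_ESP = 6, 50


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0   # TCP/UDP source port
    dport: int = 0   # TCP/UDP destination port
    spi: int = 0     # ESP Security Parameters Index (receiver-chosen)


class ReflexiveFilter:
    """Toy model of 'permit ... reflect state-acl' / 'evaluate state-acl'.

    Assumption (not shown on the page): ESP entries are keyed on the SPI,
    since ESP has no ports. That is the only keying consistent with the
    reply being denied in the post.
    """

    def __init__(self):
        self.state = set()

    def _key(self, p):
        if p.proto == PROTO_ESP:
            return (p.proto, p.src, p.dst, p.spi)
        return (p.proto, p.src, p.dst, p.sport, p.dport)

    def _mirror(self, p):
        # The entry the return packet would have to match: addresses and
        # ports swapped. For ESP the SPI is simply copied, which is the flaw.
        if p.proto == PROTO_ESP:
            return (p.proto, p.dst, p.src, p.spi)
        return (p.proto, p.dst, p.src, p.dport, p.sport)

    def outbound(self, p):
        # out-ipv6-acl: permit ipv6 any any reflect state-acl
        self.state.add(self._mirror(p))
        return "permit"

    def inbound(self, p):
        # in-ipv6-acl: evaluate state-acl, then deny ipv6 any any log
        return "permit" if self._key(p) in self.state else "deny"

    def install_from_ike(self, inside, outside, inbound_spi):
        # Hypothetical ISAKMP-snooping hook: the post only speculates that
        # a filter could learn the inbound SPI from the IKE exchange. The
        # parsing is not modelled; the caller passes the negotiated SPI.
        self.state.add((PROTO_ESP, outside, inside, inbound_spi))


def demo():
    f = ReflexiveFilter()
    # TCP (e.g. SSH): the reply matches the mirrored 5-tuple, so it gets back in.
    f.outbound(Packet(PROTO_TCP, INSIDE, OUTSIDE, sport=40000, dport=22))
    tcp = f.inbound(Packet(PROTO_TCP, OUTSIDE, INSIDE, sport=22, dport=40000))
    # ESP: outbound SA uses one SPI, the inbound SA another (constructed values).
    f.outbound(Packet(PROTO_ESP, INSIDE, OUTSIDE, spi=0x11111111))
    esp_before = f.inbound(Packet(PROTO_ESP, OUTSIDE, INSIDE, spi=0x22222222))
    # Only with the hypothetical IKE snooping does the inbound SA get through.
    f.install_from_ike(INSIDE, OUTSIDE, inbound_spi=0x22222222)
    esp_after = f.inbound(Packet(PROTO_ESP, OUTSIDE, INSIDE, spi=0x22222222))
    return tcp, esp_before, esp_after


if __name__ == "__main__":
    print(demo())  # ('permit', 'deny', 'permit')
```

The middle result is the case logged in the post: the ESP reply is dropped by the final deny because the filter has nothing it could legitimately match it against.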