Again Bill, the NAT process layer is not involved in dropping unwanted traffic until the packet is at least four/five levels deep. On ingress, a firewall will check if there is any flow/stream associated to it, ensure the packet follows the applicable protocol state machine, process it against the inbound interface rules, do any DPI rule processing, THEN NAT lookup, and egress routing + ACLs on the outbound ACL. https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html
On a standard LAN -> WAN firewall configured with a single public IPv4 IP; your protection comes from the connect state/flow tables primarily. No one would be touching NAT configurations at the same rate as zone and policy configurations, unless it's for complex VPN setups. Using NAT as a defense in depth strategy against deploying v6 is only hurting yourself. I have yet to come across an enterprise that uses it between internal VLANs or policies/zones, where the same threat potential can be, especially in a DMZ. Ryan Hamel ________________________________ From: NANOG <nanog-bounces+ryan=rkhtech....@nanog.org> on behalf of William Herrin <b...@herrin.us> Sent: Friday, February 16, 2024 8:03 PM To: John R. Levine <jo...@iecc.com> Cc: nanog@nanog.org <nanog@nanog.org> Subject: Re: IPv6 uptake (was: The Reg does 240/4) Caution: This is an external email and may be malicious. Please take care when clicking links or opening attachments. On Fri, Feb 16, 2024 at 7:41 PM John R. Levine <jo...@iecc.com> wrote: > > That it's possible to implement network security well without using > > NAT does not contradict the claim that NAT enhances network security. > > I think we're each overgeneralizing from our individual expeience. > > You can configure a V6 firewall to be default closed as easily as you can > configure a NAT. Hi John, We're probably not speaking the same language. You're talking about configuring the function of one layer in a security stack. I'm talking about adding or removing a layer in a security stack. Address overloaded NAT in conjunction with private internal addresses is an additional layer in a security stack. It has security-relevant properties that the other layers don't duplicate. Regardless of how you configure it. Also, you can't "configure" a layer to be default closed. That's a property of the security layer. It either is or it is not. You can configure a layer to be "default deny," which I assume is what you meant. The issue is that anything that can be configured can be accidentally unconfigured. When default-deny is accidentally unconfigured, the network becomes wide open. When NAT is accidentally unconfigured, the network stops functioning entirely. The gate is closed. Regards, Bill Herrin -- William Herrin b...@herrin.us https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbill.herrin.us%2F&data=05%7C02%7Cryan%40rkhtech.org%7C0de6c54d274c4b231dc608dc2f6dc319%7C81c24bb4f9ec4739ba4d25c42594d996%7C0%7C0%7C638437395698409506%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=k19sefOjlCNOBGbiAmhzcFszrOEhf8SQQfs0MQThyaU%3D&reserved=0<https://bill.herrin.us/>
