> > > IPv6 needs to be justified on the number of nodes that truly need a
> > > globally accessible public address, not by insisting on counting devices
> > > that should remain anonymous or under limited (and controlled) visibility.
> > 
> > you appear to be confusing visibility with accessibility.
> >  
> 
> No, that is exactly what I am not confusing.
> 
> If a node only requires accessibility by a few specialized nodes (such
> as a water meter) then making it *visible* to more is just creating
> a security hole that has to be plugged.

that's simply false.  security and visibility are largely orthogonal.

the fact that a resource is visible to the network simply means that it is 
potentially accessible, with appropriate credentials, by another party 
on the network.

the common mistake is assuming that accessibility should have something
to do with network topology, or more precisely, with source IP address.
this works only for a limited subset of applications and user communities.

while it might be reasonable to trust such mechanisms for limited-purpose
networks, it's simply naive to insist that such mechanisms are generally
applicable.

> Yes, the hole can be plugged easily.

again, that's simply false.

in general, if an application or an end-system has a security hole
that allows access by unauthorized parties, you can't plug that hole 
by external means.  you may be able to work around the problem using 
a firewall by exploiting network access patterns - for instance, if 
you know in advance that the only legitimate users of a resource are 
located within a particular subnet and you can ensure that the only 
traffic with that subnet's source address actually originated from 
within that subnet.  but this is an exception, not a general rule.

to insist that application security realms should be constrained to 
reflect network topologies is either to severely limit the kinds of 
applications that can be run or to make your network much more expensive
than it needs to be.  and this strategy doesn't hold up in a world
in which the devices you use to access those resources may be attached
to the network via any of a variety of provider networks - and may also
need to be able to access resources on multiple networks.  folks aren't
going to carry separate PDAs to access the office email, the baby cam 
at the day care center, and the home security system.  they're going 
to carry a single PDA and expect it to authenticate to each, independently
of their current location.

> I am merely pointing out that the opportunity to add more rules to
> an IPv6 firewall to plug a security hole that IPv6 created is *not*
> an argument for IPv6.

IPv6 doesn't create any new security holes.  to the extent that
holes exist in applications (and of course they do) that are worked
around by firewalls, it becomes necessary to apply the same filters
for IPv6 that exist for IPv4.  but the holes existed already.  

> Further, NAT boxes are very friendly to meter-type devices. 

false.  many such devices need to be accessible from outside the NAT.
furthermore, meter-type devices are only one kind of application that 
would benefit from global addressability.

> They can receive their IPv4 address via DHCP (eliminating the need
> to administer addresses) 

DHCP is orthogonal to NAT.  You can have DHCP (for better or worse)
without NAT.  

> and then they can contact the collection server. The upper-layer 
> protocols will identify the meter, which they would have done for 
> authentication reasons anyway.

true, but it's irrelevant to your argument - unless you were somehow
presuming that the address would have been used for authentication.

> There are also a large number of solutions using L2 tunneling.

not if you want them to work in arbitrary remote environments.
 
> My point remains, a globally meaningful address is something that
> should only be applied when it is useful for that endpoint to
> be globally addressable.

you haven't said anything to support such an outrageous assertion.

Keith

p.s. of course there are some vulnerabilities that are introduced
whenever you make a network accessible - these include the ability
to exploit security holes on hosts, the ability to scan for potential
targets, and the ability to attack the network itself.  but to the
extent that you can use firewalls to thwart such attacks, you can
do so without NAT.  about the only thing that NAT does for you is to
hide an "inside" client host's source address as seen from the 
outside. so you could say it provides a measure of privacy.
but it does this in a very inflexible way - it constrains all 
applications (regardless of their needs) on all hosts behind the NAT.
and once you install a NAT, it's very difficult to fix the problems
that the NATs caused.
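An illustration of the filtering approach the reply above describes: a meter-collection service reachable only from one known reader subnet, with an ingress anti-spoofing check so that a packet carrying that subnet's source address really did arrive from where that subnet is routed, and the identical rule applied to IPv6 as to IPv4 without any NAT. This is an added nftables ruleset, not part of the thread or of any product mentioned in it; the service port 8443, the table and set names, and the reader prefixes (which are the RFC 5737 / RFC 3849 documentation ranges) are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset (not from the thread). One "inet" table carries
# both address families, so the IPv4 and IPv6 policy cannot drift apart.
flush ruleset

table inet meters {
    # Assumed reader subnets: only these hosts may poll the meters.
    set meter_readers_v4 { type ipv4_addr; flags interval; elements = { 192.0.2.0/24 } }
    set meter_readers_v6 { type ipv6_addr; flags interval; elements = { 2001:db8:10::/48 } }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # Reverse-path check: drop packets whose source address is not
        # routed back out through the interface they arrived on. Without
        # this, a source-subnet rule is only as strong as the spoofing
        # resistance of the networks in front of it.
        fib saddr . iif oif missing drop

        # ICMP/ICMPv6 are needed for path MTU discovery and, on IPv6,
        # for neighbour discovery; dropping them breaks connectivity.
        meta l4proto { icmp, ipv6-icmp } accept

        # Same service, same policy, both families (assumed port 8443).
        tcp dport 8443 ip saddr @meter_readers_v4 accept
        tcp dport 8443 ip6 saddr @meter_readers_v6 accept
    }
}
```

Load it with `nft -f <file>` and inspect the result with `nft list ruleset`. The subnet restriction here is exactly the "exception, not a general rule" case from the reply: it only holds because the reverse-path rule enforces that traffic bearing the reader subnet's address arrived on the interface that subnet is routed through, and it does nothing for the application-level authentication the meters still need.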
