EricLKlein wrote:
> This is not the first time that I have heard that someone was willing to
> skip IPv6 because of the perceived pain and security threat that
> standards compliance would entail. But then again these are all people
> that take security and network administration very personally and very
> seriously, and the idea of having the accounts receivable (or worse
> payable) computer with a globally reachable address scares them to heck.
> 
> To be honest I stated these concerns back in the spring, and I still
> haven't seen anything that would work to convince me that this is not
> what we as a WG are proposing. If someone converts their existing network
> to a globally unique address range then what is responsible for filtering
> all of the critical addresses from sending or receiving packets from the
> network over the network Internet router? I see this as being moved from
> the protocol level to that of the network technician, who now needs to
> explicitly deny individual addresses (or ranges) rather than explicitly
> allow the permitted ranges.

The problem with these people's arguments is that it's not the address range
that gives the security, it's the fact that you have an isolated network
connected to the global network via only a proxy (NAT) and firewall.

You can use any address range you like inside the NAT.  However, if you
don't use a 'private' range you're running two risks:

- masking a portion of the global internet
- leaking addresses that look real but are actually invalid rather than
obviously invalid ones.

The advantage of a local/private address range is that you can create one
for whatever local use you need without needing to obtain space through a
registration authority.  The advantage of 'approximately unique' local
addresses (in the style of the Hinden/Haberman draft) is that you get
addresses with all the benefits of private addresses AND they're not likely to
conflict if you merge.

Any 'security advantage' of local/private addresses is just that if they
leak they are LIKELY (no guarantee) to not work 'properly'.


*As I understand it*, the TRANSLATION function of the NAT doesn't gain you
any real security benefits, except for scrambling your traffic (whether this
is a benefit is up for debate).  However, the many->one nature of most
deployed NATs acts as a stateful firewall.  You get almost all the security
benefits (without the scrambling) by putting a stateful firewall in place
with a very simple rule - if I didn't send something out, don't let anything
back. If you really want isolation, add a proxy of your choice.

And if your firewall isn't passing traffic, it doesn't matter what address
range is on the inside.

-- 
Andrew White
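The "if I didn't send something out, don't let anything back" rule from the reply above, as an added illustration that is not code from the original thread: a minimal connection-tracking filter run over a constructed packet trace, once with a ULA inside prefix and once with a global one, to show that the verdicts depend only on flow state and not on the address range. All addresses are constructed from the ULA (fd00::/8) and documentation (2001:db8::/32) prefixes, and flow entries never expire (a simplification).

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFilter:
    """Stateful filter without any translation: an outbound packet creates
    flow state; an inbound packet is accepted only if it is the reverse of
    a flow an inside host initiated. Flow state is keyed on the 5-tuple."""

    def __init__(self, inside_net: str):
        self.inside = ipaddress.ip_network(inside_net)
        self.flows = set()  # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def _is_inside(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.inside

    def process(self, pkt: Packet) -> str:
        if self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
            # "I sent something out": remember the flow so replies get back in
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if not self._is_inside(pkt.src) and self._is_inside(pkt.dst):
            # inbound: only the reverse of a known outbound flow is allowed
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "ACCEPT" if key in self.flows else "DROP"
        return "DROP"  # not crossing the inside/outside boundary


def run_trace(inside_net: str, host: str) -> list:
    """Constructed trace: one legitimate connection, then two unsolicited inbound packets."""
    fw = StatefulFilter(inside_net)
    trace = [
        Packet(host, 40001, "2001:db8:ffff::53", 443),   # inside host opens a connection
        Packet("2001:db8:ffff::53", 443, host, 40001),   # the reply to it
        Packet("2001:db8:ffff::9", 4444, host, 22),      # unsolicited inbound to SSH
        Packet("2001:db8:ffff::53", 443, host, 40002),   # same peer, but a port never used
    ]
    return [fw.process(p) for p in trace]
```

Running `run_trace` with a ULA inside prefix and again with a global one returns the same verdict list, which is the point made above: with the firewall in place, the inside range does not change what gets through.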

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[EMAIL PROTECTED]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------