On Fri, 1 Jul 2005, Mohacsi Janos wrote:

> On Fri, 1 Jul 2005, Christopher L. Morrow wrote:
> >
> > On Fri, 1 Jul 2005, Mohacsi Janos wrote:
> >>
> >> On Fri, 1 Jul 2005, Christopher L. Morrow wrote:
> >>
> >>> On Fri, 1 Jul 2005, Mohacsi Janos wrote:
> >>>>>
> >>>>> This keeps coming up in each discussion about v6, 'what security
> >>>>> measures' is never really defined in any real sense. As near as I can
> >>>>> tell its level of 'security' is no better (and probably worse at the
> >>>>> outset, for the implementations not the protocol itself) than v4. I
> >>>>> could be wrong, but I'm just not seeing any 'inherent security' in v6,
> >>>>> and selling it that way is just a bad plan.
> >>>>>
> >>>>
> >>>> Just name a few:
> >>>> - Possibility to end-to-end IPSec.
> >>>
> >>> exists in v4
> >>
> >> Not exactly. Try to set up IPSec nodes behind NAT boxes. IPSec is speaking
> >> about possibility of e2e security.
> >
> > this changes how in v6+nat?
> >
>
> There is no need for NAT in IPv6. Use instead NAP (i.e. Network
> Architecture Protection).

you are ignoring the reality... people WILL want v6 and nat :( it might be
ugly and distasteful, but the fact remains that people will want and will
require nat.

> >>>> - Privacy enhanced addresses - not tracking usage based on addresses
> >>>
> >>> dhcp can do this for you (v4 has mechanisms for this)
> >>
> >> DHCP does not provide privacy, just address management. Can you
> >> communicate on IPv4 the following way?: - different service - different
> >> source IP address?
> >>
> >
> > yes. look at bitchx, or ssh ... corner cases to be sure, but still
> > feasible. (or simple example: vhosted webserver) As to dhcp, it can
> > provide the address privacy you seek, just use very short leases. (yes,
> > it's messy, but it'd work mostly)
>
> Are you speaking about the following? :
> When I am talking to x service my source address is a1. x sees me as a1.
> At the same time when I am talking to y service my source address is a2. y
> sees me as a2.

I am speaking of that yes. with the 2 applications I named above (bitchx
and ssh) you can indeed appear to be 2 different ip addresses to 2
different services/destinations...

> > Can I have more than 1 address with DHCP at the same time?
>

I believe you could do multiple dhcp addresses for multiple interfaces on
one box. at least with a modernish unix that seems quite feasible.

> >>
> >> Have you tried to find out in an IPv4 NAT environment where the
> >> virus/worm flood is coming from? - In most situations it is coming from
> >> the NAT box -
> >
> > actually that's kind of my daily job... it seems to work fine for me so
> > far.
>
> Because you have all the tools and knowledge. But most of the
> users/admins do not have these.

perhaps... but tcpdump/snort/<pc-sniffer-of-choice> will make that problem
easy for them as well.

> >
> >
> >> not because the NAT box was infected, but because nodes behind NAT were
> >> infected. In most of the cases admins of the networks behind NAT boxes
> >> are not knowledgeable enough about where to look in these cases. So IPv6
> >> can improve e2e accountability that is part of the security.
> >>
> >
> > because it removes the 'requirement' for NAT? or in some other magical
> > way? If you look/listen to the users of NAT, a large proportion of them
> > will continue to use NAT in v6 (or have stated they will)... I'm not sure
> > your above argument is as valid as you'd like it to be :(
>
> Probably they will use NAT for IPv4, because they don't have other option,
> but they will use IPv6 with proper stateful firewall. Argument that NAT is
> providing security is not valid....
>

the argument is that NAT is required because people want it, regardless of
your engineering argument about how ugly nat and v6 is/will-be :(
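As an added example (not code from anyone in this thread), here is the temporary-identifier generator from the IPv6 privacy extensions (RFC 3041, revised as RFC 4941) that the "privacy enhanced addresses" above refer to, shown next to the stable EUI-64 identifier it replaces; the MAC, prefix and history seed are constructed sample values.

```python
import hashlib
import ipaddress
import os

def eui64_iid(mac: bytes) -> bytes:
    """Stable modified-EUI-64 interface identifier built from a 48-bit MAC.
    It embeds the MAC, so a remote service can correlate the host across
    every network it visits; that is the tracking problem discussed above."""
    assert len(mac) == 6
    iid = bytearray(mac[:3] + b"\xff\xfe" + mac[3:])
    iid[0] ^= 0x02                          # invert the universal/local bit
    return bytes(iid)

def is_reserved_iid(iid: bytes) -> bool:
    """Identifiers a host must not assign (RFC 5453 reserved set, abridged)."""
    v = int.from_bytes(iid, "big")
    return (v == 0                                             # subnet-router anycast
            or 0x02005EFFFE000000 <= v <= 0x02005EFFFEFFFFFF   # Ethernet/ISATAP block
            or 0xFDFFFFFFFFFFFF80 <= v <= 0xFDFFFFFFFFFFFFFF)  # subnet anycast block

def next_temporary_iid(history: bytes, stable_iid: bytes) -> tuple[bytes, bytes]:
    """One RFC 4941 round: MD5(history || stable_iid). The left 64 bits become
    the temporary identifier (u/l bit cleared); the right 64 bits become the
    next history value. Returns (temporary_iid, new_history)."""
    while True:
        digest = hashlib.md5(history + stable_iid).digest()
        iid = bytearray(digest[:8])
        iid[0] &= 0xFD                      # clear u/l bit: locally generated
        history = digest[8:]
        if not is_reserved_iid(iid):        # reserved hit: rerun with new history
            return bytes(iid), history

def temporary_addresses(prefix: str, mac: bytes, history: bytes, count: int) -> list[str]:
    """Successive temporary addresses a host would configure under a /64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    stable = eui64_iid(mac)
    out = []
    for _ in range(count):
        iid, history = next_temporary_iid(history, stable)
        out.append(str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))))
    return out

if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")     # constructed sample MAC
    net = ipaddress.IPv6Network("2001:db8::/64")
    stable_addr = ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(eui64_iid(mac), "big"))
    print("stable EUI-64 address:", stable_addr)
    for addr in temporary_addresses(str(net), mac, os.urandom(8), 3):  # RFC 4941 seeds history randomly
        print("temporary address    :", addr)
```

Nothing in the temporary addresses is derived from the MAC in a reversible way, which is why a service that logs source addresses cannot link them back to the stable EUI-64 address or to each other.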