From: Brian E Carpenter [mailto:brc(_at_)zurich(_dot_)ibm(_dot_)com]
This is of course one of the major motivations for
draft-ietf-v6ops-nap-06.txt, which is now in the RFC Editor's
queue. While it doesn't tell SOHO gateway vendors exactly
what to do, it does I think make it clear that there is a
secure mass market IPv6 way forward that has no need for NAT.
This is exactly the type of implicit statement that I was concerned about.
I am a practical person. I have two major goals and one secondary goal in the
area of network protocols. My primary goal is to change the Internet
infrastructure to make it a less favorable environment for Internet crime. My
other principal goal is to make networks more robust and easier to use. The
amount of network administration knowledge required today is absolutely
ridiculous. I want to end my role in the 'friends and family' network
administration plan.
The impending IPv4 address crunch is a secondary issue for me personally. It is
an issue I want to see solved. It is not an issue I can take the lead on
addressing personally.
Finding the right technology is one part of the problem. I have come to view it
as the easy part. The much harder part is to persuade people to change what
they are doing here.
There are necessary and unnecessary battles here. The IETF at large has for
many years fought a running battle attempting to educate security practitioners
so that they understand that the concept of firewalls and perimeter security is
entirely worthless and in fact harmful.
Regardless of whether or not this is true, the fact is that Cisco, Checkpoint,
3Com, Microsoft, Sun and every other vendor that is prominent in either the
security world or, for that matter, the IETF sells security products that are
based on this basic principle.
The perimeter security model is of course visibly starting to reach a limit.
But the solution that the market is looking at is not a return to the purity of
the end to end security model but the precise opposite with ubiquitous policy
enforcement throughout the network. This is a species of defense in depth.
Whether or not it would be possible for the world to adopt a network
architecture that does not employ NAT in IPv6 is at best merely an interesting
academic question.
If you have been following the debate on Deperimeterization you will know that
the Jericho forum was founded with the explicit intention of causing the
vendors to start producing interoperable networking infrastructure to support a
defense in depth strategy where ubiquitous policy enforcement plays a key part.
The limitations set by NAT in such a network are irrelevant. No host is able
to offer any form of service in such a network, whether internal or external,
without explicit authorization to do so. The packets are simply not routed on
the internal network. The governing principle becomes Default-Deny. The fixup
required to make NAT work is neither complex nor onerous.
There is an important and critical difference between a network and an
inter-network. The security solutions which are appropriate in each case bear
very little relation to each other.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf