Phillip Hallam-Baker wrote:
Nevertheless, it wouldn't be a surprise to me that stateful v6 firewalls
take NAT's place, such that "only return traffic is allowed".
That is one security use made of NAT, but reducing the amount of
information leaked about the internal configuration of the network is
I don't have to make my network 100% secure to be secure, all I need
to do to reduce my number of attacks is to make my network a bit
harder and a bit more expensive to attack than your network.
Agreed. I just meant that even without v6 NATs, it shouldn't come as a
surprise if end-to-end connectivity is *not* restored by IPv6.
and an expectation of end-to-end reachability seem quite
fundamentally different from IPv4 as it is deployed to day.
As ironic as it may sound, some people are actually *concerned* about
this. (no, not *me*)
It is hardly ironic. Pretty much all functionality can be employed by
the bad guys as well as the good ones. So increasing the benefit to
the good guys will inevitably increase the functionality for the bad
Please let me re-phrase "It's ironic that what's supposed to be one of
the motivations for IPv6 is something that actually concerns many
people". (i.e., some see this as a "selling point", but for quite a few
of those that are expected to be "buyers" this is actually a concern).
-- Me, I wouldn't have my own systems reachable end-to-end unless
there's good reason for doing that.
Looking at this thread,we have two ex-chairs who are not security
specialists attacking a security specialist as 'ill-informed' when in
fact they are merely repeating an ideological view of security that
has negligible support outside the IETF. That is a really bad way to
There is more to security than throwing cryptography at packets.
Agreed. The work that we have done at CPNI on TCP & IP is probably along
those lines (i.e., more than throwing crypto) -- see
e-mail: fernando(_at_)gont(_dot_)com(_dot_)ar || fgont(_at_)acm(_dot_)org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
Ietf mailing list