On Sat, Aug 28, 2010 at 11:51 PM, Fernando Gont
Florian Weimer wrote:
Lack of NAT
I am told that NAT for v6 is (ironically) among the most "asked for"
Nevertheless, it wouldn't be a surprise to me if stateful v6 firewalls
took NAT's place, such that "only return traffic is allowed".
That is one security use made of NAT, but reducing the amount of
information leaked about the internal configuration of the network is
I don't have to make my network 100% secure to be secure, all I need
to do to reduce my number of attacks is to make my network a bit
harder and a bit more expensive to attack than your network.
and an expectation of end-to-end reachability seem quite
fundamentally different from IPv4 as it is deployed today.
As ironic as it may sound, some people are actually *concerned* about
this. (no, not *me*)
It is hardly ironic. Pretty much all functionality can be employed by
the bad guys as well as the good ones. So increasing the benefit to
the good guys will inevitably increase the functionality for the bad
That is why security-conscious people think twice before adding
functionality that they do not intend to use. And very security-
conscious people run default-deny networks where 'nothing should
happen without a reason (SM)'.
Looking at this thread, we have two ex-chairs who are not security
specialists attacking a security specialist as 'ill-informed' when in
fact they are merely repeating an ideological view of security that
has negligible support outside the IETF. That is a really bad way to
There is more to security than throwing cryptography at packets.
Ietf mailing list