
Re: Why?

2005-03-15 09:59:50
Hi Keith,

Then you may be interested in this effort:
draft-vives-v6ops-ipv6-security-ps-03.txt
draft-palet-v6ops-ipv6security-02.txt

Regards,
Jordi




From: Keith Moore <moore(_at_)cs(_dot_)utk(_dot_)edu>
Reply-To: <ietf-bounces(_at_)ietf(_dot_)org>
Date: Tue, 15 Mar 2005 10:51:13 -0500
To: Brian E Carpenter <brc(_at_)zurich(_dot_)ibm(_dot_)com>
CC: "ietf(_at_)ietf(_dot_)org" <ietf(_at_)ietf(_dot_)org>, Jonathan Rosenberg 
<jdrosen(_at_)cisco(_dot_)com>
Subject: Re: Why?

Another concern I have is that, in an IPv6-only world, even if you
eliminate NAT, there will still be firewalls, and those firewalls
will frequently have the property that they block traffic coming from
the outside to a particular IP/port on the inside unless an outbound
packet has been generated from the inside from that IP/port. This
means that IP addresses are not globally reachable. You'd still need
most of the same solutions we have on the table today to deal with
this problem. Indeed, in the VoIP space, I believe you'd need pretty
much everything, excepting you'd be able to remove a single attribute
from a few of the protocols (STUN and TURN in particular), which tell
the endpoint its address on the other side of the NAT. The endpoint
knows its address, but all of the protocol machinery is still needed
to rendezvous with the other participant in the call.

I think this is why we chartered MIDCOM in the first place.

MIDCOM has always seemed like the wrong direction to me.  We don't need
a way for apps to open up holes in firewalls, because that makes
firewalls useless for dealing with rogue apps.  And while there is
still some utility to be gained from perimeter defenses, the notion of
firewalls as a primary defense against attack is anachronistic at best
(and that's being kind).

What we need is an architecture for multilayered defense that allows
centralized policy specification (which is merged with host policy) and
which is application-aware.


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
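Added example (not from the thread or from any of the authors quoted above): a small Python model of the firewall behaviour Jonathan describes, an outbound-only stateful filter with no address translation. It shows a cold inbound call being dropped even though the callee's address is global, the two-sided rendezvous that still gets a call through, and, as a side effect that Keith's objection touches on, how a single outbound datagram from any inside process opens that process's port to the outside when the filter is not peer-restricted. Addresses use the 2001:db8::/32 documentation prefix and are constructed; the `restrict_peer` flag and the signalling path that tells each side to send are assumptions of the model, not anything the messages specify.

```python
"""Model of an outbound-only stateful firewall with no NAT.

Added example, not code from the thread.  Inside hosts keep their global
IPv6 addresses; reachability is nevertheless gated on outbound state.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> Packet:
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class StatefulFirewall:
    """Admit inbound traffic to an inside (ip, port) only after that
    (ip, port) has sent something out.

    restrict_peer=False: once the pinhole exists, any outside source may
    use it (the behaviour described in the thread).
    restrict_peer=True (assumed stricter variant): the outside source must
    be a peer the inside host actually sent to.
    """

    def __init__(self, inside: set[str], restrict_peer: bool = False):
        self.inside = inside
        self.restrict_peer = restrict_peer
        # (inside_ip, inside_port) -> set of (outside_ip, outside_port)
        self.pinholes: dict[tuple[str, int], set[tuple[str, int]]] = {}

    def outbound(self, pkt: Packet) -> bool:
        """Inside -> outside: always passes and records a pinhole."""
        if pkt.src_ip not in self.inside:
            return False
        key = (pkt.src_ip, pkt.src_port)
        self.pinholes.setdefault(key, set()).add((pkt.dst_ip, pkt.dst_port))
        return True

    def inbound(self, pkt: Packet) -> bool:
        """Outside -> inside: passes only through an existing pinhole."""
        if pkt.dst_ip not in self.inside:
            return False
        peers = self.pinholes.get((pkt.dst_ip, pkt.dst_port))
        if peers is None:
            return False  # no outbound state for this ip/port: dropped
        if self.restrict_peer:
            return (pkt.src_ip, pkt.src_port) in peers
        return True


def deliver(pkt: Packet, sender_fw: StatefulFirewall,
            receiver_fw: StatefulFirewall) -> bool:
    """A packet crosses the sender's firewall out, then the receiver's in."""
    return sender_fw.outbound(pkt) and receiver_fw.inbound(pkt)


# Constructed addresses from the documentation prefix (RFC 3849).
ALICE = ("2001:db8:a::1", 5004)
BOB = ("2001:db8:b::1", 5004)
ROGUE = ("2001:db8:a::1", 31337)       # another process on Alice's host
ATTACKER = ("2001:db8:bad::1", 40000)  # unrelated outside host


def cold_inbound(restrict_peer: bool = False) -> bool:
    """Bob knows Alice's global address and just calls her. She has sent
    nothing, so her firewall holds no state and the packet is dropped."""
    fw_a = StatefulFirewall({ALICE[0]}, restrict_peer)
    fw_b = StatefulFirewall({BOB[0]}, restrict_peer)
    return deliver(Packet(*BOB, *ALICE), fw_b, fw_a)


def rendezvous(restrict_peer: bool = False) -> list[bool]:
    """Both sides learn each other's address through an assumed
    out-of-band signalling path and each sends first.  Returns the fate
    of the three packets: Alice's opener, Bob's opener, Alice's retry."""
    fw_a = StatefulFirewall({ALICE[0]}, restrict_peer)
    fw_b = StatefulFirewall({BOB[0]}, restrict_peer)
    a_to_b = Packet(*ALICE, *BOB)
    b_to_a = a_to_b.reverse()
    first = deliver(a_to_b, fw_a, fw_b)   # opens fw_a, dropped by fw_b
    second = deliver(b_to_a, fw_b, fw_a)  # opens fw_b, admitted by fw_a
    third = deliver(a_to_b, fw_a, fw_b)   # now admitted by fw_b
    return [first, second, third]


def rogue_exposure(restrict_peer: bool) -> bool:
    """A rogue inside process sends one datagram to an arbitrary outside
    host; can an unrelated attacker then reach its port?"""
    fw_a = StatefulFirewall({ALICE[0]}, restrict_peer)
    fw_a.outbound(Packet(*ROGUE, "2001:db8:ffff::53", 53))
    return fw_a.inbound(Packet(*ATTACKER, *ROGUE))


if __name__ == "__main__":
    print("cold inbound call admitted:", cold_inbound())
    print("rendezvous packet fates:", rendezvous())
    print("rogue port reachable, unrestricted:", rogue_exposure(False))
    print("rogue port reachable, peer-restricted:", rogue_exposure(True))
```

The rendezvous list reads [False, True, True] in both modes: the first opener always dies at the far firewall, which is exactly why the endpoint knowing its own global address removes nothing but the address-discovery attribute; some signalling still has to coax the callee into sending first.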
