Re: Domain Centric Administration, RE: draft-ietf-v6ops-natpt-to-historic-00.txt
2007-07-03 12:14:06
On Jul 2, 2007, at 11:06 AM, John C Klensin wrote:

> Of course, almost none of the issues above are likely to go away,
> or even get better, with IPv6... unless we make some improvements
> elsewhere. And none of them make NAT a good idea, just a
> "solution" that won't easily go away unless we have plausible
> alternatives for _all_ of its purported advantages, not just the
> address space one.

The initial use of IPv6 in North America will likely involve
Teredo-enabled NATs and Teredo servers. It does not seem NATs will go away
anytime soon, especially those adding Teredo compliance to ensure
multi-player games function without router configuration.

Unfortunately many exploits now bypass protections once afforded by
NATs or peripheral firewalls. Browsers are always in transition and
can be exploited with their many hooks into OS services and
applications. It seems security is sacrificed to enable some new
proprietary interface. This is an area where standardization has
seemingly failed.

Browser exploits have become so pervasive as to require our company
to extensively retool behavior evaluations. For example, SMTP
reputations are being converted to a progressive scale to adjust for
the growing prevalence of 0wned systems. It seems much of the
malware activity is just harder to detect.

It gets worse. NATs are not a complete solution, and represent a new
challenge. PNRP clouds combined with new complex routing paths
represent a risk that will be even harder to evaluate and to enforce
policies in a scalable fashion.

In the early days of the Internet, the level of commerce and related
crime was far lower than it is today. People are now filing their
Federal taxes on-line. What the Internet is being used for has
changed significantly. When defending against criminal exploits,
there is less doubt about risks. The hazards are very apparent,
although they might be harder to detect.

The security section for the "next great idea" should carefully
review and strategize how the world is to handle resulting abuse.
That section is unfortunately significantly growing in importance
every day. What seemed like a good idea can easily become a nightmare.

-Doug
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf