RE: Domain Centric Administration
2007-07-03 12:55:56
Doug,
You are entirely right about the internet crime issues. In my book (to be
published in the Fall, Addison Wesley) I mention default deny and domain
centric of course but they are not what I would regard as my first line of
defense.
The problem we always get to with Internet crime is the 'The problem is X/ no
it's Y/ no it's Z' debate. The problem is X, Y and Z and A through W as well. The
idea of the book is to set out a straw man for a comprehensive solution so that
instead of having that debate people can instead say 'your solution to X sucks,
here is a better one', and I can reply 'thanks, now I can write the second
edition'.
The point here is that I want to help people deploy IPv6 even though it is not
the very top of my list of priorities and I am not a network routing person
(I have not done work on that layer since my undergraduate thesis and proofs of
deadlock freedom for routing protocols).
What I have learned from deploying security is that even though people say that
security is their #1 concern, they lie. Their #1 concern is always going to be
something else. But security will always top every poll of top 5 priorities
because it is everyone's #2 or #3 issue.
We are dealing with very fine tipping points here. 95% right means zero
deployment, get it to 96% and suddenly it takes over the world in 18 months.
The gap between the Web and gopher or HyperG is very very small. HyperG was in
many ways technically superior, certainly the application software was better
right up to 1995/6 or so.
-----Original Message-----
From: Douglas Otis [mailto:dotis(_at_)mail-abuse(_dot_)org]
Sent: Tuesday, July 03, 2007 3:13 PM
To: John C Klensin
Cc: ietf(_at_)ietf(_dot_)org; Jeffrey Hutzelman
Subject: Re: Domain Centric Administration,RE:
draft-ietf-v6ops-natpt-to-historic-00.txt
On Jul 2, 2007, at 11:06 AM, John C Klensin wrote:
Of course, almost none of the issues above are likely to go away, or
even get better, with IPv6... unless we make some improvements
elsewhere. And none of them make NAT a good idea, just a
"solution" that won't easily go away unless we have plausible
alternatives for _all_ of its purported advantages, not just the
address space one.
The initial use of IPv6 in North America will likely involve
Teredo enabled NATs and Teredo servers. It does not seem
NATs will go away anytime soon, especially those adding
Teredo compliance to ensure multi-player games function
without router configuration.
Unfortunately many exploits now bypass protections once
afforded by NATs or peripheral firewalls. Browsers are
always in transition and can be exploited with their many
hooks into OS services and applications. It seems security
is sacrificed to enable some new proprietary interface. This
is an area where standardization has seemingly failed.
Browser exploits have become so pervasive as to require our
company to extensively retool behavior evaluations. For
example, SMTP reputations are being converted to a
progressive scale to adjust for the growing prevalence of
0wned systems. It seems much of the malware activity is just
harder to detect.
It gets worse. NATs are not a complete solution, and
represent a new challenge. PNRP clouds combined with new
complex routing paths represent a risk that will be even
harder to evaluate and to enforce policies in a scalable fashion.
In the early days of the Internet, the level of commerce and
related crime was far lower than it is today. People are now
filing their Federal taxes on-line. What the Internet is
being used for has changed significantly. When defending
against criminal exploits, there is less doubt about risks.
The hazards are very apparent, although they might be harder
to detect.
The security section for the "next great idea" should carefully
review and strategize how the world is to handle resulting abuse.
That section is unfortunately significantly growing in
importance every day. What seemed like a good idea, can
easily become a nightmare.
-Doug
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf