ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: IPv6 NAT?

2008-02-15 09:18:47
from [Hallam-Baker, Phillip] [Permanent Link] 
You know of an O/S that is not vulnerable to malware attacks? Please let me 
know the name, I haven't encountered one professionally since I was using 
OpenGenera in '95 and that was only secure because we had a more or less 
complete list with the names of every person who had ever successfully managed 
to learn the beast.
 
 
There is a way we could change security audit requirements, but it would 
involve rather more flexibility in approach than the IETF has been willing to 
accept. We would have to talk to the auditors and provide them with alternative 
means of achieving the ends that they consider important, not try to argue with 
the importance of those ends.

________________________________

From: ietf-bounces(_at_)ietf(_dot_)org on behalf of Spencer Dawkins
Sent: Fri 15/02/2008 10:55 AM
To: Iljitsch van Beijnum; michael(_dot_)dillon(_at_)bt(_dot_)com
Cc: ietf(_at_)ietf(_dot_)org
Subject: Re: IPv6 NAT?



Well, accepting incoming IPv6 connections(!) through NATs would turn the
incoming-connection question from a technical issue into a
firewall-policy-only issue...

I'm with Dan that I don't see NATs disappearing in IPv6 - I remember in the
early days of the NAT working group (back when we thought our opinion about
NATs mattered) that someone got up and said their company had been audited,
and the auditors asked where the NATs were - apparently, this was (at that
time, at least) on audit checklists, and you got dinged if you weren't using
NATs, even if you were using firewalls (and even if you were using host OSes
that didn't roll over every time there was a virus outbreak, but I digress).

I'd love for that to change, but whether people agree about desirability or
not, we can all agree that it would be a change, I think.

Spencer

From: "Iljitsch van Beijnum" <iljitsch(_at_)muada(_dot_)com>



On 15 feb 2008, at 16:09, <michael(_dot_)dillon(_at_)bt(_dot_)com> wrote:


Vendors need to agree on the timeout for mappings and on the
method for substituting prefixes. Even if ignoring port translation
seems obvious, a vendor who is adapting/upgrading old code might
include this in the absence of a standard.


With 1-to-1 address translation without the port overloading the
mappings can be static so there is no need for timeouts. And incoming
connections can be translated just as easily as outgoing connections.

One wonders whether the pro-NAT crowd would actually like something as
open as that. Then again, emulating IPv4 NAT behavior just because
it's the devil we know even though it would require a significant
effort to create IPv6 versions of ALGs and then it would still get in
the way of legitimate applications a whole lot isn't all that
attractive, either.



_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
http://www.ietf.org/mailman/listinfo/ietf



_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
http://www.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Do you want the protocol DEPLOYED or not? Re: I-DAction:draft-rosenberg-internet-waist-hourglass-00.txt], Hallam-Baker, Phillip
Next by Date:  RE: IPv6 NAT?, Christian Huitema
Previous by Thread:  Re: IPv6 NAT?, Spencer Dawkins
Next by Thread:  RE: IPv6 NAT?, Christian Huitema
Indexes:  [Date] [Thread] [Top] [All Lists]