
Re: Is this true?

2010-08-29 02:22:55
Phillip Hallam-Baker wrote:

>> Nevertheless, it wouldn't be a surprise to me that stateful v6 firewalls
>> take NAT's place, such that "only return traffic is allowed".
>
> That is one security use made of NAT, but reducing the amount of
> information leaked about the internal configuration of the network is
> another.
>
> I don't have to make my network 100% secure to be secure, all I need
> to do to reduce my number of attacks is to make my network a bit
> harder and a bit more expensive to attack than your network.

Agreed. I just meant that even without v6 NATs, it shouldn't come as a
surprise if end-to-end connectivity is *not* restored by IPv6.



>>> and an expectation of end-to-end reachability seem quite
>>> fundamentally different from IPv4 as it is deployed today.
>> As ironic as it may sound, some people are actually *concerned* about
>> this. (no, not *me*)
>
> It is hardly ironic. Pretty much all functionality can be employed by
> the bad guys as well as the good ones. So increasing the benefit to
> the good guys will inevitably increase the functionality for the bad
> ones.

Please let me re-phrase "It's ironic that what's supposed to be one of
the motivations for IPv6 is something that actually concerns many
people". (i.e., some see this as a "selling point", but for quite a few
of those that are expected to be "buyers" this is actually a concern).

-- Me, I wouldn't have my own systems reachable end-to-end unless
there's good reason for doing that.


> Looking at this thread, we have two ex-chairs who are not security
> specialists attacking a security specialist as 'ill-informed' when in
> fact they are merely repeating an ideological view of security that
> has negligible support outside the IETF. That is a really bad way to
> approach security.
>
> There is more to security than throwing cryptography at packets.

Agreed. The work that we have done at CPNI on TCP & IP is probably along
those lines (i.e., more than throwing crypto) -- see
http://www.gont.com.ar/papers

Thanks!

Kind regards,
-- 
Fernando Gont
e-mail: fernando(_at_)gont(_dot_)com(_dot_)ar || fgont(_at_)acm(_dot_)org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
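The "only return traffic is allowed" behaviour discussed above, as an added illustration that is not part of the thread or of any of the posters' material: a toy stateful IPv6 filter that creates state for flows initiated from the inside prefix and admits outside-to-inside packets only when they match the reverse 5-tuple of a live flow. Unlike NAT it never rewrites addresses, which is the point that the end-to-end addressing survives while unsolicited reachability does not. All names (`StatefulFilter`, `run_trace`) and the addresses in the trace are constructed for the example; the `2001:db8::/32` prefix is the RFC 3849 documentation range.

```python
"""Toy stateful IPv6 packet filter (added example, not from the thread).

Policy: inside -> outside packets are accepted and create flow state;
outside -> inside packets are accepted only as return traffic for an
existing flow; everything else is dropped. No address rewriting occurs.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# 5-tuple (src, dst, sport, dport, proto) in the direction the flow was opened.
Flow = Tuple[str, str, int, int, str]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    ts: float  # arrival time in seconds on a constructed clock


class StatefulFilter:
    def __init__(self, inside_prefix: str, timeout: float = 60.0) -> None:
        self.inside = ipaddress.ip_network(inside_prefix)
        self.timeout = timeout
        self.state: Dict[Flow, float] = {}  # forward 5-tuple -> last seen

    def _is_inside(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.inside

    def _expire(self, now: float) -> None:
        # Idle flows age out so a stale entry cannot be reused indefinitely.
        stale = [f for f, last in self.state.items() if now - last > self.timeout]
        for f in stale:
            del self.state[f]

    def process(self, pkt: Packet) -> str:
        self._expire(pkt.ts)
        fwd: Flow = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        rev: Flow = (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)
        if self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
            self.state[fwd] = pkt.ts          # outbound: open (or refresh) state
            return "ACCEPT new"
        if rev in self.state:
            self.state[rev] = pkt.ts          # inbound matching a live flow
            return "ACCEPT established"
        return "DROP unsolicited"             # inbound with no matching flow


# Constructed trace: one inside host, one external web server, one scanner.
INSIDE = "2001:db8:1::/64"
HOST = "2001:db8:1::10"
WEB = "2001:db8:ff::80"
SCANNER = "2001:db8:bad::1"


def run_trace() -> List[str]:
    fw = StatefulFilter(INSIDE, timeout=60.0)
    trace = [
        Packet(HOST, WEB, 51000, 443, "tcp", 0.0),     # outbound SYN
        Packet(WEB, HOST, 443, 51000, "tcp", 0.1),     # matching reply
        Packet(SCANNER, HOST, 40000, 22, "tcp", 1.0),  # unsolicited inbound
        Packet(WEB, HOST, 443, 51001, "tcp", 1.5),     # right peer, wrong port
        Packet(WEB, HOST, 443, 51000, "tcp", 120.0),   # reply after idle timeout
    ]
    return [fw.process(p) for p in trace]


if __name__ == "__main__":
    for verdict in run_trace():
        print(verdict)
```

The fourth packet shows why state is keyed on the full 5-tuple rather than on the peer address: a packet from a known peer to the wrong port is still unsolicited. The fifth shows the idle timeout, which is also what breaks long-lived inbound sessions behind such a filter unless keepalives refresh the entry.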
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
