ietf

Re: Is this true?

2010-08-30 10:26:37
On Sat, Aug 28, 2010 at 11:51 PM, Fernando Gont <fernando(_at_)gont(_dot_)com(_dot_)ar> wrote:
> Florian Weimer wrote:
>
>> Lack of NAT
>
> I am told that NAT for v6 is (ironically) among the most "asked for"
> IPv6 features...
>
> Nevertheless, it wouldn't be a surprise to me that stateful v6 firewalls
> take NAT's place, such that "only return traffic is allowed".

That is one security use made of NAT, but reducing the amount of
information leaked about the internal configuration of the network is
another.

I don't have to make my network 100% secure to be secure, all I need
to do to reduce my number of attacks is to make my network a bit
harder and a bit more expensive to attack than your network.


>> and an expectation of end-to-end reachability seem quite
>> fundamentally different from IPv4 as it is deployed today.
>
> As ironic as it may sound, some people are actually *concerned* about
> this. (no, not *me*)

It is hardly ironic. Pretty much all functionality can be employed by
the bad guys as well as the good ones. So increasing the benefit to
the good guys will inevitably increase the functionality for the bad
ones.

That is why security conscious people think twice before adding
functionality that they do not intend to use. And very security
conscious people run default-deny networks where 'nothing should
happen without a reason (SM)'.


Looking at this thread, we have two ex-chairs who are not security
specialists attacking a security specialist as 'ill-informed' when in
fact they are merely repeating an ideological view of security that
has negligible support outside the IETF. That is a really bad way to
approach security.

There is more to security than throwing cryptography at packets.


-- 
Website: http://hallambaker.com/
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
