Re:Why?

Hi Keith,

Then you may be interested in this effort:
draft-vives-v6ops-ipv6-security-ps-03.txt
draft-palet-v6ops-ipv6security-02.txt

Regards,
Jordi




> From: Keith Moore <moore@xxxxxxxxxx>
> Reply-To: <ietf-bounces@xxxxxxxx>
> Date: Tue, 15 Mar 2005 10:51:13 -0500
> To: Brian E Carpenter <brc@xxxxxxxxxxxxxx>
> CC: "ietf@xxxxxxxx" <ietf@xxxxxxxx>, Jonathan Rosenberg <jdrosen@xxxxxxxxx>
> Subject: Re: Why?
> 
>>> Another concern I have is that, in an IPv6-only world, even if you
>>> eliminate NAT, there will still be firewalls, and those firewalls
>>> will frequently have the property that they block traffic coming from
>>> the outside to a particular IP/port on the inside unless an outbound
>>> packet has been generated from the inside from that IP/port. This
>>> means that IP addresses are not globally reachable. You'd still need
>>> most of the same solutions we have on the table today to deal with
>>> this problem. Indeed, in the VoIP space, I believe you'd need pretty
>>> much everything, excepting you'd be able to remove a single attribute
>>> from a few of the protocols (STUN and TURN in particular), which tell
>>> the endpoint its address on the other side of the NAT. The endpoint
>>> knows its address, but all of the protocol machinery is still needed
>>> to rendezvous with the other participant in the call.
>> 
>> I think this is why we chartered MIDCOM in the first place.
> 
> MIDCOM has always seemed like the wrong direction to me.  We don't need
> a way for apps to open up holes in firewalls, because that makes
> firewalls useless for dealing with rogue apps.  And while there is
> still some utility to be gained from perimeter defenses, the notion of
> firewalls as a primary defense against attack is anachronistic at best
> (and that's being kind).
> 
> What we need is an architecture for multilayered defense that allows
> centralized policy specification (which is merged with host policy) and
> which is application-aware.
> 
> 
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> https://www1.ietf.org/mailman/listinfo/ietf
