Hi Keith,

Then you may be interested in this effort:

draft-vives-v6ops-ipv6-security-ps-03.txt
draft-palet-v6ops-ipv6security-02.txt

Regards,
Jordi

> From: Keith Moore <moore@xxxxxxxxxx>
> Reply-To: <ietf-bounces@xxxxxxxx>
> Date: Tue, 15 Mar 2005 10:51:13 -0500
> To: Brian E Carpenter <brc@xxxxxxxxxxxxxx>
> CC: "ietf@xxxxxxxx" <ietf@xxxxxxxx>, Jonathan Rosenberg <jdrosen@xxxxxxxxx>
> Subject: Re: Why?
>
>>> Another concern I have is that, in an IPv6-only world, even if you
>>> eliminate NAT, there will still be firewalls, and those firewalls
>>> will frequently have the property that they block traffic coming from
>>> the outside to a particular IP/port on the inside unless an outbound
>>> packet has been generated from the inside from that IP/port. This
>>> means that IP addresses are not globally reachable. You'd still need
>>> most of the same solutions we have on the table today to deal with
>>> this problem. Indeed, in the VoIP space, I believe you'd need pretty
>>> much everything, excepting you'd be able to remove a single attribute
>>> from a few of the protocols (STUN and TURN in particular), which tell
>>> the endpoint its address on the other side of the NAT. The endpoint
>>> knows its address, but all of the protocol machinery is still needed
>>> to rendezvous with the other participant in the call.
>>
>> I think this is why we chartered MIDCOM in the first place.
>
> MIDCOM has always seemed like the wrong direction to me. We don't need
> a way for apps to open up holes in firewalls, because that makes
> firewalls useless for dealing with rogue apps. And while there is
> still some utility to be gained from perimeter defenses, the notion of
> firewalls as a primary defense against attack is anachronistic at best
> (and that's being kind).
>
> What we need is an architecture for multilayered defense that allows
> centralized policy specification (which is merged with host policy) and
> which is application-aware.
>
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> https://www1.ietf.org/mailman/listinfo/ietf
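The "outbound-first" stateful filtering behaviour described in the quoted message (inbound to an inside IP/port is blocked until that IP/port has sent something out), modelled as an added example that is not code from this thread or from either draft. The inside prefix 2001:db8:1::/48, the addresses and the trace are constructed; the `restrict_remote` variant goes one step beyond the quoted text by also binding the opening to the remote that was contacted.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: the "inside" is the 2001:db8:1::/48 documentation range (assumption).
INSIDE = ipaddress.ip_network("2001:db8:1::/48")

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"

def is_inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INSIDE

class OutboundFirstFirewall:
    """Inbound to an inside (ip, port) is forwarded only after it has sent a packet out."""

    def __init__(self, restrict_remote: bool = False):
        self.restrict_remote = restrict_remote  # also bind the opening to the remote contacted
        self.state = {}  # (inside_ip, inside_port, proto) -> {(remote_ip, remote_port)}

    def process(self, pkt: Packet) -> str:
        if is_inside(pkt.src_ip) and not is_inside(pkt.dst_ip):
            key = (pkt.src_ip, pkt.src_port, pkt.proto)
            self.state.setdefault(key, set()).add((pkt.dst_ip, pkt.dst_port))
            return "forward"
        if not is_inside(pkt.src_ip) and is_inside(pkt.dst_ip):
            remotes = self.state.get((pkt.dst_ip, pkt.dst_port, pkt.proto))
            if remotes is None:
                return "drop"  # no prior outbound: the inside endpoint is unreachable
            if self.restrict_remote and (pkt.src_ip, pkt.src_port) not in remotes:
                return "drop"
            return "forward"
        return "forward"  # traffic that does not cross the perimeter is not filtered here

def run_trace(restrict_remote: bool = False) -> list:
    """Constructed trace: outside caller hits inside port 5060 before and after it has spoken."""
    fw = OutboundFirstFirewall(restrict_remote)
    inside, caller, other = "2001:db8:1::10", "2001:db8:2::20", "2001:db8:3::30"
    trace = [
        Packet(caller, 5060, inside, 5060),  # cold inbound attempt
        Packet(inside, 5060, caller, 5060),  # inside endpoint speaks first
        Packet(caller, 5060, inside, 5060),  # same remote, after state exists
        Packet(other, 5060, inside, 5060),   # a different remote
    ]
    return [fw.process(p) for p in trace]
```

The first verdict is "drop" in both variants, which is the point of the quoted paragraph: without a prior outbound packet the inside endpoint cannot be reached, so rendezvous machinery is still needed even with globally unique addresses.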