The Devil's in the Deployment RE: NATs as firewalls

> From: Brian E Carpenter [mailto:brc@xxxxxxxxxxxxxx] 

> This is of course one of the major motivations for 
> draft-ietf-v6ops-nap-06.txt, which is now in the RFC Editor's 
> queue. While it doesn't tell SOHO gateway vendors exactly 
> what to do, it does I think make it clear that there is a 
> secure mass market IPv6 way forward that has no need for NAT.

This is exactly the type of implicit statement that I was concerned about.

I am a practical person. I have two major goals and one secondary goal in the area of network protocols. My primary goal is to change the Internet infrastructure to make it a less favorable environment for Internet crime. My other principal goal is to make networks more robust and easier to use. The amount of network administration knowledge required today is absolutely ridiculous. I want to end my role in the 'friends and family' network administration plan.

The impending IPv4 address crunch is a secondary issue for me personally. It is an issue I want to see solved. It is not an issue I can take the lead on addressing personally.

Finding the right technology is one part of the problem. I have come to view it as the easy part. The much harder part is to persuade people to change what they are doing here.

There are necessary and unnecessary battles here. The IETF at large has for many years fought a running battle attempting to educate security practitioners so that they understand that the concept of firewalls and perimeter security is entirely worthless and in fact harmful.

Regardless of whether or not this is true, the fact is that Cisco, Checkpoint, 3Com, Microsoft, Sun and every other vendor that is prominent in either the security world or for that matter the IETF sells security products that are based on this basic principle.

The perimeter security model is of course visibly starting to reach a limit. But the solution that the market is looking at is not a return to the purity of the end-to-end security model but the precise opposite, with ubiquitous policy enforcement throughout the network. This is a species of defense in depth.

Whether or not it would be possible for the world to adopt a network architecture that does not employ NAT in IPv6 is at best merely an interesting academic question.

If you have been following the debate on Deperimeterization you will know that the Jericho Forum was founded with the explicit intention of causing the vendors to start producing interoperable networking infrastructure to support a defense in depth strategy where ubiquitous policy enforcement plays a key part.

The limitations set by NAT in such a network are irrelevant. No host is able to offer any form of service in such a network, whether internal or external, without explicit authorization to do so. The packets are simply not routed on the internal network. The governing principle becomes Default-Deny. The fixup required to make NAT work is neither complex nor onerous.

There is an important and critical difference between a network and an inter-network. The security solutions which are appropriate in each case bear very little relation to each other.
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
