RE: IPv6 NAT?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Title: Re: IPv6 NAT?
You know of an O/S that is not vulnerable to malware attacks? Please let me know the name, I haven't encountered one professionally since I was using OpenGenera in '95 and that was only secure because we had a more or less complete list with the names of every person who had ever successfully managed to learn the beast.
 
 
There is a way we could change security audit requirements, but it would involve rather more flexibility in approach than the IETF has been willing to accept. We would have to talk to the auditors and provide them with alternative means of achieving the ends that they consider important, not try to argue with the importance of those ends.


From: ietf-bounces@xxxxxxxx on behalf of Spencer Dawkins
Sent: Fri 15/02/2008 10:55 AM
To: Iljitsch van Beijnum; michael.dillon@xxxxxx
Cc: ietf@xxxxxxxx
Subject: Re: IPv6 NAT?

Well, accepting incoming IPv6 connections(!) through NATs would turn the
incoming-connection question from a technical issue into a
firewall-policy-only issue...

I'm with Dan that I don't see NATs disappearing in IPv6 - I remember in the
early days of the NAT working group (back when we thought our opinion about
NATs mattered) that someone got up and said their company had been audited,
and the auditors asked where the NATs were - apparently, this was (at that
time, at least) on audit checklists, and you got dinged if you weren't using
NATs, even if you were using firewalls (and even if you were using host OSes
that didn't roll over every time there was a virus outbreak, but I digress).

I'd love for that to change, but whether people agree about desirability or
not, we can all agree that it would be a change, I think.

Spencer

From: "Iljitsch van Beijnum" <iljitsch@xxxxxxxxx>


> On 15 feb 2008, at 16:09, <michael.dillon@xxxxxx> wrote:
>
>> Vendors need to agree on the timeout for mappings and on the
>> method for substituting prefixes. Even if ignoring port translation
>> seems obvious, a vendor who is adapting/upgrading old code might
>> include this in the absence of a standard.
>
> With 1-to-1 address translation without the port overloading the
> mappings can be static so there is no need for timeouts. And incoming
> connections can be translated just as easily as outgoing connections.
>
> One wonders whether the pro-NAT crowd would actually like something as
> open as that. Then again, emulating IPv4 NAT behavior just because
> it's the devil we know even though it would require a significant
> effort to create IPv6 versions of ALGs and then it would still get in
> the way of legitimate applications a whole lot isn't all that
> attractive, either.


_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
http://www.ietf.org/mailman/listinfo/ietf

_______________________________________________

Ietf@xxxxxxxx
http://www.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]