Re: Is this true?

Phillip Hallam-Baker wrote:

>> Nevertheless, it wouldn't be a surprise to me that stateful v6 firewalls
>> take NAT's place, such that "only return traffic is allowed".
> 
> That is one security use made of NAT, but reducing the amount of
> information leaked about the internal configuration of the network is
> another.
> 
> I don't have to make my network 100% secure to be secure, all I need
> to do to reduce my number of attacks is to make my network a bit
> harder and a bit more expensive to attack than your network.

Agreed. I just meant that even without v6 NATs, it shouldn't come as a
surprise if end-to-end connectivity is *not* restored by IPv6.



>>> and an expectation of end-to-end reachability seem quite
>>> fundamentally different from IPv4 as it is deployed today.
>> As ironic as it may sound, some people are actually *concerned* about
>> this. (no, not *me*)
> 
> It is hardly ironic. Pretty much all functionality can be employed by
> the bad guys as well as the good ones. So increasing the benefit to
> the good guys will inevitably increase the functionality for the bad
> ones.

Please let me re-phrase "It's ironic that what's supposed to be one of
the motivations for IPv6 is something that actually concerns many
people". (i.e., some see this as a "selling point", but for quite a few
of those that are expected to be "buyers" this is actually a concern).

-- Me, I wouldn't have my own systems reachable end-to-end unless
there's good reason for doing that.


> Looking at this thread, we have two ex-chairs who are not security
> specialists attacking a security specialist as 'ill-informed' when in
> fact they are merely repeating an ideological view of security that
> has negligible support outside the IETF. That is a really bad way to
> approach security.
> 
> There is more to security than throwing cryptography at packets.

Agreed. The work that we have done at CPNI on TCP & IP is probably along
those lines (i.e., more than throwing crypto) -- see
http://www.gont.com.ar/papers

Thanks!

Kind regards,
-- 
Fernando Gont
e-mail: fernando@xxxxxxxxxxx || fgont@xxxxxxx
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1




_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
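The "stateful v6 firewall instead of NAT" arrangement discussed in the thread, as an added example that is not part of the original messages: an nftables ruleset for an IPv6 host that drops unsolicited inbound connections and admits only return traffic, while still passing the ICMPv6 Neighbor Discovery and Path MTU Discovery messages without which IPv6 does not function. The interface name and the echo-request rate limit are assumptions.

```nftables
# Added example: IPv6 host filter that allows only return traffic
# (the role NAT incidentally played for IPv4), with the ICMPv6 types
# that a default-deny IPv6 policy must still let through.
table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback is always local (interface name is an assumption).
        iif "lo" accept

        # Connection tracking: drop packets that match no known flow state,
        # accept packets belonging to flows this host initiated.
        ct state invalid drop
        ct state established,related accept

        # Neighbor Discovery: without these, the host cannot resolve
        # neighbors or learn its router, regardless of the policy above.
        icmpv6 type { nd-router-advert, nd-neighbor-solicit,
                      nd-neighbor-advert, nd-redirect } accept

        # Error messages needed for Path MTU Discovery and diagnostics.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Optional: answer pings, but rate-limited (limit is an assumption).
        icmpv6 type echo-request limit rate 10/second accept

        # Everything else (new inbound TCP/UDP flows) falls to policy drop,
        # so the host is not reachable end-to-end unless a rule is added.
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load with `nft -f <file>` and inspect the live state table with `conntrack -L -f ipv6`; adding a single `tcp dport 22 accept` line to the input chain is the deliberate act of restoring end-to-end reachability for one service.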