On Sat, Aug 28, 2010 at 11:51 PM, Fernando Gont <fernando@xxxxxxxxxxx> wrote:
> Florian Weimer wrote:
>> Lack of NAT
>
> I am told that NAT for v6 is (ironically) among the most "asked for"
> IPv6 features...
>
> Nevertheless, it wouldn't be a surprise to me that stateful v6 firewalls
> take NAT's place, such that "only return traffic is allowed".

That is one security use made of NAT, but reducing the amount of information leaked about the internal configuration of the network is another.

I don't have to make my network 100% secure to be secure; all I need to do to reduce my number of attacks is to make my network a bit harder and a bit more expensive to attack than your network.

>> and an expectation of end-to-end reachability seem quite
>> fundamentally different from IPv4 as it is deployed today.
>
> As ironic as it may sound, some people are actually *concerned* about
> this. (no, not *me*)

It is hardly ironic. Pretty much all functionality can be employed by the bad guys as well as the good ones. So increasing the benefit to the good guys will inevitably increase the functionality for the bad ones.

That is why security conscious people think twice before adding functionality that they do not intend to use. And very security conscious people run default-deny networks where 'nothing should happen without a reason (SM)'.

Looking at this thread, we have two ex-chairs who are not security specialists attacking a security specialist as 'ill-informed' when in fact they are merely repeating an ideological view of security that has negligible support outside the IETF.

That is a really bad way to approach security. There is more to security than throwing cryptography at packets.

--
Website: http://hallambaker.com/

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
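The "stateful v6 firewall that only allows return traffic" and the "default-deny network" mentioned in the message above can be expressed as a single nftables forward chain. The ruleset below is an added illustration written for this page, not configuration posted by any participant in the thread; the interface names "lan0" and "wan0" are assumptions, and the rule set is a minimal example rather than a complete production policy.

```nft
# Added example (not from the thread): a default-deny IPv6 forward policy in
# which the only traffic admitted from the outside is return traffic for flows
# that inside hosts opened themselves, i.e. the NAT-like property discussed above.
# Interface names "lan0" (inside) and "wan0" (outside) are assumptions.
table ip6 filter {
    chain forward {
        # Default deny: anything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Discard packets the connection tracker cannot associate with a valid flow.
        ct state invalid drop

        # Return traffic for flows that already exist in the state table.
        # This is what gives a stateful firewall its "only replies come back" behaviour.
        ct state established,related accept

        # Inside hosts may open new flows toward the outside; the reverse direction
        # has no matching accept rule, so unsolicited inbound flows fall through to drop.
        iifname "lan0" oifname "wan0" ct state new accept

        # ICMPv6 error messages that path MTU discovery and diagnostics depend on;
        # without these, large transfers across the firewall can stall.
        icmpv6 type { packet-too-big, time-exceeded, parameter-problem } accept

        # Count what reaches the end of the chain so "default-deny" hits are visible
        # to operators (nft list ruleset) rather than silently vanishing.
        counter comment "default-deny: unsolicited inbound"
    }
}
```

Load it with `nft -f <file>` and inspect the final counter with `nft list chain ip6 filter forward`; a rising count on that last rule is the audit trail of inbound connection attempts the policy rejected. Note that this chain covers forwarded traffic only; an input chain with the same default-deny policy plus the neighbor-discovery ICMPv6 types is needed for the firewall host itself.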