>>>>> "Dave" == Dave CROCKER <dhc2@xxxxxxxxxxxx> writes:
    >> The major *security* advantage of IPv6 is that it removes 90% of
    >> complexity of IPv4 networks that results from layers of NAT, and
    >> then series of port-forwards through them.

    Dave> That's an operational hope, not a technical or operational
    Dave> fact.

    Dave> It is predicated on the belief that small address space is the
    Dave> only reason we have NATs. There's plenty of evidence for
    Dave> additional reasons which IPv6 does not eliminate.

    Dave> Ergo, your listed major security advantage is on extremely
    Dave> soft ground, possibly qualifying as quicksand...

NAT66, where the "private" address is a globally unique and whois'able
address, does not change the simplifications. (This is a reason I dislike
ULA-R, and I've argued for a liberalized approach to allocations to
non-connected networks over at arin-ppml.)

But, 90% of the situations where I see hopelessly complicated networks full
of crazy NAPT4 are not at "professional" enterprises where they did it on
purpose. It's at SOHO networks where NAPT4 "routers" are used to "extend" a
connection for multiple things.

For instance, a reason to create a new network "zone" is because we don't
provide printers with decent access control lists (authorization); instead,
we make them wide open and then throw WPA on the wireless so that it's
"secure", and then assume that if you've authenticated, you are authorized
to print. IPv6 would make that a new subnet, no additional layer of NAT,
and do the authorization by IP address. (with SEND to secure the mapping!)

From what I can see, most of the disasters of IPv4 I've seen are the result
of semi-professionals applying what they learnt wiring up their home (and
their mother-in-law's house), and then applying the same thing elsewhere.

So, if we get the home/residential experience right for IPv6, then I think
we will clean up the worst situations I've seen.

The enterprises which inflict pain on themselves with NAT44, and therefore
NAT66, for "security" reasons will at least be in charge of their own fate.

--
] He who is tired of Weird Al is tired of life!                | firewalls  [
] Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@xxxxxxxxxxxxxxxxxxxxxx http://www.sandelman.ottawa.on.ca/ |device driver[
  Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
              then sign the petition.

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf