North American Network Operators Group


Re: OMB: IPv6 by June 2008

  • From: Peter Dambier
  • Date: Sun Jul 03 04:20:07 2005

Christopher L. Morrow wrote:
On Fri, 1 Jul 2005, Mohacsi Janos wrote:


On Fri, 1 Jul 2005, Christopher L. Morrow wrote:

On Fri, 1 Jul 2005, Mohacsi Janos wrote:

On Fri, 1 Jul 2005, Christopher L. Morrow wrote:


On Fri, 1 Jul 2005, Mohacsi Janos wrote:

This keeps coming up in each discussion about v6, 'what security measures'
is never really defined in any real sense. As near as I can tell its
level of 'security' is no better (and probably worse at the outset, for
the implementations not the protocol itself) than v4. I could be wrong,
but I'm just not seeing any 'inherent security' in v6, and selling it that
way is just a bad plan.

Just name a few:
- Possibility to end-to-end IPSec.
exists in v4
Is broken by NAT

Not exactly. Try to set up IPSec nodes behind NAT boxes. IPSec is speaking
about the possibility of e2e security.
this changes how in v6+nat?

That is why there is no NAT in IPv6 and God help there will never be NAT in v6.

There is no need for NAT in IPv6. Use instead NAP (i.e. Network
Architecture Protection).
you are ignoring the reality... people WILL want v6 and nat :( it might be
ugly and distasteful, but the fact remains that people will want and will
require nat.

People will want IPv9 with total government control. Especially in China
and the US.

P2P is broken with NAT. They are 90% of internet users.

With NAT there is no VoIP, no FTP, no DNS, no ...
Just try and put two servers behind NAT - that is, if your server and your
NAT-box support each other.


- Privacy enhanced addresses - not tracking usage based on addresses
dhcp can do this for you (v4 has mechanisms for this)
DHCP does not provide privacy, just address management. Can you
communicate on IPv4 the following way: different service - different
source IP address?

yes. look at bitchx, or ssh ... corner cases to be sure, but still
feasible. (or simple example: vhosted webserver) As to dhcp, it can
provide the address privacy you seek, just use very short leases. (yes,
it's messy, but it'd work mostly)
Are you speaking about the following?
When I am talking to x service my source address is a1. x sees me as a1.
At the same time, when I am talking to y service my source address is a2. y
sees me as a2.
I am speaking of that yes. with the 2 applications I named above (bitchx
and ssh) you can indeed appear to be 2 different ip address to 2 different
services/destinations...


Can I have more than 1 address with DHCP at the same time?

I believe you could do multiple dhcp addresses for multiple interfaces on
one box. at least with a modernish unix that seems quite feasible.


Have you tried to find out in an IPv4 NAT environment where the virus/worm
flood is coming from? - In most situations it is coming from the NAT box -
actually that's kind of my daily job... it seems to work fine for me so
far.
Because you have all the tools and knowledge. But most of the
users/admins do not have these.
perhaps... but tcpdump/snort/<pc-sniffer-of-choice> will make that problem
easy for them as well.


not because the NAT box was infected, but because nodes behind the NAT were
infected. In most cases the admins of the networks behind NAT boxes are not
knowledgeable enough about where to look in these cases. So IPv6 can improve e2e
accountability, which is part of the security.

because it removes the 'requirement' for NAT? or in some other magical
way? If you look/listen to the users of NAT, a large proportion of them
will continue to use NAT in v6 (or have stated they will)... I'm not sure
your above argument is as valid as you'd like it to be :(

There never was a need for flat tyres or NAT. The only reason for NAT is
a lot of people running out of IPv4 address space.

Whatever security nonsense was told of NAT was just hype to justify NAT
breaking almost every existing or newly invented protocol.

Probably they will use NAT for IPv4, because they don't have any other option,
but they will use IPv6 with a proper stateful firewall. The argument that NAT is
providing security is not valid....

the argument is that NAT is required because people want it, regardless
of your engineering argument about how ugly nat and v6 is/will-be :(

NAT is only good to prevent people from communicating with each other.

The perfect NAT is IPv9 as deployed in China. You don't need IPv6. Stay
with IPv4 and we will map all addresses that are good for you into your
personal IPv4 address space. You don't need to send emails directly to
everybody. We will do that for you. You don't need to be afraid of SPAM.
We will take care of that for you.

What do you need a PC for? Free tv for everybody is good enuf for you!

Have a nice weekend,
Peter and Karin Dambier

--
Peter and Karin Dambier
Public-Root
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-179-108-3978 (O2 Genion)
+49-6252-750308 (VoIP: sipgate.de)
+1-360-448-1275 (VoIP: freeworldialup.com)
+1-360-226-6583-9563 (INAIC)
mail: [email protected]
http://iason.site.voila.fr
http://www.kokoom.com/iason