North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Access to the IPv4 net for IPv6-only systems, was: Re: WG Action: Conclusion of IP Version 6 (ipv6)

  • From: Stephen Sprunk
  • Date: Tue Oct 02 11:23:11 2007

Thus spake "Iljitsch van Beijnum" <[email protected]>
On 2-okt-2007, at 15:05, Adrian Chadd wrote: 
Please explain how you plan on getting rid of those protocol-
aware plugins when IPv6 is widely deployed in environments
with -stateful firewalls-.

You just open up a hole in the firewall where appropriate.

You can have an ALG, the application or the OS do this. As you probably know by now, I don't favor the ALG approach.

You obviously have no experience working in security. You can't trust the OS (Microsoft? hah!), you can't trust the application (malware), and you sure as heck can't trust the user (industrial espionage and/or social engineering). The only way that address-embedding protocols can work through a firewall, whether it's doing NAT or not, is to use an ALG.

The defense and healthcare industries will force vendors to write those ALGs (actually, make minor changes to existing ones) if they care about the protocols in question because they have no choice -- security is the law. And, once those ALGs are available, everyone else will use them.

Even for home users, most have zero clue how to "open a hole" in their home firewall. Consumer OSes are far, far too insecure to let them sit exposed without a firewall by default (you can't even patch a Windows system before it's hacked), and we can't trust end users not to run malware that will open holes for them.

End-to-end-ness is and has be-en "busted" in the corporate
world AFAICT for a number of years. IPv6 "people" seem to
think that simply providing globally unique addressing to all
endpoints will remove NAT and all associated trouble. Guess
what - it probably won't.


If you don't want end-to-end, be a man (or woman) and use a
proxy.   Don't tell the applications they they are connected to the
rest of the world and then pull the rug from under them. This
works in IPv4 today but don't expect this to carry over to IPv6.
At least not without a long, bloody fight.

If you think anyone will be deploying v6 without a stateful firewall, you're delusional. That battle is long over. The best we can hope for is that those personal firewalls won't do NAT as well.

S

Stephen Sprunk "God does not play dice." --Albert Einstein
CCIE #3723 "God is an inveterate gambler, and He throws the
K5SSS dice at every possible opportunity." --Stephen Hawking