North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Access to the IPv4 net for IPv6-only systems, was: Re: WG Action: Conclusion of IP Version 6 (ipv6)

  • From: Mark Newton
  • Date: Wed Oct 03 05:46:53 2007

On Tue, Oct 02, 2007 at 10:33:43PM +0200, Iljitsch van Beijnum wrote:

 > On 2-okt-2007, at 16:10, Stephen Sprunk wrote:
 > >You can't trust the OS (Microsoft?  hah!), you can't trust the  
 > >application (malware), and you sure as heck can't trust the user  
 > >(industrial espionage and/or social engineering).  The only way  
 > >that address-embedding protocols can work through a firewall,  
 > >whether it's doing NAT or not, is to use an ALG.
 > You assume a model where some trusted party is in charge of a  
 > firewall that separates an untrustworthy outside and an untrustworthy  
 > inside. This isn't exactly the trust model for most consumer networks.

Err, it is.  Really, it is.  

Residential-grade customers employ trusted parties like "DLink",
"Alloy", "Alcatel", "Linksys", and various others to be in charge
of the firewall that separates the untrustworthy internet from
their inside network.

Corporate-grade customers employ trusted parties as staff.
SMEs are somewhere in between, often substituting their ISP as a
proxy for "staff."

Ether way you cut it, the model you've just dismissed is _exactly_
the way the real world works.

 > Also, why would you be able to trust what's inside the control  
 > protocol that the ALG looks at any better than anything else?

You can't.  So if the control protocol can possibly do anything bad,
the firewall administrator says, "Well, can't let this take control
of my network, I'll just block it."

... which breaks end-to-end reachability every bit as effectively
as a NAT box does, regardless of whether or not the firewall employs
NAT.  Which is why various correspondents in this thread have 
repeatedly pointed out that any assertion that an IPv6 Internet
is going to be any more end-to-end than an IPv4 Internet is delusional.

 > >The defense and healthcare industries will force vendors to write  
 > >those ALGs (actually, make minor changes to existing ones) if they  
 > >care about the protocols in question because they have no choice --  
 > >security is the law.
 > Seems to work well, that law.
 > But these people don't complain when their video streaming/chatting  
 > doesn't work out of the box.

<splutter>  Oh yes they do.  You better believe it.

   - mark

Mark Newton                               Email:  [email protected] (W)
Network Engineer                          Email:  [email protected]  (H)
Internode Systems Pty Ltd                 Desk:   +61-8-82282999
"Network Man" - Anagram of "Mark Newton"  Mobile: +61-416-202-223