RE: IPv6 NAT?
You know of an O/S that is not vulnerable to malware attacks? Please let me know the name; I haven't encountered one professionally since I was using OpenGenera in '95, and that was only secure because we had a more or less complete list with the names of every person who had ever successfully managed to learn the beast.
There is a way we could change security audit requirements, but it would involve rather more flexibility in approach than the IETF has been willing to accept. We would have to talk to the auditors and provide them with alternative means of achieving the ends that they consider important, not try to argue with the importance of those ends.


From: ietf-bounces at ietf.org on behalf of Spencer Dawkins
Sent: Fri 15/02/2008 10:55 AM
To: Iljitsch van Beijnum; michael.dillon at bt.com
Cc: ietf at ietf.org
Subject: Re: IPv6 NAT?

Well, accepting incoming IPv6 connections(!) through NATs would turn the
incoming-connection question from a technical issue into a
firewall-policy-only issue...

I'm with Dan that I don't see NATs disappearing in IPv6 - I remember in the
early days of the NAT working group (back when we thought our opinion about
NATs mattered) that someone got up and said their company had been audited,
and the auditors asked where the NATs were - apparently, this was (at that
time, at least) on audit checklists, and you got dinged if you weren't using
NATs, even if you were using firewalls (and even if you were using host OSes
that didn't roll over every time there was a virus outbreak, but I digress).

I'd love for that to change, but whether people agree about desirability or
not, we can all agree that it would be a change, I think.

Spencer

From: "Iljitsch van Beijnum" <iljitsch at muada.com>


> On 15 feb 2008, at 16:09, <michael.dillon at bt.com> wrote:
>
>> Vendors need to agree on the timeout for mappings and on the
>> method for substituting prefixes. Even if ignoring port translation
>> seems obvious, a vendor who is adapting/upgrading old code might
>> include this in the absence of a standard.
>
> With 1-to-1 address translation without the port overloading the
> mappings can be static so there is no need for timeouts. And incoming
> connections can be translated just as easily as outgoing connections.
>
> One wonders whether the pro-NAT crowd would actually like something as
> open as that. Then again, emulating IPv4 NAT behavior just because
> it's the devil we know even though it would require a significant
> effort to create IPv6 versions of ALGs and then it would still get in
> the way of legitimate applications a whole lot isn't all that
> attractive, either.
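The two translation styles contrasted in the exchange above, as an added example that is not part of the thread or of any vendor's code: a stateless 1-to-1 prefix substitution, where the mapping is a pure function of the address (no table, no timeouts, and an unsolicited inbound connection translates just like an outbound one), beside an IPv4-style port-overloading NAT, which must keep a per-flow table with a timeout and can only translate inbound packets for ports it has already learned. The prefixes, addresses, ports and timeout are constructed sample values; the prefix substitution simply keeps the interface identifier and does not do the checksum-neutral adjustment that RFC 6296 (NPTv6) later specified, so it is a model of the idea, not an implementation of that RFC.

```python
"""Stateless 1:1 IPv6 prefix translation versus stateful port-overloading NAT.
Added example; prefixes and addresses are constructed documentation values."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample prefixes: the "inside" /48 and the "outside" /48 it maps to.
INSIDE_PREFIX = ipaddress.IPv6Network("2001:db8:1::/48")
OUTSIDE_PREFIX = ipaddress.IPv6Network("2001:db8:2::/48")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def substitute_prefix(addr: str, old: ipaddress.IPv6Network,
                      new: ipaddress.IPv6Network) -> str:
    """Swap the prefix bits of addr (which must lie in old) for those of new,
    keeping the host/interface-identifier bits unchanged."""
    a = ipaddress.IPv6Address(addr)
    if a not in old or old.prefixlen != new.prefixlen:
        raise ValueError(f"{addr} not in {old} or prefix lengths differ")
    host_bits = 128 - old.prefixlen
    host_part = int(a) & ((1 << host_bits) - 1)
    return str(ipaddress.IPv6Address(int(new.network_address) | host_part))


class StatelessPrefixNAT:
    """1:1 translation: no mapping table, no timeouts, symmetric in both directions."""

    def outbound(self, p: Packet) -> Packet:
        return Packet(substitute_prefix(p.src, INSIDE_PREFIX, OUTSIDE_PREFIX),
                      p.dst, p.sport, p.dport)

    def inbound(self, p: Packet) -> Packet:
        # No prior state is needed: an unsolicited inbound packet translates too.
        return Packet(p.src, substitute_prefix(p.dst, OUTSIDE_PREFIX, INSIDE_PREFIX),
                      p.sport, p.dport)


class PortOverloadingNAT:
    """IPv4-style NAPT: many inside hosts share one outside address, told apart by port.
    Every flow needs a table entry, and entries must expire, so a timeout is unavoidable."""

    def __init__(self, outside_addr: str, timeout: int):
        self.outside_addr = outside_addr
        self.timeout = timeout  # seconds of idleness after which a mapping is dropped
        self.next_port = 40000
        self.table: Dict[int, Tuple[str, int, int]] = {}      # outside port -> (in addr, in port, last seen)
        self.reverse: Dict[Tuple[str, int], int] = {}          # (in addr, in port) -> outside port

    def outbound(self, p: Packet, now: int) -> Packet:
        key = (p.src, p.sport)
        port = self.reverse.get(key)
        if port is None:                       # first packet of the flow creates the mapping
            port = self.next_port
            self.next_port += 1
            self.reverse[key] = port
        self.table[port] = (p.src, p.sport, now)
        return Packet(self.outside_addr, p.dst, port, p.dport)

    def inbound(self, p: Packet, now: int) -> Optional[Packet]:
        entry = self.table.get(p.dport)
        if entry is None:                      # unknown port: no mapping, packet is dropped
            return None
        inside_addr, inside_port, last_seen = entry
        if now - last_seen > self.timeout:     # idle too long: mapping expired, packet is dropped
            del self.table[p.dport]
            del self.reverse[(inside_addr, inside_port)]
            return None
        self.table[p.dport] = (inside_addr, inside_port, now)
        return Packet(p.src, inside_addr, p.sport, inside_port)


def demo() -> dict:
    """Run both translators over constructed packets and return the observable results."""
    stateless = StatelessPrefixNAT()
    out = stateless.outbound(Packet("2001:db8:1::10", "2001:db8:ffff::1", 5555, 443))
    unsolicited = stateless.inbound(Packet("2001:db8:ffff::1", "2001:db8:2::10", 1234, 22))

    napt = PortOverloadingNAT("2001:db8:2::1", timeout=60)
    o = napt.outbound(Packet("2001:db8:1::10", "2001:db8:ffff::1", 5555, 443), now=0)
    reply = napt.inbound(Packet("2001:db8:ffff::1", "2001:db8:2::1", 443, o.sport), now=10)
    late = napt.inbound(Packet("2001:db8:ffff::1", "2001:db8:2::1", 443, o.sport), now=100)
    cold = napt.inbound(Packet("2001:db8:ffff::1", "2001:db8:2::1", 1234, 22), now=0)
    return {
        "stateless_out_src": out.src,
        "stateless_unsolicited_dst": unsolicited.dst,
        "napt_out": (o.src, o.sport),
        "napt_reply": (reply.dst, reply.dport) if reply else None,
        "napt_late": late,   # None: the mapping timed out
        "napt_cold": cold,   # None: no mapping ever existed for port 22
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the model makes concrete is the one in the quoted text: with 1-to-1 translation the question of whether an inbound connection gets through stops being a translation-state problem and becomes purely a firewall-policy decision, whereas with port overloading the translator itself silently drops anything it has not seen an outbound packet for, whatever the policy says.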


_______________________________________________
Ietf mailing list
Ietf at ietf.org
http://www.ietf.org/mailman/listinfo/ietf

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.