nanog mailing list archives
Re: Creating demand for IPv6
From: Mark Smith <nanog () 85d5b20a518b8f6864949bd940457dc124746ddc nosense org>
Date: Wed, 3 Oct 2007 20:50:24 +0930
On Tue, 2 Oct 2007 23:20:54 -0400 "William Herrin" <herrin-nanog () dirtside com> wrote:

> On 10/2/07, Randy Bush <randy () psg com> wrote:
> > > During early phase of free pool exhaustion, when you can't deliver more IPv4 addresses to your customers you lose the customer to a hosting provider who still has addresses left. So sorry. Those will be some nasty years. Unless you're Cogent, Level3 or one of the others sitting pretty on a /8. They'll be in phat city.
> >
> > this is a very real and significant problem. a very small fraction of the arin membership holds the vast majority of the address space. it would be interesting to ask arin to give us the cdf of this.

<snip>

> I'd love to have an Internet where all firewalls were packet filters. But that's not my call. That's the call of hundreds of thousands of network security officers who have NAT written in stone at the core of their security process. Tying NAT's abandonment to IPv6's deployment won't change their minds but it will doom IPv6.

The value of network perimeterisation as a security measure, of which NAT is a method, is being questioned significantly by network security people. The obvious example of why it is being questioned is when the CEO brings their laptop inside the "gooey" centre, bypassing the "hard shell" corporate firewalling/NAT box, and infecting all the devices on the corporate network with the malware they've caught from their home broadband connection.

"The de-perimeterization solution

While traditional security solutions like network boundary technology will continue to have their roles, we must respond to their limitations. In a fully de-perimeterized network, every component will be independently secure, requiring systems and data protection on multiple levels, using a mixture of

* encryption
* inherently-secure computer protocols
* inherently-secure computer systems
* data-level authentication"

http://www.opengroup.org/jericho/

Having found out about this project, I spoke to a friend of mine in the local state government (around 10 000+ public servants) i.e. not a big one, not a prominent one, and not likely to be an early adopter of different IT security models. They're moving to this model in the very near future, because they have to.

> > So if more addresses was "thoroughly mitigated by NAT", when were these problems that NAT creates fixed?
> >
> > http://www.cs.utk.edu/~moore/what-nats-break.html
>
> Many of those never were meaningful problems and most of the rest have been obsoleted by the changing reality of network security on the Internet. Things like controlling the source port meant something once upon a time, but they have no place in a modern security infrastructure. That would be true with or without NAT.
>
> The -real- problems with NAT can be summed up in two statements:
>
> 1. NAT makes it more difficult to engage in certain popular activities that strictly speaking are against the TOS.
>
> 2. NAT makes logging and accountability more difficult.
>
> Regards,
> Bill Herrin
>
> --
> William D. Herrin    herrin () dirtside com    bill () herrin us
> 3005 Crane Dr.       Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
-- "Sheep are slow and tasty, and therefore must remain constantly alert." - Bruce Schneier, "Beyond Fear"