Firewall Wizards mailing list archives

Re: Off topic: Any one know of a good IPV6 reference book?


From: Paul Robertson <proberts () patriot net>
Date: Wed, 30 Jul 2003 20:10:35 -0400 (EDT)

On Tue, 29 Jul 2003, Jonn Martell wrote:

> Doesn't V6 allow for end-to-end encryption and authentication?

SSL allows for end-to-end encryption and authentication.  That just 
doesn't happen to *solve* many of our problems.

> That would solve a lot of issues for secure networks.  And with the cap 
> off addresses, it should make things very interesting.  It will change 
> the Internet so that unauthenticated traffic will get a different class 
> of service.

If your routers have to authenticate traffic to figure out the QoS for the 
traffic, you're going to have to do some significant infrastructure 
changes that don't just involve renumbering.  If you're going to defeat 
replay attacks, connection setup is going to suck.

> NAT was a hack and although it works fine for small environments it 
> falls apart for large user networks. The lack of auditing is a pure 
> nightmare for tracking down abuse from the inside in a large network.

You get as much auditing as you put in, no matter if the address space is 
routed externally or not; NAT neither adds nor subtracts from that equation.  Most 
switches solve that problem these days with 802.1x.  802.1x is your 
friend.  Embrace 802.1x.

> I applaud the DOD efforts, they created the Internet and I have no doubt 
> that mandating V6 will tip the scales for adoption. They did this in 
> early 80 with IP, they'll do it again.

DoD really doesn't have a good reason for interoperating with the 
commercial Internet in peer to peer mode, in fact I'd bet that many folks 
inside DoD wish they didn't ;)

Anyway, Al Gore created the Internet ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

