Re: OMB: IPv6 by June 2008

["Christopher L. Morrow" <christopher.morrow () mci com>]

On Fri, 1 Jul 2005, Mohacsi Janos wrote:

> On Fri, 1 Jul 2005, Christopher L. Morrow wrote:
> > On Fri, 1 Jul 2005, Mohacsi Janos wrote:
> > > On Fri, 1 Jul 2005, Christopher L. Morrow wrote:
> > >
> > > > On Fri, 1 Jul 2005, Mohacsi Janos wrote:
> > > > > > This keeps coming up in each discussion about v6, 'what security measures'
> > > > > > is never really defined in any real sense. As near as I can tell it's
> > > > > > level of 'security' is no better (and probably worse at the outset, for
> > > > > > the implementations not the protocol itself)  than v4. I could be wrong,
> > > > > > but I'm just not seeing any 'inherent security' in v6, and selling it that
> > > > > > way is just a bad plan.
> > > > >
> > > > > Just name a few:
> > > > > - Possibility to end-to-end IPSec.
> > > >
> > > > exists in v4
> > >
> > > Not exactly. Try to setup IPSec nodes behind NAT boxes. IPSec is speaking
> > > about possibility of e2e security.
> >
> > this changes how in v6+nat?
>
> There is not need for NAT in IPv6. Use instead NAP (i.e. Network
> Architecture Protection).

you are ignoring the reality... people WILL want v6 and nat :( it might be
ugly and distasteful, but the fact remains that people will want and will
require nat.

> > > > > - Privacy enhanced addresses - not tracking usage based on addresses
> > > >
> > > > dhcp can do this for you (v4 has mechanisms for this)
> > >
> > > DHCP does not provide privacy, just address management. Can you
> > > communicate on IPv4 the following way?: - different service - different
> > > source IP address?
> >
> > yes. look at bitchx, or ssh ... corner cases to be sure, but still
> > feasible. (or simple example: vhosted webserver) As to dhcp, it can
> > provide the address privacy you seek, just use very short leases. (yes,
> > it's messy, but it'd work mostly)
>
> Are you speaking about the following? :
> What I am talking to x service my source address is a1. x see me as a1.
> In the same time when I am talking to y service my source address is a2. y
> see me as a2.

I am speaking of that yes. with the 2 applications I named above (bitchx
and ssh) you can indeed appear to be 2 different ip address to 2 different
services/destinations...

> Can I have more than 1 address with DHCP in the same time?

I believe you could do multiple dhcp addresses for multiple interfaces on
one box. atleast with a modernish unix that seems quite feasible.

> > > Have you tried to find out in a IPv4 NAT environment where the virus/worm
> > > flood is coming? - Most of the situation it is coming from the NAT box -
> >
> > actually that's kind of my daily job... it seems to work fine for me so
> > far.
>
> Because you have all the tools and knowledge. But most of the
> users/admins do not have these.

perhaps... but tcpdump/snort/<pc-sniffer-of-choice> will make that problem
easy for them as well.

> > > not because NAT box was infected, but because nodes behind NAT was
> > > infected. Most of the cases admins of the networks behind NAT boxes not
> > > knowledgeable enough where to look in this cases. So IPv6 can improve e2e
> > > accountability that is part of the security.
> >
> > because it removes the 'requirement' for NAT? or in some other magical
> > way? If you look/listen to the users of NAT, a large proportion of them
> > will continue to use NAT in v6 (or have stated they will)... I'm not sure
> > your above arguement is as valid as you'd like it to be :(
>
> Probably they will use NAT for IPv4, because they don't have other option,
> but they will use IPv6 with proper stateful firewall. Argument that NAT is
> providing security is not valid....

the arguement is that NAT is required because people want it, regardless
of your engineering arguement about how ugly nat and v6 is/will-be :(