nanog mailing list archives

Re: Rate of growth on IPv6 not fast enough?


From: Owen DeLong <owen () delong com>
Date: Fri, 23 Apr 2010 11:14:16 -0700


On Apr 23, 2010, at 10:34 AM, Matthew Kaufman wrote:

Matthew Kaufman wrote:
Jack Bates wrote:
Matthew Kaufman wrote:
But none of this does what NAT does for a big enterprise, which is to *hide internal topology*. Yes, addressing 
the privacy concerns that come from using lower-64-bits-derived-from-MAC-address is required, but it is also 
necessary (for some organizations) to make it impossible to tell that this host is on the same subnet as that 
other host, as that would expose information like which host you might want to attack in order to get access to 
the financial or medical records, as well as whether or not the executive floor is where these interesting website 
hits came from.


Which is why some firewalls already support NAT for IPv6 in some form or fashion. These same firewalls will also 
usually have layer 7 proxy/filtering support as well. The concerns and breakage of a corporate network are extreme 
compared to non-corporate networks.

Agreed on the last point. And I'm following up mostly because I've received quite a few private messages that 
resulted from folks interpreting "hide internal topology" as "block access to internal topology" (which can be done 
with filters). What I mean when I say "hide internal topology" is that a passive observer on the outside, looking at 
something like web server access logs, cannot tell how many subnets are inside the corporation or which accesses 
come from which subnets. (And preferably, cannot tell whether or not two different accesses came from the same host 
or different hosts simply by examining the IP addresses... but yes, application-level cooperation -- in the form of 
a browser which keeps cookies, as an example -- can again expose that type of information)


And to further clarify, I don't think "hide internal topology" is actually something that needs to happen (and can 
show several ways in which it can be completely violated, including using the browser and/or browser plugins to 
extract the internal addresses and send them to a server somewhere which can map it all out). But it *is* present as 
a mandatory checklist item on at least one HIPAA and two SOX audit checklists I've seen... and IT departments in 
major corporations care much more these days about getting a clean SOX audit than they do about providing 
connectivity... and given how each affects the stock price, that's not surprising.

Matthew Kaufman

Yes, much education is required to the audit community.

Owen
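To make the "passive observer looking at web server access logs" point above concrete, here is an added example (not from the thread or from either author): it takes constructed access-log lines and reports exactly what an outsider could read off the source addresses alone, namely the number of /64 subnets, the number of distinct hosts, and which hosts use MAC-derived (EUI-64, ff:fe) interface identifiers rather than RFC 4941 privacy addresses. The log lines, prefixes and MACs are constructed; a site would run the same check over its own logs to confirm that privacy addresses are actually in use.

```python
import ipaddress
from collections import Counter

# Constructed sample access-log lines (not real traffic). The first five
# sources use EUI-64 interface identifiers (MAC recoverable); the last two
# use RFC 4941 privacy addresses, which reveal nothing about the host.
SAMPLE_LOG = """\
2001:db8:1:10:21b:21ff:fe3c:4d5e - - [23/Apr/2010:10:34:01 -0700] "GET /reports HTTP/1.1" 200 512
2001:db8:1:10:21b:21ff:fe3c:4d5e - - [23/Apr/2010:10:34:05 -0700] "GET /reports/q1 HTTP/1.1" 200 2048
2001:db8:1:10:21b:21ff:fe7a:8b9c - - [23/Apr/2010:10:35:12 -0700] "GET / HTTP/1.1" 200 100
2001:db8:1:20:21b:21ff:fe00:1111 - - [23/Apr/2010:10:36:00 -0700] "GET /hr HTTP/1.1" 200 300
2001:db8:1:30:21b:21ff:fe22:3333 - - [23/Apr/2010:10:37:00 -0700] "GET /finance HTTP/1.1" 403 0
2001:db8:1:30:9c1e:4f2a:7b80:d61f - - [23/Apr/2010:10:38:00 -0700] "GET /finance HTTP/1.1" 200 900
2001:db8:1:40:3e7d:0a1b:5c2d:e4f6 - - [23/Apr/2010:10:39:00 -0700] "GET / HTTP/1.1" 200 100
"""

def is_eui64(addr):
    """Interface identifier is MAC-derived (RFC 4291 App. A): 0xff 0xfe is
    inserted between the two halves of the 48-bit MAC, i.e. address bytes 11-12."""
    b = addr.packed
    return b[11] == 0xFF and b[12] == 0xFE

def mac_from_eui64(addr):
    """Recover the MAC embedded in an EUI-64 identifier (undo the u/l bit flip)."""
    b = bytearray(addr.packed[8:])
    b[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in bytes(b[0:3]) + bytes(b[5:8]))

def observer_view(log_text):
    """Everything an outside observer learns from the source addresses alone."""
    subnets, hosts, eui64_hosts = Counter(), set(), {}
    for line in log_text.splitlines():
        addr = ipaddress.IPv6Address(line.split(" ", 1)[0])
        # Group by /64: with SLAAC, one /64 is one on-link subnet.
        subnets[str(ipaddress.IPv6Network((addr, 64), strict=False))] += 1
        hosts.add(addr)
        if is_eui64(addr):
            eui64_hosts[str(addr)] = mac_from_eui64(addr)
    return {
        "subnet_count": len(subnets),
        "hits_per_subnet": dict(subnets),
        "distinct_hosts": len(hosts),
        "eui64_hosts": eui64_hosts,  # hosts whose hardware address leaks
    }
```

The `eui64_hosts` entries are the ones the audit checklist item is really worried about; the two privacy-address hits in the same sample can be told apart from each other only by cookies or other application-level data, as the thread notes.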


