Rate of growth on IPv6 not fast enough?

Matthew Kaufman matthew at matthew.at
Fri Apr 23 12:34:18 CDT 2010


Matthew Kaufman wrote:
> Jack Bates wrote:
>> Matthew Kaufman wrote:
>>> But none of this does what NAT does for a big enterprise, which is 
>>> to *hide internal topology*. Yes, addressing the privacy concerns 
>>> that come from using lower-64-bits-derived-from-MAC-address is 
>>> required, but it is also necessary (for some organizations) to make 
>>> it impossible to tell that this host is on the same subnet as that 
>>> other host, as that would expose information like which host you 
>>> might want to attack in order to get access to the financial or 
>>> medical records, as well as whether or not the executive floor is 
>>> where these interesting website hits came from.
>>>
>>
>> Which is why some firewalls already support NAT for IPv6 in some form 
>> or fashion. These same firewalls will also usually have layer 7 
>> proxy/filtering support as well. The concerns and breakage of a 
>> corporate network are extreme compared to non-corporate networks.
> Agreed on the last point. And I'm following up mostly because I've 
> received quite a few private messages that resulted from folks 
> interpreting "hide internal topology" as "block access to internal 
> topology" (which can be done with filters). What I mean when I say 
> "hide internal topology" is that a passive observer on the outside, 
> looking at something like web server access logs, cannot tell how many 
> subnets are inside the corporation or which accesses come from which 
> subnets. (And preferably, cannot tell whether or not two different 
> accesses came from the same host or different hosts simply by 
> examining the IP addresses... but yes, application-level cooperation 
> -- in the form of a browser which keeps cookies, as an example -- can 
> again expose that type of information)
>

And to further clarify, I don't think "hide internal topology" is 
actually something that needs to happen (and can show several ways in 
which it can be completely violated, including using the browser and/or 
browser plugins to extract the internal addresses and send them to a 
server somewhere which can map it all out). But it *is* present as a 
mandatory checklist item on at least one HIPPA and two SOX audit 
checklists I've seen,.. and IT departments in major corporations care 
much more these days about getting a clean SOX audit than they do about 
providing connectivity... and given how each affects the stock price, 
that's not surprising.

Matthew Kaufman




More information about the NANOG mailing list