moving to IPv6

• Previous message (by thread): moving to IPv6
• Next message (by thread): moving to IPv6
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

At 01:23 PM 11/3/97 -0500, Thomas Narten wrote:
>Fundamentally, security likes the idea that it trusts no one other
>than the originator of data and the ultimate destination of data. That
>means no one in between should be able to examine the data, much less
>modify any of it.  That includes NATs rewritting addresses. IPSec (and
>DNSSEC) do not allow addresses to be rewritten in packets. Full Stop.

Not to be contentious, but there are valid reasons why 
"addresses" should be very visible to the network and 
potentially subject to modification.   Just offhand, 
the ability to prevent malacious attacks and hunt down
fraud are valid reasons on their own for visibility 
for network operations. 

I agree 100% when it comes to payload, but network
addresses serve the network as much as the packet. 
To the extent that we start deploying networks with
more functionality (such as mail relaying and web
caching), then the same logic applies to DNS names.

/John

• Previous message (by thread): moving to IPv6
• Next message (by thread): moving to IPv6
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]