OMB: IPv6 by June 2008

Fri Jul 1 19:47:45 UTC 2005

On Fri, 1 Jul 2005, Mohacsi Janos wrote:

> On Fri, 1 Jul 2005, Christopher L. Morrow wrote:
> >
> > On Fri, 1 Jul 2005, Mohacsi Janos wrote:
> >>
> >> On Fri, 1 Jul 2005, Christopher L. Morrow wrote:
> >>
> >>> On Fri, 1 Jul 2005, Mohacsi Janos wrote:
> >>>>>
> >>>>> This keeps coming up in each discussion about v6, 'what security measures'
> >>>>> is never really defined in any real sense. As near as I can tell it's
> >>>>> level of 'security' is no better (and probably worse at the outset, for
> >>>>> the implementations not the protocol itself)  than v4. I could be wrong,
> >>>>> but I'm just not seeing any 'inherent security' in v6, and selling it that
> >>>>> way is just a bad plan.
> >>>>>
> >>>>
> >>>> Just name a few:
> >>>> - Possibility to end-to-end IPSec.
> >>>
> >>> exists in v4
> >>
> >> Not exactly. Try to setup IPSec nodes behind NAT boxes. IPSec is speaking
> >> about possibility of e2e security.
> >
> > this changes how in v6+nat?
> >
>
> There is not need for NAT in IPv6. Use instead NAP (i.e. Network
> Architecture Protection).

you are ignoring the reality... people WILL want v6 and nat :( it might be
ugly and distasteful, but the fact remains that people will want and will
require nat.

> >>>> - Privacy enhanced addresses - not tracking usage based on addresses
> >>>
> >>> dhcp can do this for you (v4 has mechanisms for this)
> >>
> >> DHCP does not provide privacy, just address management. Can you
> >> communicate on IPv4 the following way?: - different service - different
> >> source IP address?
> >>
> >
> > yes. look at bitchx, or ssh ... corner cases to be sure, but still
> > feasible. (or simple example: vhosted webserver) As to dhcp, it can
> > provide the address privacy you seek, just use very short leases. (yes,
> > it's messy, but it'd work mostly)
>
> Are you speaking about the following? :
> What I am talking to x service my source address is a1. x see me as a1.
> In the same time when I am talking to y service my source address is a2. y
> see me as a2.

I am speaking of that yes. with the 2 applications I named above (bitchx
and ssh) you can indeed appear to be 2 different ip address to 2 different
services/destinations...

>
> Can I have more than 1 address with DHCP in the same time?
>

I believe you could do multiple dhcp addresses for multiple interfaces on
one box. atleast with a modernish unix that seems quite feasible.

> >>
> >> Have you tried to find out in a IPv4 NAT environment where the virus/worm
> >> flood is coming? - Most of the situation it is coming from the NAT box -
> >
> > actually that's kind of my daily job... it seems to work fine for me so
> > far.
>
> Because you have all the tools and knowledge. But most of the
> users/admins do not have these.

perhaps... but tcpdump/snort/<pc-sniffer-of-choice> will make that problem
easy for them as well.

>
> >
> >> not because NAT box was infected, but because nodes behind NAT was
> >> infected. Most of the cases admins of the networks behind NAT boxes not
> >> knowledgeable enough where to look in this cases. So IPv6 can improve e2e
> >> accountability that is part of the security.
> >>
> >
> > because it removes the 'requirement' for NAT? or in some other magical
> > way? If you look/listen to the users of NAT, a large proportion of them
> > will continue to use NAT in v6 (or have stated they will)... I'm not sure
> > your above arguement is as valid as you'd like it to be :(
>
> Probably they will use NAT for IPv4, because they don't have other option,
> but they will use IPv6 with proper stateful firewall. Argument that NAT is
> providing security is not valid....
>

the arguement is that NAT is required because people want it, regardless
of your engineering arguement about how ugly nat and v6 is/will-be :(