Rate of growth on IPv6 not fast enough?

Matthew Kaufman matthew at matthew.at
Fri Apr 23 17:16:10 UTC 2010


Jack Bates wrote:
> Matthew Kaufman wrote:
>> But none of this does what NAT does for a big enterprise, which is to 
>> *hide internal topology*. Yes, addressing the privacy concerns that 
>> come from using lower-64-bits-derived-from-MAC-address is required, 
>> but it is also necessary (for some organizations) to make it 
>> impossible to tell that this host is on the same subnet as that other 
>> host, as that would expose information like which host you might want 
>> to attack in order to get access to the financial or medical records, 
>> as well as whether or not the executive floor is where these 
>> interesting website hits came from.
>>
>
> Which is why some firewalls already support NAT for IPv6 in some form 
> or fashion. These same firewalls will also usually have layer 7 
> proxy/filtering support as well. The concerns and breakage of a 
> corporate network are extreme compared to non-corporate networks.
Agreed on the last point. And I'm following up mostly because I've 
received quite a few private messages that resulted from folks 
interpreting "hide internal topology" as "block access to internal 
topology" (which can be done with filters). What I mean when I say "hide 
internal topology" is that a passive observer on the outside, looking at 
something like web server access logs, cannot tell how many subnets are 
inside the corporation or which accesses come from which subnets. (And 
preferably, cannot tell whether or not two different accesses came from 
the same host or different hosts simply by examining the IP addresses... 
but yes, application-level cooperation -- in the form of a browser which 
keeps cookies, as an example -- can again expose that type of information.)


Matthew Kaufman
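As an added illustration (not code from the original thread), this is the kind of passive analysis Matthew describes: given web-server access log lines carrying IPv6 client addresses, group them by /64 to see how many subnets the log exposes, which accesses come from which subnet, and which hosts use a MAC-derived (EUI-64) interface identifier that stays stable over time. The log lines, addresses and helper names below are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed access-log lines (not real traffic), combined-log style with the
# IPv6 client address as the first field. Addresses are documentation prefix
# 2001:db8::/32 and are made up for this example.
SAMPLE_LOG = """\
2001:db8:10:1:211:22ff:fe33:4455 - - [23/Apr/2010:17:16:10 +0000] "GET / HTTP/1.1" 200 512
2001:db8:10:1:211:22ff:fe33:4455 - - [23/Apr/2010:17:16:12 +0000] "GET /a HTTP/1.1" 200 128
2001:db8:10:1:b1c2:d3e4:f506:1728 - - [23/Apr/2010:17:17:01 +0000] "GET /b HTTP/1.1" 200 64
2001:db8:10:7:0:0:0:10 - - [23/Apr/2010:17:18:30 +0000] "GET /c HTTP/1.1" 200 64
2001:db8:10:7:8a9b:acbd:cedf:e0f1 - - [23/Apr/2010:17:19:00 +0000] "POST /d HTTP/1.1" 302 0
"""

CLIENT_RE = re.compile(r"^(\S+)\s")


def mac_from_eui64(addr_text: str):
    """Return the MAC embedded in a modified-EUI-64 interface identifier
    (bytes 11-12 of the address are ff:fe), or None if the IID is not
    MAC-derived. The U/L bit of the first MAC byte is flipped back."""
    b = ipaddress.IPv6Address(addr_text).packed
    if b[11] != 0xFF or b[12] != 0xFE:
        return None
    mac = bytes([b[8] ^ 0x02]) + b[9:11] + b[13:16]
    return ":".join(f"{x:02x}" for x in mac)


def topology_view(log_text: str, prefixlen: int = 64) -> dict:
    """What a passive observer of the log can infer: each /64 subnet seen,
    the distinct hosts inside it, the hit count, and which hosts carry a
    stable MAC-derived IID (also revealing the NIC vendor via the OUI)."""
    subnets = defaultdict(lambda: {"hosts": set(), "eui64_hosts": set(), "hits": 0})
    for line in log_text.splitlines():
        m = CLIENT_RE.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.IPv6Address(m.group(1))
        except ValueError:
            continue  # not an IPv6 client; skip
        net = ipaddress.IPv6Network((int(addr), prefixlen), strict=False)
        entry = subnets[str(net)]
        entry["hits"] += 1
        entry["hosts"].add(str(addr))
        if mac_from_eui64(str(addr)) is not None:
            entry["eui64_hosts"].add(str(addr))
    return dict(subnets)
```

Run against your own externally visible logs, the output is a direct measure of how much internal structure leaks without any address translation in front of the hosts.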
