Rate of growth on IPv6 not fast enough?
Matthew Kaufman
matthew at matthew.at
Fri Apr 23 17:34:18 UTC 2010
Matthew Kaufman wrote:
> Jack Bates wrote:
>> Matthew Kaufman wrote:
>>> But none of this does what NAT does for a big enterprise, which is
>>> to *hide internal topology*. Yes, addressing the privacy concerns
>>> that come from using lower-64-bits-derived-from-MAC-address is
>>> required, but it is also necessary (for some organizations) to make
>>> it impossible to tell that this host is on the same subnet as that
>>> other host, as that would expose information like which host you
>>> might want to attack in order to get access to the financial or
>>> medical records, as well as whether or not the executive floor is
>>> where these interesting website hits came from.
>>>
>>
>> Which is why some firewalls already support NAT for IPv6 in some form
>> or fashion. These same firewalls will also usually have layer 7
>> proxy/filtering support as well. The concerns and breakage of a
>> corporate network are extreme compared to non-corporate networks.
> Agreed on the last point. And I'm following up mostly because I've
> received quite a few private messages that resulted from folks
> interpreting "hide internal topology" as "block access to internal
> topology" (which can be done with filters). What I mean when I say
> "hide internal topology" is that a passive observer on the outside,
> looking at something like web server access logs, cannot tell how many
> subnets are inside the corporation or which accesses come from which
> subnets. (And preferably, cannot tell whether or not two different
> accesses came from the same host or different hosts simply by
> examining the IP addresses... but yes, application-level cooperation
> -- in the form of a browser which keeps cookies, as an example -- can
> again expose that type of information)
>
And to further clarify, I don't think "hide internal topology" is
actually something that needs to happen (and can show several ways in
which it can be completely violated, including using the browser and/or
browser plugins to extract the internal addresses and send them to a
server somewhere which can map it all out). But it *is* present as a
mandatory checklist item on at least one HIPAA and two SOX audit
checklists I've seen... and IT departments in major corporations care
much more these days about getting a clean SOX audit than they do about
providing connectivity... and given how each affects the stock price,
that's not surprising.
Matthew Kaufman
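As an added example, not part of this NANOG thread and not code from any of its posters, the following Python script shows concretely what the "passive observer looking at web server access logs" can infer from IPv6 client addresses alone, so that an operator can audit what their own logs expose. The log lines, the 2001:db8::/32 prefixes and the translation addresses are all constructed for illustration. It groups clients by /64, flags interface identifiers that carry the ff:fe marker of a MAC-derived EUI-64 address, and then re-runs the same report after two kinds of address rewriting: a 1:1 prefix translation (which keeps the subnet ID and interface identifier, so it hides nothing about topology) and a many-to-one masquerade (which collapses every host to one address).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the thread): combined-log
# entries from an IPv6-only site, clients in the documentation prefix 2001:db8::/32.
SAMPLE_LOG = """\
2001:db8:1:10::1a2b - - [23/Apr/2010:17:34:18 +0000] "GET / HTTP/1.1" 200 512
2001:db8:1:10:0211:22ff:fe33:4455 - - [23/Apr/2010:17:34:20 +0000] "GET /a HTTP/1.1" 200 100
2001:db8:1:20::7 - - [23/Apr/2010:17:35:01 +0000] "GET /b HTTP/1.1" 200 100
2001:db8:1:20::7 - - [23/Apr/2010:17:35:09 +0000] "GET /c HTTP/1.1" 200 100
2001:db8:1:30:0211:22ff:fe99:0001 - - [23/Apr/2010:17:36:00 +0000] "GET /d HTTP/1.1" 200 100
"""

# The client address is the first whitespace-delimited field of each line.
LOG_RE = re.compile(r'^(\S+) ')


def client_addresses(log_text):
    """Return the IPv6 client address of each parsable log line."""
    addrs = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            addrs.append(ipaddress.IPv6Address(m.group(1)))
        except ValueError:
            continue  # not an IPv6 literal; skip
    return addrs


def subnet_of(addr):
    """The /64 the address sits in: the unit an outside observer groups by."""
    return ipaddress.IPv6Network((addr, 64), strict=False)


def is_eui64_iid(addr):
    """True when the interface identifier carries the ff:fe marker that a
    MAC-derived (modified EUI-64) identifier has in bytes 11 and 12."""
    b = addr.packed
    return b[11] == 0xFF and b[12] == 0xFE


def topology_report(log_text):
    """What addresses alone reveal: how many /64s, hosts per /64, and
    which hosts leak a MAC-derived interface identifier."""
    per_subnet = defaultdict(set)
    leaking = set()
    for addr in client_addresses(log_text):
        per_subnet[subnet_of(addr)].add(addr)
        if is_eui64_iid(addr):
            leaking.add(addr)
    return {
        "subnet_count": len(per_subnet),
        "hosts_per_subnet": {str(n): len(h) for n, h in per_subnet.items()},
        "eui64_hosts": sorted(str(a) for a in leaking),
    }


def rewrite_clients(log_text, mapper):
    """Rewrite the client address of every line with mapper(addr)."""
    out = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            try:
                new = mapper(ipaddress.IPv6Address(m.group(1)))
                line = str(new) + line[m.end(1):]
            except ValueError:
                pass
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed prefixes/addresses for the two translation models.
INSIDE = ipaddress.IPv6Network("2001:db8:1::/48")      # assumed internal /48
OUTSIDE = ipaddress.IPv6Network("2001:db8:ffff::/48")  # assumed translated /48
PUBLIC = ipaddress.IPv6Address("2001:db8:ffff::1")     # assumed single masquerade address


def prefix_translate(addr):
    """1:1 prefix translation: swap the /48, keep subnet ID and IID untouched."""
    host_bits = int(addr) & ((1 << 80) - 1)
    return ipaddress.IPv6Address(int(OUTSIDE.network_address) | host_bits)


def masquerade(addr):
    """Many-to-one translation: every inside host appears as one address."""
    return PUBLIC


if __name__ == "__main__":
    print("untranslated:", topology_report(SAMPLE_LOG))
    print("prefix-translated:", topology_report(rewrite_clients(SAMPLE_LOG, prefix_translate)))
    print("masqueraded:", topology_report(rewrite_clients(SAMPLE_LOG, masquerade)))
```

Run against the sample, the untranslated log shows three subnets and two hosts whose interface identifiers embed a MAC; the prefix-translated log shows exactly the same three subnets and the same two leaks, just under a different /48; only the masquerade collapses the report to one subnet, one host and no leaks. That is the distinction the thread draws between filtering access to topology and hiding it from a passive observer.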