[LINK] www.ipv6.org.au/summit

Kim Holburn kim.holburn at gmail.com
Sun Aug 31 17:37:45 AEST 2008


On 2008/Aug/31, at 8:00 AM, Jon Seymour wrote:

> On Sun, Aug 31, 2008 at 3:30 PM, Karl Auer <kauer at biplane.com.au> wrote:
>> Perhaps my point would be better stated as "NAT provides no security
>> benefit that cannot be obtained from a simple packet filter".

I don't agree with this really.  A NAT router provides quite good
security even if installed by an idiot.  A simple packet filter is
considerably harder to install, requires some knowledge of the network
topology and uses public IP numbers which are not cheap for
consumers.  The decision of how many IP numbers to put in is kind of
fixed and may stop the consumer adding devices at some point without
understanding the network.  It would be a network design disaster
waiting to happen for most people.  A simple packet filter gives away
all sorts of info.  It may be possible to flood it in such a way as to
allow access to one or more machines behind it.  A NAT router does not
allow this because there simply is no route in.

> Agreed. I also agree that pushing NATs towards the core is absolutely the
> wrong thing to be doing, but I think there is probably a certain economic
> inevitability in it unless Governments get serious about providing the right
> incentives to enable adoption of IPv6.

I remember reasonably recently reading a paper by one of the early
internet pioneers (I can't remember who at the moment, perhaps it was
Van Jacobson) saying that TCP/IP was designed for a different
time and some aspects of the design are not necessarily appropriate to
today's internet.  For instance the ability for any host on the
internet to contact any other host at full speed leads to serious
security issues.  Pushing NAT up the chain is bad but it is a response
to some of the serious security problems with today's internet.  Not
at all a good response and probably not an effective response when
what is probably needed is some redesign.  Maybe IPv6 has some of this
covered, I don't know enough about it.

> My own preference would be to establish a tax on the use of IPv4 address
> space which would provide an incentive for people to start using IPv6. What
> we absolutely don't want to do is to create a market for IPv4 address space.
> Creating a market for IPv4 address space would create forces with powerful
> vested interests in the failure of IPv6 [ because adoption of IPv6 would
> devalue the IPv4 address market, were such a thing to exist ].
>
> Unfortunately, I have no faith that this Government is enlightened enough to
> set up the right incentives. If anything they are more likely to welcome the
> possibilities of more centralized control of the net that
> NAT-towards-the-core offers.
>
> jon.

--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294  M: +39 3494957443
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request

Democracy imposed from without is the severest form of tyranny.
                           -- Lloyd Biggle, Jr. Analog, Apr 1961
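Karl Auer's claim that a packet filter can match NAT's "no route in" property, as an added example that is not part of the thread: a shell function that writes an nftables ruleset (interface names `wan0` and `lan0` are assumptions) in which a stateful filter alone drops every unsolicited inbound connection, for IPv6 as well as IPv4, and the IPv4 masquerade rule sits in a separate, optional table.

```shell
#!/bin/sh
# Added example: stateful filter that drops unsolicited inbound traffic for
# IPv4 and IPv6 alike (family inet); NAT is kept separate and optional.
# Interface names wan0/lan0 are assumptions, not taken from the thread.
set -eu

write_ruleset() {
  # $1 = output path; load on a router with: nft -f "$1"
  cat > "$1" <<'EOF'
flush ruleset

# Stateful filter: this alone gives hosts behind the router "no route in".
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    # Required for IPv6 to function (neighbour discovery, router advertisements).
    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    iif "lan0" accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # Only connections initiated from the LAN side may cross the router.
    iif "lan0" oif "wan0" accept
  }
}

# Optional IPv4 address sharing. The isolation above does not depend on it
# and applies unchanged to IPv6, where no masquerading is needed.
table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100;
    oif "wan0" masquerade
  }
}
EOF
}

ruleset_has() {
  # $1 = ruleset path, $2 = literal string expected in it; lets the
  # generated file be checked without nft installed.
  grep -qF -- "$2" "$1"
}
```

The `inet` family applies the same chains to both IP versions, so removing the `ip nat` table when moving to IPv6 leaves the inbound protection intact.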