[LINK] www.ipv6.org.au/summit
Kim Holburn
kim.holburn at gmail.com
Sun Aug 31 17:37:45 AEST 2008
On 2008/Aug/31, at 8:00 AM, Jon Seymour wrote:
> On Sun, Aug 31, 2008 at 3:30 PM, Karl Auer <kauer at biplane.com.au>
> wrote:
>> Perhaps my point would be better stated as "NAT provides no security
>> benefit that cannot be obtained from a simple packet filter".
I don't agree with this really. A NAT router provides quite good
security even if installed by an idiot. A simple packet filter is
considerably harder to install, requires some knowledge of the network
topology and uses public IP numbers which are not cheap for
consumers. The decision of how many IP numbers to put in is kind of
fixed and may stop the consumer adding devices at some point without
understanding the network. It would be a network design disaster
waiting to happen for most people. A simple packet filter gives away
all sorts of info. It may be possible to flood it in such a way as to
allow access to one or more machines behind it. A NAT router does not
allow this because there simply is no route in.
> Agreed. I also agree that pushing NATs towards the core is absolutely the
> wrong thing to be doing, but I think there is probably a certain economic
> inevitability in it unless Governments get serious about providing the right
> incentives to enable adoption of IPv6.
I remember reasonably recently reading a paper by one of the early
internet pioneers (I can't remember who at the moment, perhaps it was
Van Jacobson) saying that TCP/IP was designed for a different
time and some aspects of the design are not necessarily appropriate to
today's internet. For instance the ability for any host on the
internet to contact any other host at full speed leads to serious
security issues. Pushing NAT up the chain is bad but it is a response
to some of the serious security problems with today's internet. Not
at all a good response and probably not an effective response when
what is probably needed is some redesign. Maybe IPv6 has some of this
covered, I don't know enough about it.
> My own preference would be to establish a tax on the use of IPv4 address
> space which would provide an incentive for people to start using IPv6. What
> we absolutely don't want to do is to create a market for IPv4 address space.
> Creating a market for IPv4 address space would create forces with powerful
> vested interests in the failure of IPv6 [ because adoption of IPv6 would
> devalue the IPv4 address market, were such a thing to exist ].
>
> Unfortunately, I have no faith that this Government is enlightened enough to
> set up the right incentives. If anything they are more likely to welcome the
> possibilities of more centralized control of the net that
> NAT-towards-the-core offers.
>
> jon.
--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294 M: +39 3494957443
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
Democracy imposed from without is the severest form of tyranny.
-- Lloyd Biggle, Jr. Analog, Apr 1961
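Editor's added example, not code posted by anyone in this thread: a stateful packet filter for a small site with global IPv6 addresses and no NAT, showing the default-deny-inbound posture that the "no route in" property of a NAT router actually rests on. The interface names lan0/wan0 and the 2001:db8 addresses are assumed placeholders (2001:db8::/32 is the documentation prefix).

```nftables
#!/usr/sbin/nft -f
# Stateful IPv6 filter with no address translation (added example).
# Assumptions: lan0 faces the inside network, wan0 faces the ISP, and
# 2001:db8:1234:1::80 is a placeholder address for one exposed server.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to connections the router itself opened.
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # IPv6 needs Neighbor Discovery and path MTU signalling to work at all.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, packet-too-big, echo-request } accept

        # Router management only from the inside.
        iifname "lan0" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows the inside opened. This single rule is what
        # gives an IPv6 site the "no unsolicited way in" behaviour that a NAT
        # router is usually credited with, without rewriting any addresses.
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may open connections outward.
        iifname "lan0" oifname "wan0" accept

        # Path MTU and ping through the router still work both ways.
        icmpv6 type { packet-too-big, echo-request } accept

        # Everything else from the outside is dropped by policy. Exposing one
        # service is an explicit, auditable rule rather than a port forward:
        iifname "wan0" ip6 daddr 2001:db8:1234:1::80 tcp dport 443 accept
    }
}
```

On Linux, NAT is built on the same connection-tracking table this ruleset uses, so a flood that fills that table affects both designs alike; with `policy drop` the filter fails closed, since new packets are dropped rather than admitted when tracking cannot keep up.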