[arin-ppml] IPv6 Non-connected networks

Michael Richardson mcr at sandelman.ca
Mon Mar 22 20:48:52 EDT 2010


>>>>> "Chris" == Chris Engel <cengel at sponsordirect.com> writes:
    Chris> Owen Delong wrote:



    Chris> # ULA-C isn't going to be blocks which don't work on the
    Chris> internet. It's # going to be blocks which people expect not
    Chris> to work on the internet, but, # really they do under some
    Chris> circumstances.  End result, a false sense of security which
    Chris> is # worse than no security.

    Chris> # NAT != Security # Address Obfuscation != Security #
    Chris> Misconfiguration == Insecurity

    Chris> # Belief otherwise merely increases risk.


    Chris> I've got to take some issue with your above statements
    Chris> Owen. NAT and Address Obfuscation ARE security mechanisms
    Chris> (albeit not fool-proof ones, but I've yet to see a fool-proof

This is what security experts (LIKE MYSELF) call:
     depth-in-security

I regularly argue with these johnny-come-lately security "experts",
because they rarely understand the tradeoffs of each layer of security.

The major advantage of ULA-C is that it provides a much better way to
audit what is what, particularly when there are multiple organizations
connecting together in various ways.

It also permits sane auditing of multiple remote-access connections from
laptops/etc. for visiting consultants, etc.

ULA-C for NCN is much more robust than "tainted" GUA as far as failing
closed. 

But, for it to have any value over RFC1918 (i.e. NOT USING IPv6), it has
to solve problems which RFC1918 has caused. 

Split-DNS is one of those things. (I started implementing split-DNS
systems back in 1992... It was useable then because nobody had
laptops.  By the time it became universal for enterprises, it was
unworkably useless, and /etc/hosts or literal IPs began to replace it)

-- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
	               then sign the petition. 


