[arin-ppml] IPv6 Non-connected networks
Owen DeLong
owen at delong.com
Mon Mar 22 23:22:23 EDT 2010
>
> This is what security experts (LIKE MYSELF) call:
> depth-in-security
>
This is most definitely the shallow end of "defense-in-depth" which is
what those of us who have been around long enough to remember
the era before Brent Chapman wrote a book on the subject call it.
>
> The major advantage of ULA-C is that it provides a much better way to
> audit what is what, particularly when there are multiple organizations
> connecting together in various ways.
>
A better way to audit than what? Since you haven't identified what you
are comparing it to in this statement, it is unclear whether you mean
GUA, ULA-Random, what I am calling GUA-Tainted (which does not
necessarily have any distinction on the wire from ULA-C, only in the
policy and fee structure details), or some other idea.
> It also permits sane auditing of multiple remote-access connections from
> laptops/etc. for visiting consultants, etc.
>
Again, I don't see the distinction here, but, maybe with a distinct point of
comparison, that would be easier.
> ULA-C for NCN is much more robust than "tainted" GUA as far as failing
> closed.
>
Still not seeing it. ULA-C is a set of numbers tagged as not-routable by
address policy convention.
GUA-Tainted is a set of numbers tagged as not-routable by address
policy convention.
In fact, I have repeatedly explained that implementation of GUA-Tainted
from the ULA-C number block would be a fine idea. As such, I'm not sure
what distinction you are seeing in GUA-Tainted from ULA-C. There must
be some depth to the on-wire security implications of address assignment
methodologies not apparent on the wire that I am not getting. Please
do enlighten me.
> But, for it to have any value over RFC1918 (i.e. NOT USING IPv6), it has
> to solve problems which RFC1918 has caused.
>
Exactly.
> Split-DNS is one of those things. (I started implementing split-DNS
> systems back in 1992... It was usable then because nobody had
> laptops. By the time it became universal for enterprises, it was
> unworkably useless, and /etc/hosts or literal IPs began to replace it)
>
Agreed.
As I said earlier, we are, I believe, arguing over form and not substance.
In addition to the community of users who want tainted address space
(whether you call it ULA-C or GUA-Tainted), there exists a community
of users that wants non-tainted address space for networks that are
not connected now, but, may be connected at some other time or may
connect and disconnect multiple times over some time period.
My proposal is to meet BOTH sets of needs using broader GUA policies
with an ability to provide "tainted" GUA (as I said, this could _BE_ ULA-C)
to those who request it.
However, I stand by the assertion that ULA-C or GUA-Tainted being
made available on a basis which is different (easier or cheaper) from
the policies under which GUA is made available will lead to accepted
(ab)use of ULA-C/GUA-Tainted in ways which:
1. Reduce its value as distinct for security purposes.
2. Reduce its value as distinct for routing purposes.
Owen