[arin-ppml] IPv6 Non-connected networks

William Herrin bill at herrin.us
Tue Mar 23 14:24:06 EDT 2010


On Mon, Mar 22, 2010 at 7:01 PM, Owen DeLong <owen at delong.com> wrote:
> On Mar 22, 2010, at 3:34 PM, Chris Engel wrote:
>> Owen Delong wrote:
>> # ULA-C isn't going to be blocks which don't work on the internet. It's
>> # going to be blocks which people expect not to work on the internet, but,
>> # really they do under some circumstances.  End result, a false sense of security which is
>> # worse than no security.
>>
>> # NAT != Security
>> # Address Obfuscation != Security
>> # Misconfiguration == Insecurity
>>
>> # Belief otherwise merely increases risk.
>>
>>
>> I've got to take some issue with your above statements Owen. NAT and Address Obfuscation ARE security mechanisms (albeit not fool-proof ones, but I've yet to see a fool-proof mechanism). Most Enterprise Admins I know commonly regard them as such...MOST dedicated IT Security people I've talked to regard them as such. PCI reg's require them as such... and pretty much every security audit I've been through that involves a regulated industry (Financial, Health, etc) has included them as such.
>>
> Nope... Stateful inspection is a security mechanism.  NAT and Address Obfuscation are crutches which most people use to make sure that Stateful Inspection is working because they cannot work without it.
>
> The mere fact that this myth is widespread among things like PCI does not make it any more accurate.


No offense Owen, but you're talking out the wrong hole on this one.
Security devices which tend to fail closed are more secure than
devices which tend to fail open. Firewalls fail towards being routers.
It's the nature of TCP/IP - all but the most trivial of hosts are also
capable of being routers. With translation in effect, that failure
process renders the system non-operational and is immediately
noticeable. Without translation the failure process renders the system
open to attack and won't be promptly noticed since everything expected
to work still does.

It's part and parcel to TCP/IP's basic architecture, an architecture
that hasn't appreciably changed in IPv6.


> not valid. As such, I would rather see us implement a one-policy, one-
> price strategy for both tainted and non-tainted addresses and have
> the RIRs issuing both types than have some other system outside of
> the RIRs develop for the administration of tainted addresses.

Because "one size fits all" works so well in general and the needs of
the non-connected or privately interconnected network are so obviously
identical to the needs of the Internet-connected network.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004


