[arin-ppml] IPv6 Non-connected networks
mcr at sandelman.ca
Mon Mar 22 20:48:52 EDT 2010
>>>>> "Chris" == Chris Engel <cengel at sponsordirect.com> writes:
Chris> Owen Delong wrote:
Chris> # ULA-C isn't going to be blocks which don't work on the
Chris> internet. It's # going to be blocks which people expect not
Chris> to work on the internet, but, # really they do under some
Chris> circumstances. End result, a false sense of security which
Chris> is # worse than no security.
Chris> # NAT != Security # Address Obfuscation != Security #
Chris> Misconfiguration == Insecurity
Chris> # Belief otherwise merely increases risk.
Chris> I've got to take some issue with your above statements
Chris> Owen. NAT and Address Obfuscation ARE security mechanisms
Chris> (albiet not fool-proof ones, but I've yet to see a fool-proof
This is what security experts (LIKE MYSELF) call:
I regularly argue with these johnny-come-lately security "experts",
because they rarely understand the tradeoffs of each layer of security.
The major advantage of ULA-C is that is provides a much better way to
audit what is what, particularly when there are multiple organizations
connecting together in various ways.
It also permits sane auditing of multiple remote-access connections from
laptops/etc. for visiting consultants, etc.
ULA-C for NCN is much more robust than "tainted" GUA as far as failing
But, for it to have any value over RFC1918 (i.e. NOT USING IPv6), it has
to solve problems which RFC1918 has caused.
Split-DNS is one of those things. (I started implementing split-DNS
systems back in 1992... It was useable then because nobody had
laptops. By the time it became universal for enterprises, it was
unworkably useless, and /etc/hosts or literal IPs began to replace it)
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
then sign the petition.
More information about the ARIN-PPML