Re: Access to the IPv4 net for IPv6-only systems, was: Re: WG Action: Conclusion of IP Version 6 (ipv6)

From: Stephen Sprunk (no email)
Date: Tue Oct 02 2007 - 10:10:20 EDT

  • Next message: Mark Newton: "Re: Access to the IPv4 net for IPv6-only systems, was: Re: WG Action: Conclusion of IP Version 6 (ipv6)"

    Thus spake "Iljitsch van Beijnum" <>
    > On 2-okt-2007, at 15:05, Adrian Chadd wrote:
    >> Please explain how you plan on getting rid of those protocol-
    >> aware plugins when IPv6 is widely deployed in environments
    >> with -stateful firewalls-.
    >
    > You just open up a hole in the firewall where appropriate.
    >
    > You can have an ALG, the application or the OS do this. As you probably
    > know by now, I don't favor the ALG approach.

    You obviously have no experience working in security. You can't trust the
    OS (Microsoft? hah!), you can't trust the application (malware), and you
    sure as heck can't trust the user (industrial espionage and/or social
    engineering). The only way that address-embedding protocols can work
    through a firewall, whether it's doing NAT or not, is to use an ALG.

    The defense and healthcare industries will force vendors to write those ALGs
    (actually, make minor changes to existing ones) if they care about the
    protocols in question because they have no choice -- security is the law.
    And, once those ALGs are available, everyone else will use them.

    Even for home users, most have zero clue how to "open a hole" in their home
    firewall. Consumer OSes are far, far too insecure to let them sit exposed
    without a firewall by default (you can't even patch a Windows system before
    it's hacked), and we can't trust end users not to run malware that will open
    holes for them.

    >> End-to-end-ness is and has been "busted" in the corporate
    >> world AFAICT for a number of years. IPv6 "people" seem to
    >> think that simply providing globally unique addressing to all
    >> endpoints will remove NAT and all associated trouble. Guess
    >> what - it probably won't.
    >
    > If you don't want end-to-end, be a man (or woman) and use a
    > proxy. Don't tell the applications that they are connected to the
    > rest of the world and then pull the rug from under them. This
    > works in IPv4 today but don't expect this to carry over to IPv6.
    > At least not without a long, bloody fight.

    If you think anyone will be deploying v6 without a stateful firewall, you're
    delusional. That battle is long over. The best we can hope for is that
    those personal firewalls won't do NAT as well.

    S

    Stephen Sprunk          "God does not play dice." --Albert Einstein
    CCIE #3723              "God is an inveterate gambler, and He throws the
    K5SSS                   dice at every possible opportunity." --Stephen Hawking

