Re: Creating demand for IPv6

[Mark Smith <nanog () 85d5b20a518b8f6864949bd940457dc124746ddc nosense org>]

On Tue, 2 Oct 2007 23:20:54 -0400
"William Herrin" <herrin-nanog () dirtside com> wrote:

> On 10/2/07, Randy Bush <randy () psg com> wrote:
> > > During early phase of free pool exhaustion, when you can't deliver
> > > more IPv4 addresses to your customers you lose the customer to a
> > > hosting provider who still has addresses left. So sorry. Those will be
> > > some nasty years. Unless you're Cogent, Level3 or one of the others
> > > sitting pretty on a /8. They'll be in phat city.
> >
> > this is a very real and significant problem.  a very small fraction of
> > the arin membership holds the vast majority of the address space.  it
> > would be interesting to ask arin to give us the cdf of this.
<snip>

> I'd love to have an Internet where all firewalls were packet filters.
> But that's not my call. That's the call of hundreds of thousands of
> network security officers who have NAT written in stone at the core of
> their security process. Tying NAT's abandonment to IPv6's deployment
> won't change their minds but it will doom IPv6.

The value of network perimeterisation as a security measure, of which
NAT is a method, is being questioned significantly by network security
people. The obvious example of why it is being questioned is when the
CEO brings their laptop inside the "gooey" centre, bypassing the "hard
shell" corporate firewalling/NAT box, and infecting all the devices on
the corporate network with the malware they've caught from their home
broadband connection.

"The de-perimeterization solution Solution

While traditional security solutions like network boundary technology
will continue to have their roles, we must respond to their
limitations. In a fully de-perimeterized network, every component will
be independently secure, requiring systems and data protection on
multiple levels, using a mixture of

    * encryption
    * inherently-secure computer protocols
    * inherently-secure computer systems
    * data-level authentication"

http://www.opengroup.org/jericho/

Having found out about this project, I spoke to a friend of mine in the
local state government (around 10 000+ public servants) i.e. not a big
one, not a prominent one, and not likely to be a early adopter of
different IT security models. They're moving to this model in the very
near future, because they have to.

> > So if more addresses was "thoroughly mitigated by NAT", when were these
> > problems that NAT creates fixed?
> > http://www.cs.utk.edu/~moore/what-nats-break.html
>
> Many of those never were meaningful problems and most of the rest have
> been obsoleted by the changing reality of network security on the
> Internet. Things like controlling the source port meant something once
> upon a time, but they have no place in a modern security
> infrastructure. That would be true with or without NAT.
>
> The -real- problems with NAT can be summed up in two statements:
>
> 1. NAT makes it more difficult to engage in certain popular activities
> that strictly speaking are against the TOS.
>
> 2. NAT makes logging and accountability more difficult.
>
> Regards,
> Bill Herrin
>
>
>
> -- 
> William D. Herrin                  herrin () dirtside com  bill () herrin us
> 3005 Crane Dr.                        Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004


-- 

        "Sheep are slow and tasty, and therefore must remain constantly
         alert."
                                   - Bruce Schneier, "Beyond Fear"