Re: [fw-wiz] Off topic: Any one know of a good IPV6 reference book?

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 07/30/03

    To: Jonn Martell <jonn.martell@ubc.ca>
    Date: Wed, 30 Jul 2003 10:26:00 -0400
    
    

    I'm going to try to wrench this topic back to security, after
    having taken a heavy-handed swat at the standards geeks. ;)

    Jonn Martell wrote:
    >Doesn't V6 allow for end-to-end encryption and authentication?

    Well, if that's what you want, why not use the (various) IPV4
    ESP and AH implementations? Or SSH/SSL?

    From a meta-level, before you throw encryption into a security
    solution, ask yourself "what am I trying to accomplish?" I happen
    to believe that adding crypto into your network layer is pointless.
    Basically, all it gives you is node-to-node trust. Node-to-node
    trust is not exactly great, viz: .rhosts, NFS - they don't work
    very well in environments where an untrusted user can gain
    even a small toe-hold. People are just now *starting* to realize
    that VPNs have a transitive trust problem. Node-to-node does
    not address transitive trust effectively. IMO. If crypto is the answer,
    what is the question?

    But if crypto is what you need, you can field it virtually instantly
    using app-space crypto. Switching your whole network architecture
    over just to get the same benefits you can get with SSH/SSL
    seems like a lot of work to go through to avoid having to install
    a single app on your client or server.

    >That would solve a lot of issues for secure networks.

    I really believe that IP crypto does not actually solve any
    significant security problem in a compelling or useful manner.

    > And with the cap off addresses, it should make things very interesting.

    If by "interesting" you mean "unmanageable" I've got to agree. :)

    What frustrates me about the whole IPV6 thing is that the nominal
    reason for it was because of the address space issues. But there
    were so many simpler options available that nobody wanted to
    take because, frankly, everyone wanted to be part of the fun of
    making up the next big standard. Which was *exactly* the
    mindset that made the ISO protocols a slowly-developing
    trainwreck. Suggestions for simpler (and equally effective)
    approaches were shot down because implementing them would
    have been less *fun*. My favorite was my buddy Andrew's
    idea: quadruple the address space size, left-fill with zeroes,
    bump the version number, and use GPS coordinates on the
    left side of the address so that each individual square foot
    of the planet had its own class C network. Of course you'd
    need to re-do the routing infrastructure but you'll have to do
    that with V6 anyhow... Or just double the address space,
    bump the version, and left-fill with CIDR-style addresses
    and let Moore's law take care of the backbone router
    capacity issues...

    Anyhow, there were approaches to the address space
    problem that were never investigated by the standards
    priesthood because, well, they didn't give people a chance
    to write gnarly code and re-design packet headers. Remember,
    these standards guys are the same guys who called
    SNMP "Simple..." their idea of a good time does not
    produce efficient, effective real-world solutions.

    > It will change the Internet so that unauthenticated traffic will get a different class of service.

    No, it won't. Why? Because if that was going to happen, it would have
    happened already. The technical underpinnings to do that already
    exist; yet nobody is doing it. Most of the traffic on the Internet is
    unauthenticated!! The trust model won't be much better than if you
    just went into a load balancer and prioritized SSL, SSH, and known
    IP addresses as higher priority than anything else. We can do that
    today, but we don't - because it wouldn't make much difference and
    it's a pain to manage.

    >NAT was a hack and although it works fine for small environments it falls apart for large user networks. The lack of auditing is a pure nightmare for tracking down abuse from the inside in a large network.

    NAT is an appalling hack. NAT is an abomination. But I won't
    apologize for it. When I first started building firewalls, I NATed
    networks not in order to save IP addresses, but because most
    companies had existing networks with existing address ranges
    and didn't want to re-address their whole infrastructure just to
    get on the Internet. Does that sound familiar? My guess is that
    the same logic will keep a lot of organizations from re-addressing
    just to get the intangible benefits of IPV6. It wasn't until the mid
    1990's that IP addresses became a commodity and ISPs started
    shoving NAT down their customers' throats. But now everyone
    already has networks. Unless someone can show that IPV6
    is going to solve some problem that is SO VALUABLE it
    justifies rebuilding networks. NAT + inertia is gonna kill IPV6...

    >I applaud the DOD efforts, they created the Internet and I have no doubt that mandating V6 will tip the scales for adoption. They did this in the early '80s with IP, they'll do it again.

    It depends on the degree of the mandate. You may call me cynical
    but I lived through "C2 by '92" and I don't believe that mandates mean
    anything unless they are enforced and enforceable.

    >PS This is the first time that I find myself disagreeing with Marcus...

    You're in good company, if you do!!! :) Most of the smartest
    people I know disagree with me about something or other!! :)
    It's a badge of distinction! :)

    mjr.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

