Re: [fw-wiz] Off topic: Any one know of a good IPV6 reference book?
From: Marcus J. Ranum (mjr_at_ranum.com)
To: Jonn Martell <firstname.lastname@example.org>
Date: Wed, 30 Jul 2003 10:26:00 -0400
I'm going to try to wrench this topic back to security, after
having taken a heavy-handed swat at the standards geeks. ;)
Jonn Martell wrote:
>Doesn't V6 allow for end-to-end encryption and authentication?
Well, if that's what you want, why not use the (various) IPV4
ESP and AH implementations? Or SSH/SSL?
From a meta-level, before you throw encryption into a security
solution, ask yourself "what am I trying to accomplish?" I happen
to believe that adding crypto into your network layer is pointless.
Basically, all it gives you is node-to-node trust. Node-to-node
trust is not exactly great, viz: .rhosts, NFS - they don't work
very well in environments where an untrusted user can gain
even a small toe-hold. People are just now *starting* to realize
that VPNs have a transitive trust problem. Node-to-node does
not address transitive trust effectively. IMO. If crypto is the answer,
what is the question?
But if crypto is what you need, you can field it virtually instantly
using app-space crypto. Switching your whole network architecture
over just to get the same benefits you can get with SSH/SSL
seems like a lot of work to go through to avoid having to install
a single app on your client or server.
>That would solve a lot of issues for secure networks.
I really believe that IP crypto does not actually solve any
significant security problem in a compelling or useful manner.
> And with the cap off addresses, it should make things very interesting.
If by "interesting" you mean "unmanageable" I've got to agree. :)
What frustrates me about the whole IPV6 thing is that the nominal
reason for it was because of the address space issues. But there
were so many simpler options available that nobody wanted to
take because, frankly, everyone wanted to be part of the fun of
making up the next big standard. Which was *exactly* the
mindset that made the ISO protocols a slowly-developing
trainwreck. Suggestions for simpler (and equally effective)
approaches were shot down because implementing them would
have been less *fun*. My favorite was my buddy Andrew's
idea: quadruple the address space size, left-fill with zeroes,
bump the version number, and use GPS coordinates on the
left side of the address so that each individual square foot
of the planet had its own class C network. Of course you'd
need to re-do the routing infrastructure but you'll have to do
that with V6 anyhow... Or just double the address space,
bump the version, and left-fill with CIDR-style addresses
and let Moore's law take care of the backbone router
capacity issues...
Anyhow, there were approaches to the address space
problem that were never investigated by the standards
priesthood because, well, they didn't give people a chance
to write gnarly code and re-design packet headers. Remember,
these standards guys are the same guys who called
SNMP "Simple..."; their idea of a good time does not
produce efficient, effective real-world solutions.
> It will change the Internet so that unauthenticated traffic will get a different class of service.
No, it won't. Why? Because if that was going to happen, it would have
happened already. The technical underpinnings to do that already
exist; yet nobody is doing it. Most of the traffic on the Internet is
unauthenticated!! The trust model won't be much better than if you
just went into a load balancer and prioritized SSL, SSH, and known
IP addresses as higher priority than anything else. We can do that
today, but we don't - because it wouldn't make much difference and
it's a pain to manage.
>NAT was a hack and although it works fine for small environments it falls apart for large user networks. The lack of auditing is pure nightmare for tracking down abuse from the inside in a large network.
NAT is an appalling hack. NAT is an abomination. But I won't
apologize for it. When I first started building firewalls, I NATed
networks not in order to save IP addresses, but because most
companies had existing networks with existing address ranges
and didn't want to re-address their whole infrastructure just to
get on the Internet. Does that sound familiar? My guess is that
the same logic will keep a lot of organizations from re-addressing
just to get the intangible benefits of IPV6. It wasn't until the mid
1990s that IP addresses became a commodity and ISPs started
shoving NAT down their customers' throats. But now everyone
already has networks. Unless someone can show that IPV6
is going to solve some problem that is SO VALUABLE it
justifies rebuilding networks, NAT + inertia is gonna kill IPV6...
>I applaud the DOD efforts, they created the Internet and I have no doubt that mandating V6 will tip the scales for adoption. They did this in early 80 with IP, they'll do it again.
It depends on the degree of the mandate. You may call me cynical
but I lived through "C2 by '92" and I don't believe that mandates mean
anything unless they are enforced and enforceable.
>PS This is the first time that I find myself disagreeing with Marcus...
You're in good company, if you do!!! :) Most of the smartest
people I know disagree with me about something or other!! :)
It's a badge of distinction! :)
firewall-wizards mailing list