Re: [fw-wiz] IPv6 redo;;
From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 09/17/04
- Previous message: Jim Seymour: "Re: [fw-wiz] About Port Forwarding, Apache and Firewall Rules"
- Maybe in reply to: R. DuFresne: "[fw-wiz] IPv6 redo;;"
- Next in thread: R. DuFresne: "Re: [fw-wiz] IPv6 redo;;"
- Reply: R. DuFresne: "Re: [fw-wiz] IPv6 redo;;"
To: "R. DuFresne" <dufresne@sysinfo.com>, "'firewall-wizards@honor.icsalabs.com'" <firewall-wizards@honor.icsalabs.com>
Date: Fri, 17 Sep 2004 10:05:05 -0400
R. DuFresne wrote:
>1. how are firewalls going to deal with IPv6 addressing? Or, will IPv6
>negate the need for firewalling and push everything into encryption
>boundaries?
I don't think network-level crypto is going to solve any
interesting problems (and may create new ones) so it
won't ever become pervasive. This is especially the case,
in my opinion, because in the last few years most of the
apps that "need" security have added tunnelling over
SSL or other crypto as an option. The place where
host-to-host crypto is attractive is between hosts that
have some kind of pre-established trust relationship.
I.e.: more like a VPN member than an E-commerce
transaction. My guess is that the vast majority of
crypto in use on the Internet today is more the transactional
type in which individuals are temporarily establishing
secured connections between machines that don't
really "know each other" well enough to justify establishing
a full trust boundary between them. The only way I see
IPv6 crypto becoming pervasive is if it's so ridiculously
easy to set up and it's turned on by default, that nobody
notices it's there and working. What's the likelihood of
that?
I guess the short form of what I just said is, "the IETF
took too long, and that particular problem is being
addressed in an ad hoc manner and the installed base
will rule."
>2. icmp redirects, are they still a danger in the IPv6 realm such as they
>were and are in traditional TCP/IP?
I'd love to know the answer to this one, too. ;)
I'm comfortable assuming that there will be whole new kinds
of attacks to discover. If options and features convert into
vulnerabilities and opportunities for DOS at the usual rate,
IPv6 is going to be a fertile playground for hackers.
mjr.