[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

F1000 requirements?



Eric,

Some clarifying questions about this to helpme understand what you see
as the requirements:

> 2) Our security people are currently enamored by NATs as a security
> mechanism. I am aware of what the IETF's security people think about this
> and I myself have worked in the real time multimedia arena since the
> mid-90s, so you know what I think about it (i.e., NATs hinder real time
> communications). But there you have it: a community that currently plans to
> deploy NATs regardless. What would help people like me to educate our
> security people would be if the IETF came up with an Informational RFC for
> how we can do NAT-like things without NATs within IPv6. That is, our
> security people use NATs as a part of a larger defense-in-depth strategy to
> completely hide our internal networking environment from anybody on the
> "outside". E.g., we don't want people on the "outside" to be able to learn
> the IP address of an Oracle server in a data center.

The example shows hiding an individual IP address which I understand
(and is easy to do using the larger IPv6 address space).
Do you also care significantly about hiding the subnet numbers i.e.
prevent an external entity from comparing bit 49 through 64 in two
of your IPv6 addresses to see if they are located on the same subnet?

Some multihoming proposals (such as NOID) use the DNS to provide the
mapping between the set of IPv6 addresses assigned to a node.
Would such an approach cause a problem for hiding the Oracle server
in your example? Couldn't the Oracle server be assigned an obfuscated
domain name (<very long string of random digits/characters>.example.com)
and only your partners would be told the domain name to use?

   Erik