
RE: F1000 requirements?



Erik,

The desire (requirement) is to have international addressability/routing without revealing the existence of internal nodes or network topology except to a select (controlled) group of outsiders -- and only then on a "need to know" basis. No conditions are placed on how this can be achieved. 

--Eric

-----Original Message-----
From: Erik Nordmark [mailto:Erik.Nordmark@sun.com]
Sent: Tuesday, April 27, 2004 7:30 AM
To: Fleischman, Eric
Cc: Multi6 List
Subject: F1000 requirements?


Eric,

Some clarifying questions about this to help me understand what you see
as the requirements:

> 2) Our security people are currently enamored by NATs as a security
> mechanism. I am aware of what the IETF's security people think about this
> and I myself have worked in the real time multimedia arena since the
> mid-90s, so you know what I think about it (i.e., NATs hinder real time
> communications). But there you have it: a community that currently plans to
> deploy NATs regardless. What would help people like me to educate our
> security people would be if the IETF came up with an Informational RFC for
> how we can do NAT-like things without NATs within IPv6. That is, our
> security people use NATs as a part of a larger defense-in-depth strategy to
> completely hide our internal networking environment from anybody on the
> "outside". E.g., we don't want people on the "outside" to be able to learn
> the IP address of an Oracle server in a data center.

The example shows hiding an individual IP address which I understand
(and is easy to do using the larger IPv6 address space).
Do you also care significantly about hiding the subnet numbers i.e.
prevent an external entity from comparing bit 49 through 64 in two
of your IPv6 addresses to see if they are located on the same subnet?

Some multihoming proposals (such as NOID) use the DNS to provide the
mapping between the set of IPv6 addresses assigned to a node.
Would such an approach cause a problem for hiding the Oracle server
in your example? Couldn't the Oracle server be assigned an obfuscated
domain name (<very long string of random digits/characters>.example.com)
and only your partners would be told the domain name to use?

   Erik
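
The subnet comparison Erik asks about, written as a check a site could run over the addresses it exposes externally to see what subnet structure an outside observer can infer. This is an added example, not part of the original messages; it assumes a /48 site prefix (so bits 49 through 64 are the subnet field), and the addresses are constructed from the 2001:db8::/32 documentation range.

```python
import ipaddress
from collections import defaultdict

def subnet_id(addr: str) -> int:
    """Bits 49-64 of the address: the 16-bit field after an assumed /48 prefix."""
    return (int(ipaddress.IPv6Address(addr)) >> 64) & 0xFFFF

def site_prefix(addr: str) -> str:
    """The /48 the address belongs to (assumption: the site holds a /48)."""
    return str(ipaddress.IPv6Network(f"{addr}/48", strict=False))

def same_subnet(a: str, b: str) -> bool:
    """True when the first 64 bits match, i.e. same site and same subnet field."""
    return site_prefix(a) == site_prefix(b) and subnet_id(a) == subnet_id(b)

def inferred_topology(addresses):
    """Group exposed addresses the way an external observer could:
    site prefix -> subnet field -> hosts seen on that subnet."""
    topo = defaultdict(lambda: defaultdict(list))
    for a in addresses:
        topo[site_prefix(a)][subnet_id(a)].append(a)
    return {site: dict(subnets) for site, subnets in topo.items()}

# Constructed sample: addresses a site has made visible to outsiders.
EXPOSED = [
    "2001:db8:aaaa:10::25",
    "2001:db8:aaaa:10::1521",
    "2001:db8:aaaa:20::80",
    "2001:db8:bbbb:10::53",
]

if __name__ == "__main__":
    for site, subnets in inferred_topology(EXPOSED).items():
        print(site)
        for sid, hosts in sorted(subnets.items()):
            print(f"  subnet 0x{sid:04x}: {len(hosts)} host(s) visible")
```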