
RE: F1000 requirements?



Eric, 

I have one question about this requirement and I hope you can 
help me understand it:

I assume F1000 companies, indeed all companies, have 
firewalls. So why is it important to hide addresses?

Hesham

 > The desire (requirement) is to have international 
 > addressability/routing without revealing the existence of 
 > internal nodes or network topology except to a select 
 > (controlled) group of outsiders -- and only then on a "need 
 > to know" basis. No conditions are placed on how this can be 
 > achieved. 
 > 
 > --Eric
 > 
 > -----Original Message-----
 > From: Erik Nordmark [mailto:Erik.Nordmark@sun.com]
 > Sent: Tuesday, April 27, 2004 7:30 AM
 > To: Fleischman, Eric
 > Cc: Multi6 List
 > Subject: F1000 requirements?
 > 
 > 
 > Eric,
 > 
 > Some clarifying questions about this to help me understand what you see
 > as the requirements:
 > 
 > > 2) Our security people are currently enamored by NATs as a security
 > > mechanism. I am aware of what the IETF's security people think about
 > > this and I myself have worked in the real time multimedia arena since
 > > the mid-90s, so you know what I think about it (i.e., NATs hinder real
 > > time communications). But there you have it: a community that currently
 > > plans to deploy NATs regardless. What would help people like me to
 > > educate our security people would be if the IETF came up with an
 > > Informational RFC for how we can do NAT-like things without NATs within
 > > IPv6. That is, our security people use NATs as a part of a larger
 > > defense-in-depth strategy to completely hide our internal networking
 > > environment from anybody on the "outside". E.g., we don't want people on
 > > the "outside" to be able to learn the IP address of an Oracle server in
 > > a data center.
 > 
 > The example shows hiding an individual IP address which I understand
 > (and is easy to do using the larger IPv6 address space).
 > Do you also care significantly about hiding the subnet numbers i.e.
 > prevent an external entity from comparing bit 49 through 64 in two
 > of your IPv6 addresses to see if they are located on the same subnet?
 > 
 > Some multihoming proposals (such as NOID) use the DNS to provide the
 > mapping between the set of IPv6 addresses assigned to a node.
 > Would such an approach cause a problem for hiding the Oracle server
 > in your example? Couldn't the Oracle server be assigned an obfuscated
 > domain name (<very long string of random digits/characters>.example.com)
 > and only your partners would be told the domain name to use?
 > 
 >    Erik
 > 
 > 
 > 
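The check Erik describes (comparing the subnet bits of two IPv6 addresses to see whether they sit on the same subnet) is easy to make concrete. The following is an added example written for this page, not code from anyone in the thread. It assumes a site holding a /48 so that the subnet field is bits 49 through 64, and uses constructed addresses from the 2001:db8::/32 documentation prefix. It shows that randomising the interface identifier hides an individual host, as Erik notes, while leaving the top 64 bits, and therefore the subnet relationship between two addresses, visible to an outside observer.

```python
import ipaddress
import secrets
from collections import defaultdict

# Constructed sample data (documentation prefix); assumption: the site has a /48.
SITE_PREFIX = ipaddress.IPv6Network("2001:db8:1::/48")
SAMPLE_ADDRS = [
    "2001:db8:1:10::1",                      # subnet 0x0010
    "2001:db8:1:10:a1b2:c3d4:e5f6:7788",     # same subnet, different host
    "2001:db8:1:20::5",                      # subnet 0x0020
]


def subnet_id(addr: str, site: ipaddress.IPv6Network = SITE_PREFIX) -> int:
    """Return the subnet field of addr: the bits between the site prefix and the
    64-bit interface-identifier boundary (bits 49..64 for a /48, counting from 1)."""
    a = ipaddress.IPv6Address(addr)
    if a not in site:
        raise ValueError(f"{a} is not inside {site}")
    width = 64 - site.prefixlen
    return (int(a) >> 64) & ((1 << width) - 1)


def same_link(addr1: str, addr2: str) -> bool:
    """True if both addresses share their upper 64 bits, i.e. are on the same /64.
    This is what an outsider can conclude from two observed addresses."""
    return (int(ipaddress.IPv6Address(addr1)) >> 64) == (int(ipaddress.IPv6Address(addr2)) >> 64)


def randomize_interface_id(addr: str) -> str:
    """Keep the upper 64 bits and replace the interface identifier with 64 random bits.
    Hides which host this is, but not which subnet it lives on."""
    upper = (int(ipaddress.IPv6Address(addr)) >> 64) << 64
    return str(ipaddress.IPv6Address(upper | secrets.randbits(64)))


def observed_topology(addrs):
    """Group a set of observed addresses by their /64. The number of keys is the
    number of distinct subnets the observer has learned about."""
    groups = defaultdict(list)
    for s in addrs:
        net = ipaddress.IPv6Network((s, 64), strict=False)
        groups[net].append(s)
    return dict(groups)


if __name__ == "__main__":
    for a in SAMPLE_ADDRS:
        print(f"{a:40} subnet id 0x{subnet_id(a):04x}")
    print("same link:", same_link(SAMPLE_ADDRS[0], SAMPLE_ADDRS[1]))
    print("same link:", same_link(SAMPLE_ADDRS[0], SAMPLE_ADDRS[2]))
    hidden = randomize_interface_id(SAMPLE_ADDRS[0])
    print("randomised host still on same link:", same_link(SAMPLE_ADDRS[0], hidden))
    for net, members in observed_topology(SAMPLE_ADDRS).items():
        print(net, "->", members)
```

Running it shows two distinct /64s recovered from three addresses regardless of how the interface identifiers are chosen, which is exactly the subnet-level exposure Erik asks about; hiding individual hosts and hiding topology are separate requirements.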
