
draft-vandevelde-v6ops-nap-01.txt - "maybe add a bit more on proxy servers ..."



This draft does a great job of summarizing why engineered network security
(NAP) is much better than side-effect security (NAT).

There are probably a few places to expand upon the discussion of proxy
servers within a NAP-based security program.  NAT and proxies are not
just the same thing at different levels of the ISO stack.  NAT does simple
address translation, whereas proxy implementations - especially in larger
enterprises - do much more, including caching, L4-L7 security functions, and
policy enforcement.  Proxies also do a great job of topology hiding.

A realistic model for an enterprise might be:

1) Give internal-use only devices ULA addresses - no individual host or
topology information leaks to the public network

2) Also give clients that only need "commodity" public network access (via
HTTP or FTP or other proxy-friendly applications) ULA addresses - again
no host (except the proxy servers themselves) or topology information
(except the proxy server subnet) leaks to the Internet.  This should be -
especially in the near to mid-term - the bulk of the Internet traffic.

3) Give servers and clients needing peer-to-peer capability routable
addresses, and use one of the mechanisms proposed in the document to provide
host and topology hiding.

This strategy strikes a balance between providing true peer-to-peer
capability for hosts with address and topology hiding for most applications
- it reduces the number of nodes that need to use mobileIP or host route
injection mechanisms in order to protect the enterprise.

The draft touches on proxy servers in 2.4.  Perhaps an expanded discussion
of the benefits of proxy services would be appropriate in 5.1 - the case
study for medium and large private networks.

John Spence
----------------------------------------------------
John Spence, Native6, Inc.
IPv6 Training and Consulting
jspenceNOSPAM@native6.com
www.native6.com
----------------------------------------------------
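As an added illustration of the three-tier addressing model proposed above (example code written for this page; it is not part of John Spence's message, the NAP draft, or any Native6 material), the following sketch shows the check a border router would need to enforce it: ULA traffic must never cross the site border in either direction, only the proxy servers' outside subnet and the explicitly routable peer-to-peer subnet may talk to the Internet directly, and anything else from the site prefix is a host that should have gone through the proxy. All prefixes are assumptions (RFC 3849 documentation space plus an arbitrary ULA prefix), and the flow records at the bottom are constructed for the example.

```python
"""Border filter for the ULA / proxy / routable three-tier model.

Added example, not from the original message or the draft.  Every
prefix below is an assumption chosen for illustration.
"""
import ipaddress

# RFC 4193 unique local addresses: never valid across a site border.
ULA = ipaddress.ip_network("fc00::/7")
# Assumed provider-assigned site prefix (documentation space).
SITE = ipaddress.ip_network("2001:db8:1::/48")
# Assumed outside leg of the proxy servers (tier 2 egress point).
PROXY_NET = ipaddress.ip_network("2001:db8:1:100::/64")
# Assumed subnet for servers/clients that need true peer-to-peer (tier 3).
P2P_NET = ipaddress.ip_network("2001:db8:1:200::/64")


def egress_decision(src, dst):
    """Verdict for a packet leaving the site toward the Internet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in ULA or d in ULA:
        return ("deny", "ULA address must not cross the site border")
    if s not in SITE:
        return ("deny", "source outside site prefix (spoofed or leaked)")
    if s in PROXY_NET:
        return ("allow", "proxy outside leg; hosts behind it stay hidden")
    if s in P2P_NET:
        return ("allow", "routable host; needs the draft's hiding mechanisms")
    # Global address inside the site prefix but not provisioned for direct
    # access: this host was meant to use the proxy, so stop the leak here.
    return ("deny", "host not provisioned for direct Internet access")


def ingress_decision(src, dst):
    """Verdict for a packet arriving from the Internet into the site."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in ULA or d in ULA:
        return ("deny", "ULA address must not cross the site border")
    if s in SITE:
        return ("deny", "site prefix seen as source from outside (spoofed)")
    if d in PROXY_NET or d in P2P_NET:
        return ("allow", "destination is an intentionally reachable subnet")
    return ("deny", "destination not exposed to the Internet")


# Constructed flow records: (direction, src, dst).  Not real traffic.
FLOWS = [
    ("out", "fd12:3456:789a:1::10", "2001:db8:ffff::1"),   # ULA client leak
    ("out", "2001:db8:1:100::5", "2001:db8:ffff::1"),      # proxy egress
    ("out", "2001:db8:1:200::7", "2001:db8:ffff::1"),      # p2p host egress
    ("out", "2001:db8:1:300::9", "2001:db8:ffff::1"),      # unprovisioned
    ("in", "2001:db8:ffff::1", "2001:db8:1:200::7"),       # inbound to p2p
    ("in", "2001:db8:ffff::1", "fd12:3456:789a:1::10"),    # inbound to ULA
    ("in", "2001:db8:1:200::7", "2001:db8:1:200::8"),      # spoofed site src
]


def audit(flows):
    """Apply the border policy to each flow; return (verdict, reason) list."""
    results = []
    for direction, src, dst in flows:
        decide = egress_decision if direction == "out" else ingress_decision
        results.append(decide(src, dst))
    return results


if __name__ == "__main__":
    for flow, (verdict, reason) in zip(FLOWS, audit(FLOWS)):
        print(f"{flow[0]:>3} {flow[1]:>22} -> {flow[2]:<22} {verdict:5} {reason}")
```

The point of the last egress rule is the one the message makes about leakage: a tier-2 client should be unable to reach the Internet except through the proxy, so the border treats any non-proxy, non-p2p global source as a misconfiguration rather than letting it through.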