[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: draft-ietf-v6ops-nap-00.txt & NAT security [2.2]
This is a good discussion - I'm refining my views on this based on all your
comments.
-------- on edge firewalls and proxies ...
If you are proposing that an edge firewall running a stateful protocol
filter provides a good alternative to NAT, I completely agree. By
advocating using stateful edge firewalls or port filtering, you are also
proposing breaking end-to-end, or peer-to-peer, because you are preventing
the "protected" systems from being reachable from the Internet. Of course -
that's what you want. Only an unprotected IPv6 node is truly peer-to-peer -
capable of being contacted by any process from any other node - which would
be crazy on today's public network. Even with distributed (host) firewalls,
breaking end-to-end is actually a goal - just a selective goal. I break
end-to-end for some connection types and call it "protection" - other
peer-to-peer services I allow.
IMHO, what we want to provide is "managed peer-to-peer". With NAT, I simply
cannot provide internal nodes with peer-to-peer - I do not have enough
addresses. With NAP, I can allow peer-to-peer selectively for any node,
allowing me to "protect them", but also "selectively expose them" - where I
expose them to be peers for other nodes I specify or specific services I
authorize.
And, to return to the "proxies" point, that is another "peer-to-peer
management tool". I can allow a protected node to get HTTP access via a
proxy (for example), where I can use my proxy device tools (content
inspection, topology hiding, caching, policy enforcement) to enhance
security for that node. I can also, since I have IPv6 and plenty of
addresses, implement my edge firewall rules to allow it to be a true peer of
some other nodes on the network when peer-to-peer is the way the application
works best.
Managed protection for internal nodes, use of proxies for some types of
connections, when they provide advantages, and true peer-to-peer where
that's the right connection type for a given application.
Seems like the best of both worlds to me.
Spence