
RE: draft-ietf-v6ops-nap-00.txt & NAT security [2.2]



This is a good discussion - I'm refining my views on this based on all your
comments.

-------- on edge firewalls and proxies ...

If you are proposing that an edge firewall running a stateful protocol
filter provides a good alternative to NAT, I completely agree.  By
advocating using stateful edge firewalls or port filtering, you are also
proposing breaking end-to-end, or peer-to-peer, because you are preventing
the "protected" systems from being reachable from the Internet.  Of course -
that's what you want.  Only an unprotected IPv6 node is truly peer-to-peer -
capable of being contacted by any process from any other node - which would
be crazy on today's public network.  Even with distributed (host) firewalls,
breaking end-to-end is actually a goal - just a selective goal.  I break
end-to-end for some connection types and call it "protection" - other
peer-to-peer services I allow.

IMHO, what we want to provide is "managed peer-to-peer".  With NAT, I simply
cannot provide internal nodes with peer-to-peer - I do not have enough
addresses.  With NAP, I can allow peer-to-peer selectively for any node,
allowing me to "protect them", but also "selectively expose them" - where I
expose them to be peers for other nodes I specify or specific services I
authorize.

And, to return to the "proxies" point, that is another "peer-to-peer
management tool".  I can allow a protected node to get HTTP access via a
proxy (for example), where I can use my proxy device tools (content
inspection, topology hiding, caching, policy enforcement) to enhance
security for that node.  I can also, since I have IPv6 and plenty of
addresses, implement my edge firewall rules to allow it to be a true peer of
some other nodes on the network when peer-to-peer is the way the application
works best.

Managed protection for internal nodes, use of proxies for some types of
connections, when they provide advantages, and true peer-to-peer where
that's the right connection type for a given application.

Seems like the best of both worlds to me.  

Spence
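The stateful edge firewall with selective exposure that the message argues for, written out as an added nftables ruleset (it is not from the thread, the draft, or Spence). Every address is an RFC 3849 documentation prefix chosen for the example, and the interface name wan0, the proxy host and the exposed nodes are assumptions; the point is the ordering: state first, then outbound via the proxy where wanted, then explicit peer-to-peer exposures, then drop.

```nftables
#!/usr/sbin/nft -f
# Added example of an IPv6 edge firewall doing "managed peer-to-peer".
# All prefixes/addresses are RFC 3849 documentation values (assumed, not
# from the discussion); wan0, the proxy and the exposed hosts are assumptions.
flush ruleset

define inside  = 2001:db8:1::/48       # our site
define partner = 2001:db8:2::/48       # a site whose nodes we let be peers
define proxy   = 2001:db8:1::3128      # our HTTP proxy (content inspection etc.)
define webhost = 2001:db8:1::80        # a service exposed to everyone
define sipnode = 2001:db8:1::50        # a node exposed as a peer only to $partner

table inet edge {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # stateful core: replies to connections our nodes initiated are allowed
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 the transit path needs to keep working (RFC 4890 guidance)
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, echo-reply } accept

        # outbound: the proxy may reach the web directly ...
        ip6 saddr $proxy oifname "wan0" accept
        # ... protected nodes may not; they get HTTP only via the proxy
        ip6 saddr $inside oifname "wan0" tcp dport { 80, 443 } drop
        # everything else our nodes initiate is fine; conntrack handles replies
        ip6 saddr $inside oifname "wan0" accept

        # selective exposure: a public service reachable by anyone
        ip6 daddr $webhost tcp dport { 80, 443 } accept

        # selective exposure: true peer-to-peer, but only with nodes we specify
        ip6 saddr $partner ip6 daddr $sipnode udp dport 5060 accept

        # anything else inbound stays "protected": unreachable from the Internet
        log prefix "edge-drop6 " drop
    }
}
```

Load it with `nft -f` on the edge router. Because the only NAT-free ingredient is state, adding a new peer-to-peer relationship is one accept line naming the inside node and the remote peers, and removing it restores the default-deny posture; no address rewriting is involved at any step.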