
Re: Enterprise Analysis DSTM Issue
On Thu, Aug 11, 2005 at 11:07:16AM +0200, Kurt Erik Lindqvist wrote:
> 
> (this is somewhat off-topic I guess)
> 
> On 10 aug 2005, at 15.12, Tim Chown wrote:
> 
> >I think for the majority of cases/networks that's true.  But I have spoken
> >to people recently who believe (conventional) dual-stack adds to security
> >complexity, and they'd like to run one protocol only.
> 
> 
> I must be missing something here. In what way would these people think the
> security model differed from any other tunnelling model for security?
> I.e. the payload is the payload is the payload, and from my experience
> that is what is hard to secure... the only way to protect them then is
> to either leave out the v4 Internet (which might not be a bad idea
> from a security POV :-) or do translation?

Sorry if I was not being as clear as I could be.

There's some overlap between DSTM and conventional dual stack in this
discussion.  I'm saying that some (UK) people have mentioned to me that they
do not want to run dual-stack because they believe it adds complexity to
security, and thus would want to run IPv6 only, or at least IPv6-only network
infrastructure.  Given the latter, if they have some dual-stack hosts,
something DSTM-like in functionality may be required.  They are also
evaluating NAT-PT, etc. in light of this.

The concern expressed was the fact that two protocols are in use, and both
need to be secured, mainly with consistent policies and with some IPv6
specific policies.

I'm not saying I agree with that assessment (which is why we run conventional
dual-stack on our 1,000+ node network here) but the requirement seems to be
there.  Maybe it's an education issue like NAP.

Of course, the DSTM-like protocol and NAT-PT have their own security
implications...

-- 
Tim/::1