
Re: Enterprise Analysis DSTM Issue



On Thu, 11 Aug 2005, Tim Chown wrote:
There's some overlap between DSTM and conventional dual stack in this
discussion.  I'm saying that some (UK) people have mentioned to me that they
do not want to run dual-stack because they believe it adds complexity to
security, and thus would want to run IPv6 only, or at least IPv6-only network
infrastructure.  Given the latter, if they have some dual-stack hosts,
something DSTM-like in functionality may be required.  They are also
evaluating NAT-PT, etc in light of this.

The concern expressed was the fact that two protocols are in use, and both
need to be secured, mainly with consistent policies and with some IPv6
specific policies.

So, if I get this correctly, the fear is about attacks on the network infrastructure (routers, etc.), not on the end hosts?


Because as long as you WILL have v6 connectivity through [v4-in-v6 tunneling] on the end hosts, you will STILL have the same security problems? You've just shifted them around to a different place in the topology.

But if the assumption is that an enterprise/university could run entirely v6-only core (routers, switches, what have you, without [v4-in-v6 tunneling] for their management or whatever), yes, there might be small differences.

My assumption has always been that the network admins should be capable of securing the routers, switches, etc. properly (in any case, the same degree they could do so with v6), but maybe my optimism isn't shared everywhere.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
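The concern in the thread is that two protocol families both need securing with consistent policies, and that a rule present for one family but missing for the other is exactly the kind of gap dual stack introduces. The following is an added example, not code from this mailing list or from either of the writers: a small parity check that parses a constructed, hypothetical "action proto src dst port" rule syntax (not any real firewall's format) and reports rules that exist only for IPv4 or only for IPv6. The sample policy and its syntax are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Union

# Constructed sample policy in a made-up rule syntax (assumption, not a real product's format):
#   <action> <proto> <src> <dst-prefix> <dst-port>
# Telnet (23) is explicitly denied for the v4 prefix but nothing equivalent exists for v6,
# which is the kind of inconsistency a dual-stack policy review is meant to catch.
SAMPLE_POLICY = """\
allow tcp any 192.0.2.0/24 22
allow tcp any 192.0.2.0/24 443
deny  tcp any 192.0.2.0/24 23
allow tcp any 2001:db8::/32 443
allow udp any 2001:db8::/32 53
"""


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    dst: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    port: int


def parse_policy(text: str) -> list:
    """Parse the hypothetical rule syntax into Rule objects; blank and '#' lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, proto, src, dst, port = line.split()
        # ip_network() decides the address family for us and rejects malformed prefixes.
        rules.append(Rule(action, proto, src, ipaddress.ip_network(dst), int(port)))
    return rules


def family_view(rules: list, version: int) -> set:
    """Collapse rules for one address family into comparable (action, proto, port) triples."""
    return {(r.action, r.proto, r.port) for r in rules if r.dst.version == version}


def policy_gaps(rules: list) -> dict:
    """Return the rules that exist for only one family: the dual-stack consistency findings."""
    v4 = family_view(rules, 4)
    v6 = family_view(rules, 6)
    return {"only_v4": sorted(v4 - v6), "only_v6": sorted(v6 - v4)}


if __name__ == "__main__":
    gaps = policy_gaps(parse_policy(SAMPLE_POLICY))
    for family, missing in gaps.items():
        for action, proto, port in missing:
            print(f"{family}: {action} {proto}/{port} has no counterpart in the other family")
```

Comparing on (action, proto, port) rather than on the literal prefixes is deliberate: the two families never share addresses, so parity is about which services are permitted or denied, not about identical strings. A deny that is missing on one side is only a real exposure if that side does not already default-deny, so the output is a review list, not a verdict.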