
Re: Review: draft-ietf-v6ops-nap-01.txt



On Tue, Aug 23, 2005 at 10:57:18AM +0200, Gunter Van de Velde (gvandeve) wrote:
> 
> >As an aside, when you say 'topology hiding' Gunter, do you really mean
> >subnet/link topology, or the number of hosts, or...?
> 
> When I see 'topology hiding' I make a reference that an entity outside
> the network can not make any correlation between the location
> of a device and the address of a device on the local network.

OK.  Maybe add that sentence to the draft.  Start of section 2.4, add
after first sentence.
 
> This is something that can be achieved with MIP without losing
> any of the end-to-end aspects. Same for the /128's PI addresses.
> There could be additional mechanisms, some simple, some more complex.

And at additional costs, e.g. MIPv6 some would argue breaks 'end to end'
in that you rely on a middlebox to establish communication.
 
> The draft is not to recommend usage of any of these, however it is to
> inform people that there are possibilities to achieve similar result
> without address translation. 

To me, the table in section 1 suggests that host routes and MIPv6 are the
norm for an IPv6 network.

The only reason you cite in the text for topology hiding is in section 2:

  "NAT of course entirely hides the internal
   subnet topology, which some network managers believe is a useful
   precaution to mitigate scanning attacks."

But the pure size of the address space deters 'random' port scanning anyway.

Then again in section 4:

  "What one does when topology
   probing is to get an idea of the available hosts inside an
   enterprise.  This mostly starts with a ping-sweep."

which suggests topology hiding is all about available/reachable hosts.
That should be mitigated by edge firewalls or the v6 link address space size.

I don't see any other discussion of topology hiding beyond that one issue.

> By mentioning that 'topology hiding' is
> useless, that it makes no sense and is complete brainless nonsense, well
> in that case many NAT biassed people who sincerely believe in
> the topology hiding may find IPv6 a 'too risky protocol that does not
> provide same features and functionality as IPv4 with respect to security'

Well that is their loss, but my vote is that we don't bend the text in
favour of such preconceptions, unless we hear some technically sound
reasons to do so.
 
> Don't get me wrong.. I do not believe in topology hiding myself, however
> many people do, and we have to offer alternatives and that is what the
> document is about. A potential alternate solution is to make a v6ops
> study on the value of topology hiding when using IPv6? and by that make
> disarm the motivation to make usage of either MIP, /128 or any other complex
> mechanisms.

But at present NAP says 'topology hiding' = 'host hiding' = 'port scanning
resilience via firewalls or link address size'.

I don't want to do MIPv6 or host routing for that.

Tim
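The argument above that the sheer size of a /64 deters random ping-sweeps rests on hosts actually having unpredictable addresses. The following script, added here as an illustration and not part of the original thread or of the NAP draft, puts numbers on that: it computes how long an exhaustive sweep of one subnet takes at an assumed probe rate for a few constructed allocation policies. The policies, the probe rate and the function names are assumptions chosen for the example; the point is that the /64 argument holds for random 64-bit interface identifiers but collapses for manually numbered low-byte addresses or EUI-64 addresses from a single known vendor OUI, which is exactly where an edge firewall still has to do the work.

```python
"""Expected exhaustive ping-sweep time for one subnet under different
address allocation policies.  Added example; the scenarios below are
constructed assumptions, not data from the draft or the thread."""

from dataclasses import dataclass

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year


@dataclass(frozen=True)
class Policy:
    """A constructed allocation policy and the number of candidate
    addresses an attacker must probe to cover it exhaustively."""
    name: str
    candidate_space: int


# Constructed scenarios (assumptions for this example):
IPV4_SLASH24 = Policy("IPv4 /24, any host byte", 2 ** 8)
# Random 64-bit interface identifier: the whole /64 is candidate space.
IPV6_RANDOM_IID = Policy("IPv6 /64, random 64-bit IID", 2 ** 64)
# Hosts numbered by hand as ::1, ::2, ... ::ffff: only 16 bits vary.
IPV6_LOW_BYTE = Policy("IPv6 /64, manually numbered ::1..::ffff", 2 ** 16)
# EUI-64 IIDs where the attacker knows the NIC vendor OUI: the OUI and the
# fffe filler are fixed, so only the 24 NIC-specific bits vary.
IPV6_EUI64_KNOWN_OUI = Policy("IPv6 /64, EUI-64 with one known OUI", 2 ** 24)

POLICIES = (IPV4_SLASH24, IPV6_RANDOM_IID, IPV6_LOW_BYTE, IPV6_EUI64_KNOWN_OUI)


def sweep_seconds(policy: Policy, probes_per_second: float) -> float:
    """Seconds to probe every candidate address once at the given rate."""
    if probes_per_second <= 0:
        raise ValueError("probe rate must be positive")
    return policy.candidate_space / probes_per_second


def sweep_years(policy: Policy, probes_per_second: float) -> float:
    """Same as sweep_seconds, expressed in Julian years."""
    return sweep_seconds(policy, probes_per_second) / SECONDS_PER_YEAR


def sweep_table(probes_per_second: float) -> dict:
    """Map policy name -> seconds for an exhaustive sweep at this rate."""
    return {p.name: sweep_seconds(p, probes_per_second) for p in POLICIES}


def is_deterred(policy: Policy, probes_per_second: float,
                attacker_budget_years: float = 1.0) -> bool:
    """True when an exhaustive sweep exceeds the assumed attacker budget;
    this is the 'address space size deters scanning' claim made precise."""
    return sweep_years(policy, probes_per_second) > attacker_budget_years


if __name__ == "__main__":
    RATE = 1_000_000  # assumed probes per second from one scanning host
    for name, secs in sweep_table(RATE).items():
        print(f"{name:45s} {secs:>14.3f} s  ({secs / SECONDS_PER_YEAR:.1e} years)")
```

At one million probes per second a random-IID /64 takes on the order of 5.8e5 years to sweep, while the low-byte and known-OUI cases finish in well under a minute, so whether "link address space size" mitigates a ping-sweep depends entirely on how the hosts were numbered.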