
RE: Review: draft-ietf-v6ops-nap-01.txt



> If the objective is to not have people on the outside know of the
> existence or exact value of an address, or be able to attack it by
> sending traffic to it, then a system that sends packets outside the
> net would need to change addresses periodically, but a system that
> doesn't send packets outside the network merely needs to be protected
> from accidental uses of its address.

So far, I have heard the following arguments:

1) Attack surface reduction: hosts that are not reachable at all from
the outside are less likely to be attacked.

2) Protection against enumeration: even if hosts are reachable, making
their address hard to guess provides protection against systematic
attacks such as worms or port scanning.

3) Protection against topology analysis: if the address cannot be
correlated with a particular enterprise department, attackers have a
harder time figuring out which department is active, or a good target.

The solution to number 1 is to provide those hosts that are not meant to
be reachable with addresses that are explicitly filtered at the entry
points of the organization's network. ULA would do, but are not
necessary: any subnet prefix can be filtered. The simple solution is to
connect unreachable hosts to an unreachable link. If one must mix
reachable and unreachable hosts on the same link, then one has to either
forgo the protection, or manage two different subnet prefixes for the
same link.

The solution to number 2 is well documented in the draft.

Problem number 3 only occurs in some networks. It is not an issue if the
network is entirely switched (single link), or if the enterprise does
not care about hiding its topology. Only then are solutions like flat
routing or MIP6 useful.

One could make a strong case that topology can be discovered anyhow from
analysis of the application traffic, email addresses, web proxy
selection and other hints. One could easily argue that the supposed
protections are futile. But that amounts to "fighting your customers",
which is not a very rewarding exercise.

-- Christian Huitema
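Arguments 1 and 2 above (border filtering of prefixes that are never meant to be reachable, and hard-to-guess addresses against enumeration) can both be checked mechanically. The following is an added illustration, not code from the draft or from the message's author: it models an ingress filter over constructed prefixes (a made-up ULA /48, fd00:1234:5678::/48, and the documentation prefix 2001:db8:100:f00::/64 standing in for a filtered global subnet), classifies the interface identifier of each address by how enumerable it is, and lists the hosts that are both reachable from outside and guessable. The search-space estimates are rough figures assumed for illustration, not values from the draft.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed policy: prefixes the border router must drop inbound traffic to.
# fd00:1234:5678::/48 is a made-up ULA; 2001:db8:100:f00::/64 is a documentation
# prefix standing in for a global subnet that the organisation chooses to filter.
UNREACHABLE_PREFIXES = [
    ipaddress.ip_network("fd00:1234:5678::/48"),
    ipaddress.ip_network("2001:db8:100:f00::/64"),
]
ULA_SPACE = ipaddress.ip_network("fc00::/7")

# Assumed rough size (in bits) of the space an outsider has to search per pattern.
SEARCH_SPACE_BITS: Dict[str, int] = {
    "low-sequential": 16,   # ::1, ::2, ... a handful of low values
    "embedded-ipv4": 32,    # low 32 bits carry an IPv4 address, upper 32 are zero
    "eui64": 24,            # OUI usually known, only the NIC-specific 24 bits vary
    "random": 64,           # unstructured 64-bit interface identifier
}


def ingress_allowed(dst: str, blocked: Iterable[ipaddress.IPv6Network] = UNREACHABLE_PREFIXES) -> bool:
    """True if an inbound packet to dst would pass the border filter.

    ULA space is dropped wholesale; any explicitly listed prefix is dropped too.
    A host with a ULA and a global address on the same link is only reachable
    via the global one, which is the 'two prefixes on one link' case above.
    """
    addr = ipaddress.ip_address(dst)
    if addr.version != 6:
        raise ValueError("IPv6 addresses only")
    if addr in ULA_SPACE:
        return False
    return not any(addr in net for net in blocked)


def iid_pattern(addr: str) -> str:
    """Classify the 64-bit interface identifier of an address on a /64."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    # Modified EUI-64 identifiers carry 0xfffe between the OUI and NIC halves.
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui64"
    if (iid >> 32) == 0:
        # Upper half of the identifier is zero: either a tiny manual value or an
        # IPv4 address embedded in the low 32 bits.
        return "low-sequential" if iid < 0x10000 else "embedded-ipv4"
    return "random"


def search_space_bits(addr: str) -> int:
    """Rough bits of work to enumerate the host given only its /64 prefix."""
    return SEARCH_SPACE_BITS[iid_pattern(addr)]


def exposed_guessable(addrs: Iterable[str]) -> List[str]:
    """Hosts that are both reachable from outside and easy to enumerate."""
    return sorted(a for a in addrs if ingress_allowed(a) and iid_pattern(a) != "random")


# Constructed inventory of hosts; the ULA and filtered-subnet entries are not
# reachable regardless of how guessable their identifiers are.
SAMPLE_HOSTS = [
    "2001:db8:100:1::1",                        # reachable, manual low value
    "2001:db8:100:1:0211:22ff:fe33:4455",       # reachable, EUI-64 derived
    "2001:db8:100:1:3a9f:17c2:8b4e:d6a0",       # reachable, random-looking
    "2001:db8:100:f00::1",                      # filtered subnet prefix
    "fd00:1234:5678:1::1",                      # ULA, filtered at the border
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:40} reachable={ingress_allowed(h)} iid={iid_pattern(h)} "
              f"~{search_space_bits(h)} bits to enumerate")
    print("reachable and guessable:", exposed_guessable(SAMPLE_HOSTS))
```

Running it lists 2001:db8:100:1::1 and the EUI-64 host as reachable and guessable, while the random-identifier host is reachable but expensive to find and the ULA and filtered-prefix hosts are not reachable at all. The two checks are kept separate on purpose: filtering addresses argument 1 without helping argument 2, and unpredictable identifiers address argument 2 for hosts that must stay reachable.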