
Re: draft-ietf-v6ops-nap-04



As Fred has pointed out, NAT is functionally
equivalent to a stateful firewall. What we can say is:

NAT provides exactly the same level of security as a stateful
firewall, and no more. Therefore, IPv6 users behind a stateful
firewall are entitled to exactly the same feeling of security
as users behind an IPv4 NAT; no more and no less.

   Brian
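To make Brian's point concrete, here is an added toy model (not code from the thread or from the draft) in which an IPv4 NAT and an IPv6 stateful firewall share one admission rule, with the NAT only adding address rewriting on top; the addresses and ports are constructed sample values from documentation prefixes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFirewall:
    """Default-deny inbound: outbound packets create flow state, inbound
    packets are accepted only if they match an existing flow in reverse."""
    def __init__(self):
        self.flows = set()

    def outbound(self, pkt):
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt                      # forwarded unchanged

    def inbound(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return pkt                  # reply to a flow we opened
        return None                     # unsolicited: dropped

class Nat44(StatefulFirewall):
    """Identical admission rule; the only addition is address rewriting."""
    def __init__(self, public_ip):
        super().__init__()
        self.public_ip = public_ip
        self.mappings = {}              # (inside ip, port) -> public port

    def outbound(self, pkt):
        pub = self.mappings.setdefault((pkt.src, pkt.sport), 40000 + len(self.mappings))
        return super().outbound(Packet(self.public_ip, pub, pkt.dst, pkt.dport))

    def inbound(self, pkt):
        if super().inbound(pkt) is None:
            return None                 # same drop decision as the plain firewall
        inside = next(k for k, v in self.mappings.items() if v == pkt.dport)
        return Packet(pkt.src, pkt.sport, inside[0], inside[1])  # un-translate

def demo():
    """Both devices pass the reply to a flow they opened and drop an unsolicited probe."""
    fw, nat = StatefulFirewall(), Nat44("203.0.113.1")
    fw.outbound(Packet("2001:db8::10", 51000, "2001:db8:1::80", 443))      # constructed
    nat.outbound(Packet("192.168.0.10", 51000, "198.51.100.80", 443))      # constructed
    fw_reply = fw.inbound(Packet("2001:db8:1::80", 443, "2001:db8::10", 51000))
    nat_reply = nat.inbound(Packet("198.51.100.80", 443, "203.0.113.1", 40000))
    fw_probe = fw.inbound(Packet("2001:db8:1::66", 12345, "2001:db8::10", 22))
    nat_probe = nat.inbound(Packet("198.51.100.66", 12345, "203.0.113.1", 22))
    return fw_reply is not None, nat_reply is not None, fw_probe is None, nat_probe is None
```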


Gunter Van de Velde (gvandeve) wrote:
I was wondering about the message we agree upon here for this particular
point, so we can work on a re-write?

<>
NAT does provide a feeling of security that should not be there, however
with IPv6 people will receive more indicative signals on more secure
topologies for their infrastructure/applications/OperatingSoftware?
<>

G/


-----Original Message-----
From: owner-v6ops@ops.ietf.org [mailto:owner-v6ops@ops.ietf.org] On
Behalf Of Brian E Carpenter
Sent: Wednesday, November 01, 2006 4:50 PM
To: Margaret Wasserman
Cc: v6ops@ops.ietf.org; Jari Arkko
Subject: Re: draft-ietf-v6ops-nap-04

Margaret Wasserman wrote:

Hi Brian,

On Oct 31, 2006, at 6:07 AM, Brian E Carpenter wrote:


the right place to define a new untraceable addressing mechanism.


It certainly can't purport to be a formal spec. But removing it would
leave a hole. Would you be OK with adding some clear disclaimer text
saying that it is not a formal spec?


I can live with that.


>   o  On a local network, any user will have more security awareness.
>      This awareness will motivate the usage of simple firewall
>      applications/devices to be inserted on the border between the
>      external network and the local (or home network) as there is no
>      Address Translator and hence no false safety perception.
[Substantive] IPv6 will not make users have more security awareness.
When we say something like this, we are emitting the same type of marketing
hype that we deride in the vendors of NAT products. This bullet should just
be omitted.


Yes, it's a bit slack, and naive about the way real users behave.


Based on your indication that there are two issues that you are not going
to fix, I gather you aren't going to fix this one, even though you agree
that it is slack and naive? Why not?


That's really not what I meant. I think this text does need fixing.
I'm a bit reluctant to delete it because I think there is a nugget of
value in there. But we authors need to get together; I can't speak for
the others.

     Brian