From owner-freebsd-net@FreeBSD.ORG Thu Oct 23 14:25:57 2003
Date: Thu, 23 Oct 2003 17:25:42 -0400
From: Charles Swiger <cswiger@mac.com>
To: net@freebsd.org
Cc: Barney Wolff
Subject: Thoughts on IPv6, was: Re: Help Broadcasting a UDP packet on the LAN:URGENT
In-Reply-To: <20031023194350.GA9424@pit.databus.com>
Message-Id: <74B738D2-059F-11D8-92E1-003065ABFD92@mac.com>
List-Id: Networking and TCP/IP with FreeBSD

On Thursday, October 23, 2003, at 03:43 PM, Barney Wolff wrote:

> My expectation is the same as yours, but I strongly believe that
> anyone doing a new design that deliberately ignores IPv6 is being very
> shortsighted. "Quite some time" is now only years, not decades.

It might be useful to consider another perspective on IPv6:

Begin forwarded message:

> From: "Marcus J. Ranum"
> Date: Wed Jul 30, 2003 10:26:00 AM America/New_York
> To: Jonn Martell
> Cc: firewall-wizards@honor.icsalabs.com
> Subject: Re: [fw-wiz] Off topic: Any one know of a good IPV6 reference book?
>
> I'm going to try to wrench this topic back to security, after
> having taken a heavy-handed swat at the standards geeks. ;)
>
> Jonn Martell wrote:
>> Doesn't V6 allow for end-to-end encryption and authentication?
>
> Well, if that's what you want, why not use the (various) IPV4
> ESP and AH implementations? Or SSH/SSL?
>
> From a meta-level, before you throw encryption into a security
> solution, ask yourself "what am I trying to accomplish?" I happen
> to believe that adding crypto into your network layer is pointless.
> Basically, all it gives you is node-to-node trust. Node-to-node
> trust is not exactly great, viz: .rhosts, NFS - they don't work
> very well in environments where an untrusted user can gain
> even a small toe-hold. People are just now *starting* to realize
> that VPNs have a transitive trust problem. Node-to-node does
> not address transitive trust effectively. IMO. If crypto is the answer,
> what is the question?
>
> But if crypto is what you need, you can field it virtually instantly
> using app-space crypto. Switching your whole network architecture
> over just to get the same benefits you can get with SSH/SSL
> seems like a lot of work to go through to avoid having to install
> a single app on your client or server.
>
>> That would solve a lot of issues for secure networks.
>
> I really believe that IP crypto does not actually solve any
> significant security problem in a compelling or useful manner.
>
>> And with the cap off addresses, it should make things very
>> interesting.
>
> If by "interesting" you mean "unmanageable" I've got to agree. :)
>
> What frustrates me about the whole IPV6 thing is that the nominal
> reason for it was because of the address space issues. But there
> were so many simpler options available that nobody wanted to
> take because, frankly, everyone wanted to be part of the fun of
> making up the next big standard. Which was *exactly* the
> mindset that made the ISO protocols a slowly-developing
> trainwreck. Suggestions for simpler (and equally effective)
> approaches were shot down because implementing them would
> have been less *fun*. My favorite was my buddy Andrew's
> idea: quadruple the address space size, left-fill with zeroes,
> bump the version number, and use GPS coordinates on the
> left side of the address so that each individual square foot
> of the planet had its own class C network. Of course you'd
> need to re-do the routing infrastructure but you'll have to do
> that with V6 anyhow... Or just double the address space,
> bump the version, and left-fill with CIDR-style addresses
> and let Moore's law take care of the backbone router
> capacity issues...
>
> Anyhow, there were approaches to the address space
> problem that were never investigated by the standards
> priesthood because, well, they didn't give people a chance
> to write gnarly code and re-design packet headers. Remember,
> these standards guys are the same guys who called
> SNMP "Simple..." their idea of a good time does not
> produce efficient, effective real-world solutions.
>
>> It will change the Internet so that unauthenticated traffic will get
>> a different class of service.
>
> No, it won't. Why? Because if that was going to happen, it would have
> happened already. The technical underpinnings to do that already
> exist; yet nobody is doing it. Most of the traffic on the Internet is
> unauthenticated!! The trust model won't be much better than if you
> just went into a load balancer and prioritized SSL, SSH, and known
> IP addresses as higher priority than anything else. We can do that
> today, but we don't - because it wouldn't make much difference and
> it's a pain to manage.
>
>> NAT was a hack and although it works fine for small environments it
>> falls apart for large user networks. The lack of auditing is a pure
>> nightmare for tracking down abuse from the inside in a large network.
>
> NAT is an appalling hack. NAT is an abomination. But I won't
> apologize for it. When I first started building firewalls, I NATed
> networks not in order to save IP addresses, but because most
> companies had existing networks with existing address ranges
> and didn't want to re-address their whole infrastructure just to
> get on the Internet. Does that sound familiar? My guess is that
> the same logic will keep a lot of organizations from re-addressing
> just to get the intangible benefits of IPV6. It wasn't until the mid
> 1990's that IP addresses became a commodity and ISPs started
> shoving NAT down their customers' throats. But now everyone
> already has networks. Unless someone can show that IPV6
> is going to solve some problem that is SO VALUABLE it
> justifies rebuilding networks, NAT + inertia is gonna kill IPV6...
>
>> I applaud the DOD efforts, they created the Internet and I have no
>> doubt that mandating V6 will tip the scales for adoption. They did
>> this in the early 80s with IP, they'll do it again.
>
> It depends on the degree of the mandate. You may call me cynical
> but I lived through "C2 by '92" and I don't believe that mandates mean
> anything unless they are enforced and enforceable.
>
>> PS This is the first time that I find myself disagreeing with
>> Marcus...
>
> You're in good company, if you do!!! :) Most of the smartest
> people I know disagree with me about something or other!! :)
> It's a badge of distinction! :)
>
> mjr.
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards