My expectation is the same as yours, but I strongly believe that anyone doing a new design that deliberately ignores IPv6 is being very shortsighted. "Quite some time" is now only years, not decades.
It might be useful to consider another perspective on IPv6:
Begin forwarded message:
From: "Marcus J. Ranum" <[EMAIL PROTECTED]>
Date: Wed Jul 30, 2003 10:26:00 AM America/New_York
To: Jonn Martell <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: [fw-wiz] Off topic: Any one know of a good IPV6 reference book?
I'm going to try to wrench this topic back to security, after having taken a heavy-handed swat at the standards geeks. ;)
Jonn Martell wrote:
> Doesn't V6 allow for end-to-end encryption and authentication?
Well, if that's what you want, why not use the (various) IPV4 ESP and AH implementations? Or SSH/SSL?
From a meta-level, before you throw encryption into a security solution, ask yourself "what am I trying to accomplish?" I happen to believe that adding crypto into your network layer is pointless. Basically, all it gives you is node-to-node trust. Node-to-node trust is not exactly great, viz: .rhosts, NFS - they don't work very well in environments where an untrusted user can gain even a small toe-hold. People are just now *starting* to realize that VPNs have a transitive trust problem. Node-to-node does not address transitive trust effectively. IMO. If crypto is the answer, what is the question?
But if crypto is what you need, you can field it virtually instantly using app-space crypto. Switching your whole network architecture over just to get the same benefits you can get with SSH/SSL seems like a lot of work to go through to avoid having to install a single app on your client or server.
> That would solve a lot of issues for secure networks.
I really believe that IP crypto does not actually solve any significant security problem in a compelling or useful manner.
> And with the cap off addresses, it should make things very interesting.
If by "interesting" you mean "unmanageable" I've got to agree. :)
What frustrates me about the whole IPV6 thing is that the nominal reason for it was because of the address space issues. But there were so many simpler options available that nobody wanted to take because, frankly, everyone wanted to be part of the fun of making up the next big standard. Which was *exactly* the mindset that made the ISO protocols a slowly-developing trainwreck. Suggestions for simpler (and equally effective) approaches were shot down because implementing them would have been less *fun*. My favorite was my buddy Andrew's idea: quadruple the address space size, left-fill with zeroes, bump the version number, and use GPS coordinates on the left side of the address so that each individual square foot of the planet had its own class C network. Of course you'd need to re-do the routing infrastructure but you'll have to do that with V6 anyhow... Or just double the address space, bump the version, and left-fill with CIDR-style addresses and let Moore's law take care of the backbone router capacity issues. ..
Anyhow, there were approaches to the address space problem that were never investigated by the standards priesthood because, well, they didn't give people a chance to write gnarly code and re-design packet headers. Remember, these standards guys are the same guys who called SNMP "Simple..." their idea of a good time does not produce efficient, effective real-world solutions.
> It will change the Internet so that unauthenticated traffic will get a different class of service.
No, it won't. Why? Because if that was going to happen, it would have happened already. The technical underpinnings to do that already exist; yet nobody is doing it. Most of the traffic on the Internet is unauthenticated!! The trust model won't be much better than if you just went into a load balancer and prioritized SSL, SSH, and known IP addresses as higher priority than anything else. We can do that today, but we don't - because it wouldn't make much difference and it's a pain to manage.
> NAT was a hack and although it works fine for small environments it falls apart for large user networks. The lack of auditing is a pure nightmare for tracking down abuse from the inside in a large network.
NAT is an appalling hack. NAT is an abomination. But I won't apologize for it. When I first started building firewalls, I NATed networks not in order to save IP addresses, but because most companies had existing networks with existing address ranges and didn't want to re-address their whole infrastructure just to get on the Internet. Does that sound familiar? My guess is that the same logic will keep a lot of organizations from re-addressing just to get the intangible benefits of IPV6. It wasn't until the mid 1990's that IP addresses became a commodity and ISPs started shoving NAT down their customers' throats. But now everyone already has networks. Unless someone can show that IPV6 is going to solve some problem that is SO VALUABLE it justifies rebuilding networks, NAT + inertia is gonna kill IPV6...
> I applaud the DOD efforts, they created the Internet and I have no doubt that mandating V6 will tip the scales for adoption. They did this in the early 80s with IP, they'll do it again.
It depends on the degree of the mandate. You may call me cynical, but I lived through "C2 by '92" and I don't believe that mandates mean anything unless they are enforced and enforceable.
> PS This is the first time that I find myself disagreeing with Marcus...
You're in good company, if you do!!! :) Most of the smartest people I know disagree with me about something or other!! :) It's a badge of distinction! :)
mjr.
_______________________________________________ firewall-wizards mailing list [EMAIL PROTECTED] http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "[EMAIL PROTECTED]"