Caitlin Bestler wrote:

>>>IPv6 needs to be justified on the number of nodes that truly need a
>>>globally accessible public address, not by insisting on counting devices
>>>that should remain anonymous or under limited (and controlled) visibility.
>>>
>>you appear to be confusing visibility with accessibility.
> 
> No, that is exactly what I am not confusing.
> 
> If a node only requires accessibility by a few specialized nodes (such
> as a water meter) then making it *visible* to more is just creating
> a security hole that has to be plugged.


How do you control visibility? Authentication. How do you control 
accessibility? Authentication. What's the difference? Silently ignoring 
unauthenticated peers vs. replying "go away". Limiting visibility does 
not make a service more secure.


> My point remains: a globally meaningful address is something that
> should only be applied when it is useful for that endpoint to
> be globally addressable.


I have a hard time coming up with *any* service that should be 
restricted to local-only at all times. If you believe that 
authentication works, you may as well make everything world-visible.

I do agree that firewalls can reduce the risk of exposing buggy service 
implementations to the world, e.g. risking buffer overflow attacks, etc. 
This has nothing to do with NATs, however, as others have already 
pointed out.

Lars
-- 
Lars Eggert <[EMAIL PROTECTED]>               Information Sciences Institute
http://www.isi.edu/larse/              University of Southern California
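The distinction drawn above, as an added illustration that is not part of the original thread: a toy metering service that authenticates every request with an HMAC tag and handles unauthenticated peers under two policies, silently dropping them (limited visibility) or answering "go away" (limited accessibility). The shared key, the request format and the meter reading are all constructed for the example; the point it makes is that under both policies the authentication check is the control that keeps the data from an unauthenticated peer, and the policies differ only in whether that peer gets any reply at all.

```python
import hmac
import hashlib
from typing import Optional

# Constructed shared secret for the toy service. A real deployment would
# provision per-peer keys rather than one constant.
SHARED_KEY = b"constructed-demo-key"


def sign(key: bytes, body: bytes) -> bytes:
    """Compute an HMAC-SHA256 tag over a request body."""
    return hmac.new(key, body, hashlib.sha256).digest()


def authenticated(request: dict) -> bool:
    """Constant-time comparison of the request's tag against our key."""
    expected = sign(SHARED_KEY, request["body"])
    return hmac.compare_digest(expected, request.get("tag", b""))


def handle(request: dict, policy: str) -> Optional[bytes]:
    """Serve one request.

    'silent' models limited visibility: no reply to unauthenticated peers.
    'reject' models limited accessibility: reply 'go away'.
    In both cases only an authenticated peer reaches the service logic.
    """
    if not authenticated(request):
        if policy == "silent":
            return None           # peer cannot tell the service is there
        if policy == "reject":
            return b"go away"     # peer learns the service exists, nothing more
        raise ValueError(f"unknown policy: {policy}")
    return b"reading: 12345 litres"   # constructed water-meter reading


def make_request(body: bytes, key: bytes) -> dict:
    """Build a request carrying an HMAC tag computed with the given key."""
    return {"body": body, "tag": sign(key, body)}


def demo() -> dict:
    """Run an authenticated and a forged request through both policies."""
    good = make_request(b"READ", SHARED_KEY)
    forged = make_request(b"READ", b"wrong-key")   # peer without the key
    return {
        "silent_good": handle(good, "silent"),
        "silent_forged": handle(forged, "silent"),
        "reject_good": handle(good, "reject"),
        "reject_forged": handle(forged, "reject"),
    }


if __name__ == "__main__":
    for name, reply in demo().items():
        print(f"{name}: {reply!r}")
```

The forged request is denied under both policies; the only observable difference is whether the peer receives a refusal or nothing, which is the "visibility" half of the argument and not an additional access control.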