On Thu, Aug 09, 2001 at 02:10:32PM +0200, Francis Dupont wrote:
> In your previous mail you wrote:
>
> But you make a good point about security. If people get the idea
> (correctly or not) that they're sacrificing security by supporting v6,
> they won't bother deploying it. We need to have v6 border routers
> that deliver the same degree of security as NATs do, without actually
> translating addresses.
>
> => this is easy for TCP (or any connected transport, cf the tcp
> established of Cisco routers) but I can't see a way to do this for
> UDP without keeping state... Of course this argument doesn't apply
> if a real firewall is used (stateless firewalls are out of the market
> or should be ASAP).
Site-local scope and multi-addressing of nodes make this fairly
trivial. If services that should only be available at a site-local
level are only bound to site-local scope and border routers properly
enforce that, then there's no problem.
You don't need to filter incoming UDP if nobody's running a UDP
listener on a global address. This makes IPv6 every bit as 'secure'
as NAPT, and without the kind of ugly application proxies needed
for protocols like FTP, H.323, IRC DCC, and others.
--
David Terrell | "When we said that you needed to cut the
[EMAIL PROTECTED] | wires for ultimate security, we didn't
Nebcorp Prime Minister | mean that you should go wireless instead."
http://wwn.nebcorp.com/ | - Casper Dik
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
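The policy David describes above has two halves: hosts bind site-only services to site-local (fec0::/10) addresses, and the border router never forwards site-scoped traffic, so inbound UDP needs no per-flow state. The following Python script is an added example that is not part of the thread or any vendor's code; it audits a constructed socket inventory for UDP listeners reachable on a global address and models a stateless border decision, with the 'established' handling (ACK/RST set) standing in for the Cisco keyword Francis mentions. The listener list, the host addresses and the policy names are assumptions made for the example; 2001:db8::/32 is the documentation prefix used here in place of a real global prefix.

```python
"""Added example (not from the thread): audit helper for the
"bind site services to site-local, enforce scope at the border" policy.
Only the Python standard library is used."""
import ipaddress

# Prefixes from RFC 3513 / RFC 4193.  fec0::/10 was later deprecated
# (RFC 3879) in favour of unique-local fc00::/7, so both are listed and
# the hypothetical policy treats all three as "not global".
SCOPED_PREFIXES = {
    "link-local": ipaddress.IPv6Network("fe80::/10"),
    "site-local": ipaddress.IPv6Network("fec0::/10"),
    "unique-local": ipaddress.IPv6Network("fc00::/7"),
}

def address_scope(addr: str) -> str:
    """Classify an IPv6 address by the scope the policy cares about.
    Explicit prefixes are used instead of IPv6Address.is_global, which
    also reports the 2001:db8::/32 documentation prefix as non-global."""
    a = ipaddress.IPv6Address(addr)
    if a.is_unspecified:
        return "wildcard"      # '::' binds every address, hence every scope
    if a.is_loopback:
        return "loopback"
    for name, net in SCOPED_PREFIXES.items():
        if a in net:
            return name
    return "global"

# Scopes on which a UDP listener is acceptable without border state.
UDP_SCOPES_ALLOWED = frozenset({"loopback", "link-local", "site-local", "unique-local"})

def audit_listeners(listeners, allowed=UDP_SCOPES_ALLOWED):
    """Return UDP listeners reachable on a global (or wildcard) address.
    These are exactly the sockets that would otherwise force the border
    router to keep UDP state.  listeners: iterable of (proto, addr, port)."""
    findings = []
    for proto, addr, port in listeners:
        scope = address_scope(addr)
        if proto == "udp" and scope not in allowed:
            findings.append((proto, addr, port, scope))
    return findings

def border_decision(direction, proto, src, dst, tcp_flags=frozenset()):
    """Stateless border-router decision for one packet, returning
    (verdict, reason).  Any packet with a site-scoped address at either
    end is dropped, which is what makes site-local binding meaningful.
    Inbound TCP is accepted only with ACK or RST set, mirroring the
    'established' keyword; UDP is forwarded without state because the
    listener audit above is what keeps that safe."""
    for end, addr in (("src", src), ("dst", dst)):
        scope = address_scope(addr)
        if scope != "global":
            return "drop", f"{end} {addr} is {scope}; must not cross the site border"
    if direction == "in" and proto == "tcp" and not (tcp_flags & {"ACK", "RST"}):
        return "drop", "inbound TCP without ACK/RST is a new connection attempt"
    return "accept", "global-to-global traffic permitted by policy"

# Constructed sample inventory (hypothetical hosts and services).
SAMPLE_LISTENERS = [
    ("udp", "fec0::1:2", 53),        # DNS for the site, bound site-local: fine
    ("udp", "2001:db8::10", 161),    # SNMP on a global address: flagged
    ("tcp", "2001:db8::10", 443),    # TCP is handled by 'established' rules
    ("udp", "fe80::1", 546),         # DHCPv6 on link-local: fine
    ("udp", "::", 123),              # NTP on the wildcard: reachable globally
]

if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_LISTENERS):
        print("UDP listener needs attention:", finding)
    print(border_decision("in", "tcp", "2001:db8:ffff::1", "2001:db8::10", frozenset({"SYN"})))
    print(border_decision("out", "udp", "fec0::1:2", "2001:db8:ffff::1"))
```

Running the script lists the SNMP and NTP sockets as the ones that would need stateful UDP filtering at the border, drops the inbound SYN as a new connection attempt, and drops the outbound packet sourced from a site-local address. The audit is deliberately host-side: it checks what is bound, not what the router filters, because the policy only holds if both halves are in place.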