> The outbound-only firewall is a false idea of security as well since
> 2nd generation peer-to-peer software such as Morpheus can easily
> bypass firewalls and allow ingress connections to RFC1918 hosts.
>
> On the other hand, considering that a typical IPv6 will _not_ feature
> IPv6 NAT, an IPv6 host that has _only_ a site-local address would have
> an extra layer of protection against external attacks as it would not be
> reachable at all from the outside.

I see this as a distinction without a difference -- if the site has
some systems running a global p2p network's software with external
connectivity, and that p2p network is cracked, the site will be
vulnerable to attacks relayed through the p2p network.

If one system within the site has external connectivity and is part of
the compromised p2p network, any system at the site will now be open
to attacks from the compromised system.

If there is widespread deployment of systems with site-local only
addresses, this will in turn drive the creation of IPv6 NAT
specifically to give them external connectivity.

                                                - Bill
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
