Michel,

Your view of the planet could be the IPv4 NAT view and with true e2e with IPsec, TLS, and many others those security interrupts and gateways that see my conversations on the net will go away. So I don't like the way the planet is and we should change it.
/jim

> -----Original Message-----
> From: Michel Py [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 07, 2002 10:32 PM
> To: [EMAIL PROTECTED]
> Cc: Bob Hinden; Steven M. Bellovin; [EMAIL PROTECTED]
> Subject: RE: Fwd: IPv6 Scoped Addresses and Routing Protocols
>
> >> Michel Py wrote:
> >> On the other hand, considering that a typical IPv6 will _not_ feature
> >> IPv6 NAT, an IPv6 host that has _only_ a site-local address would have
> >> an extra layer of protection against external attacks as it would not be
> >> reachable at all from the outside.
>
> > Bill Sommerfeld wrote:
> > I see this as a distinction without a difference -- if the site has
> > some systems running a global p2p network's software with external
> > connectivity, and that p2p network is cracked, the site will be
> > vulnerable to attacks relayed through the p2p network.
> > if one system within the site has external connectivity and is part
> > of the compromised p2p network, any system at the site will now be
> > open to attacks from the compromised system.
>
> I don't know on which planet you are living, but on earth a system that
> has no direct access to the outside is more secure than a system that
> does; this is called a fact, not a distinction. Security is the sum of
> different things, including passwords, firewalls _and_ preventing direct
> access from the Internet.
>
> > If there is widespread deployment of systems with site-local only
> > addresses, this will in turn drive the creation of ipv6 NAT
> > specifically to give them external connectivity..
>
> That looks like a solution without a problem. To give these hosts
> connectivity you just have both the site-local and the global address.
> Since NAT would not bring anything to the table why implement it in the
> first place?
>
> Michel.
>
> --------------------------------------------------------------------
> IETF IPng Working Group Mailing List
> IPng Home Page: http://playground.sun.com/ipng
> FTP archive: ftp://playground.sun.com/pub/ipng
> Direct all administrative requests to [EMAIL PROTECTED]
> --------------------------------------------------------------------
