Mark Smith wrote:
> ...
> > So is this a statement that the approach is not useful in 
> government 
> > networks, or a statement that the tool is inadequate 
> because it does 
> > not solve the government network problems?
> > 
> 
> I think it is inadequate, because it doesn't provide the 
> resolution necessary to implement a number of customers' 
> security access requirements. My examples above hopefully show that.

The examples show there are environments more complex than a simple tool can
deal with. That does not make the tool inadequate for the simple
environments. 

> ...
> > This shows IPv4 thinking, where the network has a single 
> prefix / L2. 
> > While I agree the initial deployments will likely mirror the IPv4 
> > network, there is no reason to preclude having additional 
> prefixes / 
> > L2, where the reachability characteristics are different.
> > 
> 
> I agree.
> 
> But unless we are going to be able to allocate IPv6 addresses 
> to applications*, I don't think route filtering is ever going 
> to be as effective as packet filtering on individual network 
> layer addresses and / or TCP / UDP ports. And that is a very 
> common security request.

Yes, that is a common security request, but it falls flat on its face when
the TCP/UDP ports are masked by IPsec, or simply spoofed by the application
(i.e. both ends agree that 80 is a remote file mount). To your earlier
comment that filtering is free: it really isn't. Yes, it is included in the
box, but doing the work requires time (increased app latency) or dedicated
hardware (increased device cost), so it isn't free. 

* To some degree this is the deployment model. Not to explicitly allocate an
address to an individual app, but to allocate addresses with the
characteristics of 'local use' and 'global use', then have the apps bind to
the appropriate one. If a local policy is more complex than the simple two
layers, it will need additional (out of scope for this approach) mechanisms
to sort out which app should be bound to which address.

Tony

... Please send a pointer to the Gleitz/Bellovin paper

> 
> Regards,
> Mark.
> 
> * Peter M. Gleitz and Steve Bellovin have written a paper 
> called "Transient Addressing for Related Processes: Improved 
> Firewalling by Using IPV6 and Multiple Addresses per Host", 
> which seems to suggest doing this. I've only had a chance to 
> briefly read the abstract, so I don't know how feasible or 
> practical it would be to deploy this idea. 
> 


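Added illustration (not part of this thread or of either author's work): the two-layer 'local use' / 'global use' model described above, written as a host-side source-address selection policy. Host addresses, the app scopes and the destination addresses are constructed; 'local use' is taken to mean ULA (fc00::/7) and 'global use' global unicast (2000::/3).

```python
import ipaddress
from typing import List, Optional

# Constructed example of the simple two-layer address model: a host holds one
# 'local use' (ULA) and one 'global use' address, and each application is bound
# to the address matching the reachability it is allowed to have.
ULA = ipaddress.ip_network("fc00::/7")              # 'local use'
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")   # 'global use'

# Constructed host addresses: link-local, ULA and a documentation-prefix global.
HOST_ADDRS = ["fe80::1", "fd00:1234::10", "2001:db8::10"]


def scope_of(addr: str) -> str:
    """Classify an IPv6 address as 'local', 'global' or 'other'."""
    ip = ipaddress.IPv6Address(addr)
    if ip in ULA:
        return "local"
    if ip in GLOBAL_UNICAST:
        return "global"
    return "other"


def choose_source(app_scope: str, dest: str, host_addrs: List[str]) -> Optional[str]:
    """Return the host address an application should bind to for 'dest'.

    app_scope is 'local' (on-site only) or 'global'. A 'local' app is never
    given a global source address, so even if a router's route filter on the
    ULA prefix is the only enforcement point it cannot exchange traffic with
    off-site peers. None means policy forbids the destination or the host has
    no address of the required scope.
    """
    dest_scope = scope_of(dest)
    if dest_scope == "other":
        return None
    if app_scope == "local" and dest_scope != "local":
        return None  # policy: a local-only app must not talk to global peers
    # Prefer the address whose scope matches the peer's scope.
    for a in host_addrs:
        if scope_of(a) == dest_scope:
            return a
    return None


if __name__ == "__main__":
    print(choose_source("local", "fd00:1234::20", HOST_ADDRS))   # fd00:1234::10
    print(choose_source("local", "2001:db8:1::5", HOST_ADDRS))   # None
    print(choose_source("global", "2001:db8:1::5", HOST_ADDRS))  # 2001:db8::10
    print(choose_source("global", "fd00:1234::20", HOST_ADDRS))  # fd00:1234::10
```

A policy with more than two layers, as the note above says, needs a richer mechanism than this scope match to decide which app gets which address.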
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------