Mark Smith wrote:
> True, but in my experience in a large, multi-departmental
> government network, it is fairly common that end user security
> / access requirements don't fall neatly along route / prefix
> boundaries. Typically this is because security has crept into
> the network, triggered by attachment to the Internet.

This is inconsistent with your statement later about prefixes mapping to broadcast domains.

> In government networks, route filtering is a useful tool to
> have, but mostly it is a "nice to use", because it is too
> blunt to facilitate the security / access requirements of the
> end users.

So is this a statement that the approach is not useful in government networks, or a statement that the tool is inadequate because it does not solve the government network problems?

> Typically, the order of use of available network / transport
> layer security tools to meet common end-user requirements is:
>
> (1) "application" level - i.e. filter on TCP / UDP ports,
> possibly in combination with IPv4 source and / or destination address.
> (2) network layer - filter IPv4 source and / or destination
> IPv4 address.
> (3) route filtering
>
> Service providers, OTOH, protect their end-users by
> protecting the network itself. Route filtering is one of the
> primary tools for doing that, so (3) on my enterprise list is
> one of the (1)s on the service provider list.

SPs aren't protecting their end-users by route filtering, they are protecting their resources from other SPs.

> Since IPv6 prefixes are going to be mapped along the same
> boundaries as IPv4 prefixes i.e., layer 2 broadcast domains,
> IPv6 route filtering in a government network will be just as
> dull a tool as it is in IPv4.

This shows IPv4 thinking, where the network has a single prefix / L2. While I agree the initial deployments will likely mirror the IPv4 network, there is no reason to preclude having additional prefixes / L2, where the reachability characteristics are different.

> > The security paranoid will both remove routes, and install
> > filters, on the belief that failures will not occur in both at the
> > same time. Despite the noise about not providing security,
> > these are two mechanisms used in basic layered security models.
>
> The security paranoid, at least in a government environment,
> would *like* to perform route filtering as part of a defense
> in depth strategy in addition to filtering, but end-user
> access requirements usually put an end to that idea.

That is only because there is a single prefix shared between those needing accessibility and those wanting to be hidden. There is no requirement that a single prefix be shared this way in an IPv6 network.

Tony

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
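The following is an added illustration of the point argued in the exchange above; it is not code from the thread or from either participant. It is a toy reachability model: a longest-prefix-match route table stands in for route filtering (which can only withhold whole prefixes), and a first-match ACL stands in for address/port filtering. All prefixes, host addresses and ACL rules are constructed for the example. Design A puts a public server and a hidden host in one shared /64, so the route must be advertised and only the ACL protects the hidden host; design B gives each reachability class its own prefix on the same link, so the hidden prefix can be withheld and the ACL becomes a second, independent layer.

```python
# Added example (not from the thread): toy model contrasting one shared prefix
# per L2 segment with one prefix per reachability class. Route filtering acts
# on whole prefixes; an ACL acts on individual addresses and ports.
# All prefixes, hosts and rules below are constructed for illustration.
import ipaddress


def lookup(routes, dst):
    """Longest-prefix match over the advertised route list; None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def acl_permits(acl, dst, port):
    """First-match ACL of (network, port-or-None, action) tuples; default deny."""
    dst = ipaddress.ip_address(dst)
    for net, p, action in acl:
        if dst in ipaddress.ip_network(net) and (p is None or p == port):
            return action == "permit"
    return False


def reachable(routes, acl, dst, port):
    """Defense in depth: a packet needs both a route and an ACL permit."""
    return lookup(routes, dst) is not None and acl_permits(acl, dst, port)


# Design A (IPv4-style thinking): public web server and hidden internal host
# share one /64. The whole /64 must be advertised for the public host to be
# reachable, so the hidden host is protected by the ACL alone.
SHARED = "2001:db8:1::/64"
PUBLIC_A, HIDDEN_A = "2001:db8:1::80", "2001:db8:1::1ee7"
ROUTES_A = [SHARED]
ACL_A = [(PUBLIC_A + "/128", 80, "permit"), ("::/0", None, "deny")]

# Design B: a separate prefix per reachability class on the same link.
# The hidden prefix is simply never advertised; the ACL still applies.
PUBLIC_NET, HIDDEN_NET = "2001:db8:2::/64", "2001:db8:3::/64"
PUBLIC_B, HIDDEN_B = "2001:db8:2::80", "2001:db8:3::1ee7"
ROUTES_B = [PUBLIC_NET]  # HIDDEN_NET deliberately withheld
ACL_B = [(PUBLIC_B + "/128", 80, "permit"), ("::/0", None, "deny")]


def layers_protecting_hidden(routes, acl, hidden, port=22):
    """Count independent controls blocking traffic to the hidden host (0..2)."""
    blocked_by_route = lookup(routes, hidden) is None
    blocked_by_acl = not acl_permits(acl, hidden, port)
    return int(blocked_by_route) + int(blocked_by_acl)


if __name__ == "__main__":
    for name, routes, acl, pub, hid in [
        ("A", ROUTES_A, ACL_A, PUBLIC_A, HIDDEN_A),
        ("B", ROUTES_B, ACL_B, PUBLIC_B, HIDDEN_B),
    ]:
        print(name, "public:80 reachable:", reachable(routes, acl, pub, 80),
              "| layers protecting hidden host:",
              layers_protecting_hidden(routes, acl, hid))
```

In both designs the public service stays reachable; the difference is that design B blocks the hidden host with two independent mechanisms (no route, plus a deny rule), which is the layered model the quoted text describes, whereas design A can only ever offer one.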
