On Jul 22, 2010, at 12:49 AM, William Herrin wrote: > On Wed, Jul 21, 2010 at 5:37 PM, Owen DeLong <[email protected]> wrote: >>>> http://tools.ietf.org/html/draft-arkko-ipv6-transition-guidelines >>> There is a third major challenge to dual-stack that isn't addressed in >>> the document: differing network security models that must deliver the >>> same result for the same collection of hosts regardless of whether >>> Ipv4 or v6 is selected. I can throw a COTS d-link box with >>> address-overloaded NAT on a connection and have reasonably effective >>> network security and anonymity in IPv4. Achieving comparable results >>> in the IPv6 portion of the dual stack on each of those hosts is >>> complicated at best. >>> >> Actually, it isn't particularly hard at all... Turn on privacy addressing >> on each of the hosts (if it isn't on by default) and then put a linux >> firewall in front of them with a relatively simple ip6tables configuration >> for outbound only. > >> From the lack of dispute, can I infer agreement with the remainder of > my comments wrt mitigations for the "one of my addresses doesn't work" > problem and the impracticality of the document's section 4.3 and 4.4 > for wide scale Ipv6 deployment? > No, merely resignation to the fact that you don't get it.
Owen
