Re: mh (RE: OMB: IPv6 by June 2008)

2005-07-09 Thread Daniel Senie
At 03:51 PM 7/7/2005, David Andersen wrote: On Jul 7, 2005, at 3:41 PM, Andre Oppermann wrote: Fergie (Paul Ferguson) wrote: I'd have to counter with the assumption that NATs are going away with v6 is a rather risky assumption. Or perhaps I misunderstood your point... There is one thing

Re: mh (RE: OMB: IPv6 by June 2008)

2005-07-08 Thread Jay R. Ashworth
On Thu, Jul 07, 2005 at 01:31:57PM -0700, Crist Clark wrote: And if you still want the protection of NAT, any stateful firewall will do it. That seems a common viewpoint. I believe the very existence of the Ping Of Death rebuts it. A machine behind a NAT box simply is not visible to the

Re: mh (RE: OMB: IPv6 by June 2008)

2005-07-08 Thread David Andersen
On Jul 8, 2005, at 12:49 PM, Jay R. Ashworth wrote: On Thu, Jul 07, 2005 at 01:31:57PM -0700, Crist Clark wrote: And if you still want the protection of NAT, any stateful firewall will do it. That seems a common viewpoint. I believe the very existence of the Ping Of Death rebuts it. A

Re: mh (RE: OMB: IPv6 by June 2008)

2005-07-08 Thread Fred Baker
On Jul 8, 2005, at 9:49 AM, Jay R. Ashworth wrote: A machine behind a NAT box simply is not visible to the outside world, except for the protocols you tunnel to it, if any. This *has* to vastly reduce its attack exposure. It is true that the exposure is reduced, just as it is with a

Re: mh (RE: OMB: IPv6 by June 2008)

2005-07-08 Thread Jay R. Ashworth
On Fri, Jul 08, 2005 at 01:15:42PM -0400, David Andersen wrote: On Jul 8, 2005, at 12:49 PM, Jay R. Ashworth wrote: On Thu, Jul 07, 2005 at 01:31:57PM -0700, Crist Clark wrote: And if you still want the protection of NAT, any stateful firewall will do it. That seems a common viewpoint.

Re: mh (RE: OMB: IPv6 by June 2008)

2005-07-08 Thread Iljitsch van Beijnum
On 8-jul-2005, at 19:34, Fred Baker wrote: A NAT, in that context, is a stateful firewall that changes the addresses, which means that the end station cannot use IPSEC to ensure that it is still talking with the same system on the outside. It is able to use TLS, SSH, etc as transport

Re: mh (RE: OMB: IPv6 by June 2008)

2005-07-08 Thread Crist Clark
Jay R. Ashworth wrote: On Fri, Jul 08, 2005 at 01:15:42PM -0400, David Andersen wrote: On Jul 8, 2005, at 12:49 PM, Jay R. Ashworth wrote: On Thu, Jul 07, 2005 at 01:31:57PM -0700, Crist Clark wrote: And if you still want the protection of NAT, any stateful firewall will do it. That

Re: mh (RE: OMB: IPv6 by June 2008)

2005-07-08 Thread Crist Clark
Fred Baker wrote: [snip] A NAT, in that context, is a stateful firewall that changes the addresses, which means that the end station cannot use IPSEC to ensure that it is still talking with the same system on the outside. [snip] No, you can't use AH, but yes, you can use IPsec through NAT.

Re: mh (RE: OMB: IPv6 by June 2008)

2005-07-08 Thread Sean Doran
On 7 Jul, 2005, at 21:10, Steven M. Bellovin wrote: Real firewalls pass inbound traffic because a state table entry exists. NATs do the same thing, with nasty side-effects. There is no added security from the header-mangling. To which Len Bosak quipped a few years ago: If you don't know

Re: mh (RE: OMB: IPv6 by June 2008)

2005-07-08 Thread Sean Doran
On 8 Jul, 2005, at 18:34, Fred Baker wrote: A NAT, in that context, is a stateful firewall that changes the addresses, which means that the end station cannot use IPSEC to ensure that it is still talking with the same system on the outside. Only if you define IPSEC narrowly as AH in

Re: mh (RE: OMB: IPv6 by June 2008)

2005-07-08 Thread Joseph S D Yao
On Fri, Jul 08, 2005 at 10:24:22PM +0100, Sean Doran wrote: On 7 Jul, 2005, at 21:10, Steven M. Bellovin wrote: Real firewalls pass inbound traffic because a state table entry exists. NATs do the same thing, with nasty side-effects. There is no added security from the header-mangling. To

mh (RE: OMB: IPv6 by June 2008)

2005-07-07 Thread Kuhtz, Christian
Anyone here care to share operator perspectives shim6 and the like? Do we actually have anything that anyone considers workable (not whether somebody can make it happen, but viable in a commercial environment) for mh? The information transmitted is intended only for the person or entity to

Re: mh (RE: OMB: IPv6 by June 2008)

2005-07-07 Thread Joe Abley
On 2005-07-07, at 10:10, Kuhtz, Christian wrote: Anyone here care to share operator perspectives shim6 and the like? Do we actually have anything that anyone considers workable (not whether somebody can make it happen, but viable in a commercial environment) for mh? There is no

RE: mh (RE: OMB: IPv6 by June 2008)

2005-07-07 Thread Kuhtz, Christian
From: Joe Abley [mailto:[EMAIL PROTECTED] On 2005-07-07, at 10:10, Kuhtz, Christian wrote: Anyone here care to share operator perspectives shim6 and the like? Do we actually have anything that anyone considers workable (not whether somebody can make it happen, but viable in a

Re: mh (RE: OMB: IPv6 by June 2008)

2005-07-07 Thread David Andersen
On Jul 7, 2005, at 1:09 PM, Kuhtz, Christian wrote: As an easy-to-read overview of the shim6 approach, the following rough draft may be useful: http://www.ietf.org/internet-drafts/draft-ietf-shim6-arch-00.txt Thanks, I'm fully aware of where shim6 is right now. I'm asking if anyone

RE: mh (RE: OMB: IPv6 by June 2008)

2005-07-07 Thread Kuhtz, Christian
I've been poking around with end-host / end-network multihoming at the transport and application layers. See, e.g., MONET, a multi-homed Web proxy designed to achieve high availability: http://nms.lcs.mit.edu/ron/ronweb/ In general, this kind of end-host informed multihoming has a

Re: mh (RE: OMB: IPv6 by June 2008)

2005-07-07 Thread Dave Crocker
Thanks, I'm fully aware of where shim6 is right now. I'm asking if anyone feels this is headed anywhere useful or if we got anything else we can use to facilitate mh. a shim layer seems like a promising enhancement. ietf-shim6 is taking an approach to a shim layer that will, I

Re: mh (RE: OMB: IPv6 by June 2008)

2005-07-07 Thread Fergie (Paul Ferguson)
Dave, I'd have to counter with the assumption that NATs are going away with v6 is a rather risky assumption. Or perhaps I misunderstood your point... $.02, - ferg -- Dave Crocker [EMAIL PROTECTED] wrote: [re: shim6] the effort is relying on IPv6 and on the disappearance of NATs, for v6.

Re: mh (RE: OMB: IPv6 by June 2008)

2005-07-07 Thread Andre Oppermann
Fergie (Paul Ferguson) wrote: I'd have to counter with the assumption that NATs are going away with v6 is a rather risky assumption. Or perhaps I misunderstood your point... There is one thing often overlooked with regard to NAT. That is, it has prevented many network based worms for

Re: mh (RE: OMB: IPv6 by June 2008)

2005-07-07 Thread Dave Crocker
I'd have to counter with the assumption that NATs are going away with v6 is a rather risky assumption. Or perhaps I misunderstood your point... i think we are agreeing. i think that any prediction that users will not use nats for v6 involves logic that can, at best, be called idealistic.

RE: mh (RE: OMB: IPv6 by June 2008)

2005-07-07 Thread Tony Hain
PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Crocker Sent: Friday, July 08, 2005 4:12 AM To: Kuhtz, Christian Cc: Joe Abley; NANOG list Subject: Re: mh (RE: OMB: IPv6 by June 2008) Thanks, I'm fully aware of where shim6 is right now. I'm asking if anyone feels this is headed

Re: mh (RE: OMB: IPv6 by June 2008)

2005-07-07 Thread Crist Clark
Andre Oppermann wrote: Fergie (Paul Ferguson) wrote: I'd have to counter with the assumption that NATs are going away with v6 is a rather risky assumption. Or perhaps I misunderstood your point... There is one thing often overlooked with regard to NAT. That is, it has prevented many

Re: mh (RE: OMB: IPv6 by June 2008)

2005-07-07 Thread David Andersen
On Jul 7, 2005, at 3:41 PM, Andre Oppermann wrote: Fergie (Paul Ferguson) wrote: I'd have to counter with the assumption that NATs are going away with v6 is a rather risky assumption. Or perhaps I misunderstood your point... There is one thing often overlooked with regard to NAT. That

RE: mh (RE: OMB: IPv6 by June 2008)

2005-07-07 Thread Tony Hain
PROTECTED] On Behalf Of Andre Oppermann Sent: Friday, July 08, 2005 4:42 AM To: Fergie (Paul Ferguson) Cc: [EMAIL PROTECTED]; nanog@merit.edu Subject: Re: mh (RE: OMB: IPv6 by June 2008) Fergie (Paul Ferguson) wrote: I'd have to counter with the assumption that NATs are going away

Re: mh (RE: OMB: IPv6 by June 2008)

2005-07-07 Thread Petri Helenius
Crist Clark wrote: And the counter point to that argument is that the sparse population of IPv6 space will make systematic scanning by worms an ineffective means of propagation. And by connecting to one of the p2p overlay networks you'll have a few million in-use addresses momentarily.

Re: mh (RE: OMB: IPv6 by June 2008)

2005-07-07 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Tony Hain writes: Mangling the header did not prevent the worms, lack of state did that. A stateful filter that doesn't need to mangle the packet header is frequently called a firewall (yes some firewalls still do, but that is by choice). Absolutely correct.

Re: mh (RE: OMB: IPv6 by June 2008)

2005-07-07 Thread Crist Clark
Petri Helenius wrote: Crist Clark wrote: And the counter point to that argument is that the sparse population of IPv6 space will make systematic scanning by worms an ineffective means of propagation. And by connecting to one of the p2p overlay networks you'll have a few million in-use