[ale] IPv6 vs IPv4 (was: uptime)

Michael B. Trausch mike at trausch.us
Wed Mar 17 22:55:41 EDT 2010


On 03/17/2010 10:03 PM, Jim Popovitch wrote:
> Well, that brings up the usual IPv4 vs IPv6 interest:-). So a measure
> of security comes from IPv4 but not IPv6...yet another reason to delay
> IPv6:-)

Oh, we of short memories.

Prior to the introduction of NAT, all there was for network protection 
were good old-fashioned firewalls.  And thankfully, that is the world 
that we will be returning to.  The thing that we broke with NAT---true 
end-to-end communication amongst nodes on the Internet---is something 
that we will get back.

I expect that consumer routers that support IPv6 will have a policy 
configured by default that is very much like what a firewall is set up 
for IP masquerading.  For example, outbound packets being permitted 
always and inbound packets being permitted only if they are part of an 
established connection or are somehow related to other packets that have 
gone out.  This is enough to keep most average people running Windows 
boxes safe, as it (nearly) provides the same behavior that we get with 
IP masquerading, though we don't have to do any sort of IP or port 
translation or mess with protocols like SIP which encode their endpoint 
addresses directly in the application-layer protocol stream.

Woe be unto businesses.  They'll actually have to employ or contract 
with people who know networking at a professional level again.  I'm not 
going to cry a river about that.  Any business that is operating 
computers and that has control over the network ought to have a sane 
firewall policy in place in the first place.  NAT was never introduced 
nor intended as a security measure; it was put in place to stop the 
depletion of the IPv4 address space by permitting people to have 
private networking space that wasn't routed on the Internet.  We have 
something similar in IPv6, too, because there are certainly valid 
reasons that one would want routed internal-only address space, and 
there can be very valid security reasons to use them, but that isn't 
their primary usage.  IMHO, we should have switched to IPv6 sooner, 
instead of introducing NAT, but that's just my 2¢.

	--- Mike

-- 
Michael B. Trausch                                    ☎ (404) 492-6475
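
The default policy described in the message above (outbound always permitted, inbound only when established or related), written as an nftables ruleset. This is an added example, not part of the original post; the table name and the interface names `wan0` (upstream) and `lan0` (inside) are assumptions.

```nft
# Constructed example; wan0 (upstream) and lan0 (inside) are assumed names.
table ip6 router_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Inbound is allowed only for flows opened from inside. ICMPv6 errors
        # (e.g. packet-too-big) for a tracked flow match "related".
        ct state established,related accept
        ct state invalid drop

        # Outbound: inside hosts may open any connection. No address or port
        # rewriting happens; hosts keep their global addresses.
        iifname "lan0" oifname "wan0" accept

        # Anything else, including unsolicited traffic from wan0, hits policy drop.
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept

        # Neighbor discovery and router solicitation/advertisement; without
        # these the router cannot resolve neighbors or learn its upstream route.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } accept

        # Management and local services from the inside network only.
        iifname "lan0" accept
    }
}
```

The file can be syntax-checked with `nft -c -f <file>` before loading it with `nft -f <file>`.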

