[125826] in North American Network Operators' Group
Re: Rate of growth on IPv6 not fast enough?
daemon@ATHENA.MIT.EDU (Matthew Kaufman)
Fri Apr 23 13:34:56 2010
Date: Fri, 23 Apr 2010 10:34:18 -0700
From: Matthew Kaufman <matthew@matthew.at>
To: matthew@matthew.at
In-Reply-To: <4BD1D5DA.80202@matthew.at>
Cc: nanog@nanog.org
Reply-To: matthew@matthew.at
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Matthew Kaufman wrote:
> Jack Bates wrote:
>> Matthew Kaufman wrote:
>>> But none of this does what NAT does for a big enterprise, which is
>>> to *hide internal topology*. Yes, addressing the privacy concerns
>>> that come from using lower-64-bits-derived-from-MAC-address is
>>> required, but it is also necessary (for some organizations) to make
>>> it impossible to tell that this host is on the same subnet as that
>>> other host, as that would expose information like which host you
>>> might want to attack in order to get access to the financial or
>>> medical records, as well as whether or not the executive floor is
>>> where these interesting website hits came from.
>>>
>>
>> Which is why some firewalls already support NAT for IPv6 in some form
>> or fashion. These same firewalls will also usually have layer 7
>> proxy/filtering support as well. The concerns and breakage of a
>> corporate network are extreme compared to non-corporate networks.
> Agreed on the last point. And I'm following up mostly because I've
> received quite a few private messages that resulted from folks
> interpreting "hide internal topology" as "block access to internal
> topology" (which can be done with filters). What I mean when I say
> "hide internal topology" is that a passive observer on the outside,
> looking at something like web server access logs, cannot tell how many
> subnets are inside the corporation or which accesses come from which
> subnets. (And preferably, cannot tell whether or not two different
> accesses came from the same host or different hosts simply by
> examining the IP addresses... but yes, application-level cooperation
> -- in the form of a browser which keeps cookies, as an example -- can
> again expose that type of information)
>
And to further clarify, I don't think "hide internal topology" is
actually something that needs to happen (and can show several ways in
which it can be completely violated, including using the browser and/or
browser plugins to extract the internal addresses and send them to a
server somewhere which can map it all out). But it *is* present as a
mandatory checklist item on at least one HIPAA and two SOX audit
checklists I've seen... and IT departments in major corporations care
much more these days about getting a clean SOX audit than they do about
providing connectivity... and given how each affects the stock price,
that's not surprising.
Matthew Kaufman
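The inference Matthew describes (a passive observer grouping web-server log entries by /64 to count subnets, and using MAC-derived interface identifiers to tie accesses to a single host) can be checked against your own logs. The following Python script is an added example, not part of the original thread or anything its participants wrote; the log lines are constructed, and the function names are assumptions. It pulls the source address from each access-log line, groups addresses by /64, flags EUI-64 interface IDs by their fixed ff:fe middle bytes, and recovers the embedded MAC so an operator can see which hosts are still exposing it (the usual mitigation is enabling RFC 4941 privacy extensions on those hosts).

```python
import ipaddress
from collections import defaultdict

# Constructed sample access-log lines (Combined Log Format, IPv6 clients).
# Two hosts on 2001:db8:1:10::/64, one of them with an EUI-64 address;
# one host on 2001:db8:1:20::/64, also EUI-64.
SAMPLE_LOG = """\
2001:db8:1:10:0211:22ff:fe33:4455 - - [23/Apr/2010:10:00:01 -0700] "GET / HTTP/1.1" 200 512
2001:db8:1:10:0211:22ff:fe33:4455 - - [23/Apr/2010:10:00:05 -0700] "GET /a HTTP/1.1" 200 512
2001:db8:1:10:5f2a:91c3:77e0:0c41 - - [23/Apr/2010:10:01:10 -0700] "GET /b HTTP/1.1" 200 512
2001:db8:1:20:0211:22ff:fe99:aabb - - [23/Apr/2010:10:02:00 -0700] "GET /c HTTP/1.1" 200 512
2001:db8:1:20:0211:22ff:fe99:aabb - - [23/Apr/2010:10:02:30 -0700] "GET /d HTTP/1.1" 200 512
not-an-address - - [23/Apr/2010:10:03:00 -0700] "GET /e HTTP/1.1" 400 0
"""


def parse_sources(log_text):
    """Return the IPv6 source address of each log line; lines that do not start
    with a parseable IPv6 address are skipped."""
    addrs = []
    for line in log_text.splitlines():
        token = line.split(" ", 1)[0]
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue
        if isinstance(addr, ipaddress.IPv6Address):
            addrs.append(addr)
    return addrs


def is_eui64(addr):
    """An EUI-64 interface identifier (RFC 4291 appendix A) always carries
    0xff 0xfe in the middle of the low 64 bits."""
    iid = addr.packed[8:]
    return iid[3] == 0xFF and iid[4] == 0xFE


def mac_from_eui64(addr):
    """Recover the 48-bit MAC from an EUI-64 interface identifier: drop the
    ff:fe filler and flip the universal/local bit back."""
    iid = addr.packed[8:]
    mac = bytearray(iid[0:3] + iid[5:8])
    mac[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in mac)


def summarize(addrs):
    """What a passive observer can read off the addresses alone:
    distinct addresses per /64 prefix, and which of them expose a MAC."""
    hosts_per_subnet = defaultdict(set)
    for addr in addrs:
        net = ipaddress.IPv6Network(f"{addr}/64", strict=False)
        hosts_per_subnet[str(net)].add(addr)
    distinct = set(addrs)
    return {
        "subnets": {net: len(hosts) for net, hosts in hosts_per_subnet.items()},
        "hosts": len(distinct),
        "eui64": sorted((str(a), mac_from_eui64(a)) for a in distinct if is_eui64(a)),
    }


if __name__ == "__main__":
    report = summarize(parse_sources(SAMPLE_LOG))
    for net, count in sorted(report["subnets"].items()):
        print(f"{net}: {count} distinct address(es)")
    for addr, mac in report["eui64"]:
        print(f"EUI-64 address {addr} exposes MAC {mac}")
```

The "hosts" figure counts distinct addresses, not hosts: a client using temporary addresses will appear as several, which is exactly the point Matthew makes about not being able to tell two accesses apart by address alone, while an EUI-64 address stays constant and even follows the interface across subnets.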