[125830] in North American Network Operators' Group
Re: Rate of growth on IPv6 not fast enough?
daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Apr 23 14:17:39 2010
From: Owen DeLong <owen@delong.com>
In-Reply-To: <4BD1DA1A.8080203@matthew.at>
Date: Fri, 23 Apr 2010 11:14:16 -0700
To: matthew@matthew.at
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Apr 23, 2010, at 10:34 AM, Matthew Kaufman wrote:
> Matthew Kaufman wrote:
>> Jack Bates wrote:
>>> Matthew Kaufman wrote:
>>>> But none of this does what NAT does for a big enterprise, which is to *hide internal topology*. Yes, addressing the privacy concerns that come from using lower-64-bits-derived-from-MAC-address is required, but it is also necessary (for some organizations) to make it impossible to tell that this host is on the same subnet as that other host, as that would expose information like which host you might want to attack in order to get access to the financial or medical records, as well as whether or not the executive floor is where these interesting website hits came from.
>>>>
>>>
>>> Which is why some firewalls already support NAT for IPv6 in some form or fashion. These same firewalls will also usually have layer 7 proxy/filtering support as well. The concerns and breakage of a corporate network are extreme compared to non-corporate networks.
>> Agreed on the last point. And I'm following up mostly because I've received quite a few private messages that resulted from folks interpreting "hide internal topology" as "block access to internal topology" (which can be done with filters). What I mean when I say "hide internal topology" is that a passive observer on the outside, looking at something like web server access logs, cannot tell how many subnets are inside the corporation or which accesses come from which subnets. (And preferably, cannot tell whether or not two different accesses came from the same host or different hosts simply by examining the IP addresses... but yes, application-level cooperation -- in the form of a browser which keeps cookies, as an example -- can again expose that type of information)
>>
>
> And to further clarify, I don't think "hide internal topology" is actually something that needs to happen (and can show several ways in which it can be completely violated, including using the browser and/or browser plugins to extract the internal addresses and send them to a server somewhere which can map it all out). But it *is* present as a mandatory checklist item on at least one HIPAA and two SOX audit checklists I've seen... and IT departments in major corporations care much more these days about getting a clean SOX audit than they do about providing connectivity... and given how each affects the stock price, that's not surprising.
>
> Matthew Kaufman
Yes, much education is required for the audit community.
Owen
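As an added illustration, not part of this thread, of what Matthew's "passive observer on the outside" can read straight out of a web server's access log: the script below groups client IPv6 addresses by /64 (one group per internal subnet) and flags interface identifiers built from a MAC address (EUI-64, the `ff:fe` pattern), the "lower-64-bits-derived-from-MAC-address" issue mentioned above. It is written as a self-audit a defender would run over their own logs; the log lines are constructed, and the only format assumption is that the client address is the first field on each line.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample access-log lines (not real traffic); the client address
# is the first field, as in the common web server log format.
SAMPLE_LOG = """\
2001:db8:1:10:21a:2bff:fe3c:4d5e - - [23/Apr/2010:10:34:01 -0700] "GET / HTTP/1.1" 200 512
2001:db8:1:10:21a:2bff:fe3c:4d5e - - [23/Apr/2010:10:35:12 -0700] "GET /a HTTP/1.1" 200 88
2001:db8:1:10:3c5e:91ab:7f02:d6e1 - - [23/Apr/2010:10:36:40 -0700] "GET /b HTTP/1.1" 200 90
2001:db8:1:20:260:8fff:fe12:3456 - - [23/Apr/2010:10:37:05 -0700] "GET /c HTTP/1.1" 404 0
2001:db8:1:20:a1b2:c3d4:e5f6:789a - - [23/Apr/2010:10:38:33 -0700] "GET /d HTTP/1.1" 200 42
"""

ADDR_RE = re.compile(r"^(\S+)\s")  # first whitespace-delimited field


def eui64_mac(addr: ipaddress.IPv6Address):
    """Return the MAC embedded in an EUI-64 interface identifier, else None."""
    iid = addr.packed[8:]  # low 64 bits of the address
    if iid[3:5] != b"\xff\xfe":  # EUI-64 inserts ff:fe in the middle of the MAC
        return None
    # Undo the universal/local bit flip on the first octet and drop ff:fe.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def audit(log_text: str):
    """Group client addresses by /64 and report MAC-derived identifiers per subnet."""
    subnets = defaultdict(set)
    for line in log_text.splitlines():
        m = ADDR_RE.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.IPv6Address(m.group(1))
        except ipaddress.AddressValueError:
            continue  # IPv4 or malformed field; not part of this audit
        prefix = str(ipaddress.IPv6Network(f"{addr}/64", strict=False))
        subnets[prefix].add(addr)
    report = {}
    for prefix, hosts in subnets.items():
        macs = [mac for mac in (eui64_mac(h) for h in hosts) if mac]
        report[prefix] = {"hosts": len(hosts), "eui64_macs": sorted(macs)}
    return report


if __name__ == "__main__":
    for prefix, info in audit(SAMPLE_LOG).items():
        print(prefix, info)
```

Every distinct /64 in the report is one subnet the observer has learned about, and every MAC in `eui64_macs` is a host whose hardware identity follows it across networks; hosts using RFC 4941 privacy addresses show up only as an anonymous count.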