[125831] in North American Network Operators' Group
Re: Rate of growth on IPv6 not fast enough?
daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Apr 23 14:19:55 2010
From: Owen DeLong <owen@delong.com>
In-Reply-To: <4BD1D5DA.80202@matthew.at>
Date: Fri, 23 Apr 2010 11:10:08 -0700
To: matthew@matthew.at
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Apr 23, 2010, at 10:16 AM, Matthew Kaufman wrote:
> Jack Bates wrote:
>> Matthew Kaufman wrote:
>>> But none of this does what NAT does for a big enterprise, which is to *hide internal topology*. Yes, addressing the privacy concerns that come from using lower-64-bits-derived-from-MAC-address is required, but it is also necessary (for some organizations) to make it impossible to tell that this host is on the same subnet as that other host, as that would expose information like which host you might want to attack in order to get access to the financial or medical records, as well as whether or not the executive floor is where these interesting website hits came from.
>>>
>>
>> Which is why some firewalls already support NAT for IPv6 in some form or fashion. These same firewalls will also usually have layer 7 proxy/filtering support as well. The concerns and breakage of a corporate network are extreme compared to non-corporate networks.
> Agreed on the last point. And I'm following up mostly because I've received quite a few private messages that resulted from folks interpreting "hide internal topology" as "block access to internal topology" (which can be done with filters). What I mean when I say "hide internal topology" is that a passive observer on the outside, looking at something like web server access logs, cannot tell how many subnets are inside the corporation or which accesses come from which subnets. (And preferably, cannot tell whether or not two different accesses came from the same host or different hosts simply by examining the IP addresses... but yes, application-level cooperation -- in the form of a browser which keeps cookies, as an example -- can again expose that type of information)
>
So can TCP fingerprinting and several other techniques.
Finally, the belief that hiding the number of subnets or which hosts share subnets is a meaningful enhancement to security is dubious at best.
Owen
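The exchange above turns on what a passive observer can read out of a web server's access log when clients arrive with untranslated IPv6 addresses. The script below is an added example written for this archive page, not code from anyone in the thread: it takes a few constructed common-log-format lines (sample data, no real hosts), groups the client addresses by /64, counts hits and distinct hosts per subnet, and flags interface identifiers that look MAC-derived (the 0xfffe marker of a modified EUI-64 identifier, RFC 4291 Appendix A). A second function shows the same log after every client has been translated to one public address, which is the "hide internal topology" effect Matthew describes. Running it against your own logs is a quick way to see what your site is exposing before deciding whether that exposure matters.

```python
"""Audit what an outside observer can infer about internal IPv6 topology
from a web server's access log: number of /64 subnets seen, distinct hosts
per subnet, and hosts whose interface identifier is EUI-64 (MAC-derived)
and therefore stable across sessions."""
import ipaddress
from collections import defaultdict

# Constructed sample access log lines (not from any real server). The client
# address is the first field, as in the common and combined log formats.
# 2001:db8::/32 is the documentation prefix; the hosts below are made up.
SAMPLE_LOG = """\
2001:db8:10:1:21a:2bff:fe3c:4d5e - - [23/Apr/2010:10:16:01 -0700] "GET /index.html HTTP/1.1" 200 1024
2001:db8:10:1:21a:2bff:fe3c:4d5e - - [23/Apr/2010:10:16:05 -0700] "GET /reports/q1 HTTP/1.1" 200 5120
2001:db8:10:1:8f3e:91a2:7c44:0d10 - - [23/Apr/2010:10:17:12 -0700] "GET /index.html HTTP/1.1" 200 1024
2001:db8:10:7:2f7:8bff:fe12:3456 - - [23/Apr/2010:10:18:30 -0700] "GET /careers HTTP/1.1" 200 2048
2001:db8:10:7:9c1d:5b0e:22aa:41ff - - [23/Apr/2010:10:19:44 -0700] "GET /index.html HTTP/1.1" 200 1024
2001:db8:ffff:1::abcd - - [23/Apr/2010:10:20:00 -0700] "GET /index.html HTTP/1.1" 200 1024
"""


def parse_client_addresses(log_text):
    """Return the IPv6 client address from every parseable log line."""
    addrs = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        token = line.split()[0]
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue  # malformed line or non-address first field
        if addr.version == 6:
            addrs.append(addr)
    return addrs


def is_eui64_interface_id(addr):
    """Heuristic for a modified EUI-64 interface identifier: the 16 bits
    0xfffe sit in the middle of the low 64 bits (address bytes 11 and 12).
    Such an identifier is derived from the NIC's MAC address and does not
    change between sessions, so it links accesses to one physical host."""
    packed = addr.packed
    return packed[11:13] == b"\xff\xfe"


def summarize_by_subnet(addrs, prefixlen=64):
    """Group client addresses by /prefixlen and report, per subnet, the hit
    count, the number of distinct hosts and how many of those hosts use a
    MAC-derived identifier. Keys are network strings like '2001:db8:10:1::/64'."""
    hits = defaultdict(int)
    hosts = defaultdict(set)
    for addr in addrs:
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        hits[net] += 1
        hosts[net].add(addr)
    summary = {}
    for net in sorted(hits):
        summary[str(net)] = {
            "hits": hits[net],
            "hosts": len(hosts[net]),
            "eui64_hosts": sum(1 for a in hosts[net] if is_eui64_interface_id(a)),
        }
    return summary


def nat_view(addrs, public_address):
    """The same observer's view once every internal client is translated to
    a single public address: one subnet, one apparent host, no EUI-64."""
    public = ipaddress.ip_address(public_address)
    return summarize_by_subnet([public for _ in addrs])


if __name__ == "__main__":
    clients = parse_client_addresses(SAMPLE_LOG)
    print("Untranslated clients, grouped by /64:")
    for net, info in summarize_by_subnet(clients).items():
        print(f"  {net:24} hits={info['hits']} hosts={info['hosts']} "
              f"eui64_hosts={info['eui64_hosts']}")
    print("Same log behind one translated address:")
    for net, info in nat_view(clients, "2001:db8:ffff:ffff::1").items():
        print(f"  {net:24} hits={info['hits']} hosts={info['hosts']}")
```

On the sample data the untranslated view shows three /64s with two hosts each in the first two, and one host in each pair presenting a stable MAC-derived identifier. Temporary addresses (RFC 4941) would remove the host linkage within a subnet but leave the /64 grouping intact, which is precisely the distinction Matthew draws between hiding hosts and hiding subnets.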