[13353] in North American Network Operators' Group
Re: moving to IPv6
daemon@ATHENA.MIT.EDU (John Curran)
Mon Nov 3 14:18:17 1997
Date: Mon, 03 Nov 1997 13:49:40 -0500
To: Thomas Narten <narten@raleigh.ibm.com>
From: John Curran <jcurran@bbnplanet.com>
Cc: "Sean M. Doran" <smd@clock.org>, nanog@merit.edu
In-Reply-To: <9711031823.AA18204@cichlid.raleigh.ibm.com>
At 01:23 PM 11/3/97 -0500, Thomas Narten wrote:
>Fundamentally, security likes the idea that it trusts no one other
>than the originator of data and the ultimate destination of data. That
>means no one in between should be able to examine the data, much less
>modify any of it. That includes NATs rewritting addresses. IPSec (and
>DNSSEC) do not allow addresses to be rewritten in packets. Full Stop.
Not to be contentious, but there are valid reasons why
"addresses" should be very visible to the network and
potentially subject to modification. Just offhand,
the ability to prevent malacious attacks and hunt down
fraud are valid reasons on their own for visibility
for network operations.
I agree 100% when it comes to payload, but network
addresses serve the network as much as the packet.
To the extent that we start deploying networks with
more functionality (such as mail relaying and web
caching), then the same logic applies to DNS names.
/John
