[81864] in North American Network Operators' Group


Re: OMB: IPv6 by June 2008

daemon@ATHENA.MIT.EDU (Joe Maimon)
Fri Jul 1 11:38:13 2005

Date: Fri, 01 Jul 2005 11:37:24 -0400
From: Joe Maimon <jmaimon@ttec.com>
To: "Christopher L. Morrow" <christopher.morrow@mci.com>
Cc: Mohacsi Janos <mohacsi@niif.hu>,
	"Fergie (Paul Ferguson)" <fergdawg@netzero.net>, nanog@merit.edu
In-Reply-To: <Pine.GSO.4.58.0507011451070.7139@parapet.argfrp.us.uu.net>
Errors-To: owner-nanog@merit.edu




Christopher L. Morrow wrote:
> 
> On Fri, 1 Jul 2005, Mohacsi Janos wrote:
> 
>>>This keeps coming up in each discussion about v6, 'what security measures'
>>>is never really defined in any real sense. As near as I can tell its
>>>level of 'security' is no better (and probably worse at the outset, for
>>>the implementations not the protocol itself)  than v4. I could be wrong,
>>>but I'm just not seeing any 'inherent security' in v6, and selling it that
>>>way is just a bad plan.
>>>
>>
>>Just name a few:
>>- Possibility to end-to-end IPSec.
> 
> 
> exists in v4
> 
> 
>>- Not feasible scanning of subnets remotely
> 
> 
> eh... maybe, I'm not convinced this matters anyway.
> 
If your argument is that it is "too hard" to scan that many addresses, do 
you really think that in an age of 100Gbps broadband and 100GHz home PCs 
that will really be the barrier you think it is? Or better put: Over the 
possible lifetime of v6 will that barrier remain real? And the scanner 
merely has to get lucky once. Or they can have a zombie army of scanners 
that will be statistically guaranteed to get lucky at least once.


> 
>>- Privacy enhanced addresses - not tracking usage based on addresses
> 
As if they need to keep 128 bits for the tracking to be accurate.

If everybody gets /64 then I am certain trackers will be quite happy to 
limit their tracking to that, it will serve them the same purpose.
> 
> dhcp can do this for you (v4 has mechanisms for this)
> 
> 
>>- Better ingress filtering
>>
> 
> 
> right... because gear that filters so well in v4-land will filter so much
> better in v6-land? you == crazy.
> 
> 
> All those objections aside, I'd love to see v6 more fully deployed. I'm
> not sure I see how it's going to get beyond 'research' or 'play' land,
> except for some small cases, for quite some time. It's interesting that
> the flood gates on ip space are opening at IANA though, that should
> hasten the v6 takeup/deployment :)
> 
> 
IPv6 is a classic "second system". And now we are stuck with it.
