On 1/8/11 11:16 AM, Michael H. Warfield wrote:
> On Sat, 2011-01-08 at 10:57 -0700, James McKenzie wrote:
>> On 1/3/11 6:44 PM, Robert Nichols wrote:
>>> On 01/03/2011 06:31 PM, Michael H. Warfield wrote:
>>>> There is a widespread myth that NAT and the fact that you are on
>>>> different addresses somehow bestows upon you some measure of security.
>>>> As a leading security researcher, let me impress upon you that nothing
>>>> could be further from the truth. You can get security from the inherent
>>>> statefulness of your common consumer-grade NAT, but there are other forms
>>>> of NAT which do not convey this. Merely the fact that your addresses
>>>> are mapped does not provide you with any protection. It's the state
>>>> engine and the dynamic mapping that do this. But, SURPRISE, that's
>>>> exactly what's in a stateful firewall. There is NO intrinsic advantage
>>>> of NAT over a decent stateful firewall. None.
>>>>
>>>> IPv6 also has a number of security advantages over IPv4, not the least
>>>> of which are "no broadcast address" and "virtually impossible to
>>>> comprehensively brute force scan". That doesn't mean it can't be
>>>> scanned (the scans have to be more targeted and intelligent),
>>> ...
>>>
>>> The problem that I see is that any system to which I have ever made a
>>> connection now has a nice, routable IPv6 address back to the machine
>>> that made the connection and can start probing that machine to see if
>>> any vulnerable services might have been inadvertently left listening
>>> on that interface. No problem if it's a well-secured file server,
>>> but it could also be an internet-aware HDTV or video recorder where
>>> I have no control over the internal OS. Sounds like all traffic will
>>> now have to be routed through an external IPv6 SPI firewall
>>> appliance. You no doubt have one of those, but I certainly don't,
>>> and I suspect one would cost a bit more than my $35 NAT router, plus
>>> being a bit beyond the administrative abilities of the average home
>>> user.
>> You really have to look at the IPv6 spec. First, YOU HAVE to use
>> IPsec.
> Oh lord, WHY can we NOT make this myth go away?!?! The IPv6 spec does
> NOT mandate the USE of IPsec. It only mandates the SUPPORT of IPsec.
> To be IPv6 compliant you must support it. You do NOT have to use it.
> The IETF has tried to be very clear on this and I've sat in on some of
> the working groups discussing it. I've been on the global IPv6 network
> for over a decade now and not used IPsec on IPv6. I've used IPsec on
> IPv4 (and I'm a code contributor to the Openswan project) to help
> facilitate IPv6 tunnels over firewalls and broken (redundant) NAT
> gateways. I can use IPsec on IPv6 and, if I use IKEv2, I can even tunnel
> IPv6 directly on IPv4 in ESP (with version 1 IKE you have to use SIT on
> top of ESP in order to tunnel IPv6 on IPv4 through IPsec). But I don't
> need to, so I don't. You don't have to use IPsec.
>
You had better tell that to (ISC)2, as it is a question on their CISSP exam.

James McKenzie

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
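Michael Warfield's point above, that it is the connection-tracking state engine and not the address mapping that keeps unsolicited traffic out, and Robert Nichols's worry about a routable IPv6 TV, as an added example that is not code from this thread or from any of the posters. It is a small Python model of two gateways: a stateless 1:1 (static) NAT that only rewrites addresses, and a stateful filter that translates nothing. Constructed packets are run through both; the addresses use the documentation prefixes 2001:db8::/32, 192.168.0.0/16, 198.51.100.0/24 and 203.0.113.0/24 and the 120 s idle timeout is an assumption, not a value from any real router.

```python
"""Model of why address mapping alone is not a security boundary.

Added example, not code from the mailing-list thread. Addresses are from the
documentation prefixes (assumption); the idle timeout is illustrative.
"""
import ipaddress
from dataclasses import dataclass, replace
from enum import Enum


class Action(Enum):
    FORWARD = "forward"
    DROP = "drop"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False   # TCP SYN without ACK: attempts to open a new flow
    ack: bool = False


class StaticNat:
    """Stateless 1:1 (static) NAT: rewrites the destination of anything sent to a
    mapped external address and forwards it. There is no flow table, so every
    listening port on the mapped host is reachable from outside."""

    def __init__(self, mapping):  # external address -> internal address
        self.ext_to_int = dict(mapping)

    def inbound(self, pkt):
        inner = self.ext_to_int.get(pkt.dst)
        if inner is None:
            return Action.DROP, None          # no mapping, nothing to deliver to
        return Action.FORWARD, replace(pkt, dst=inner)


class StatefulFilter:
    """Connection-tracking filter: the part of a consumer NAT router that actually
    blocks unsolicited traffic. It translates nothing, so the same logic protects
    hosts with globally routable IPv6 addresses."""

    def __init__(self, lan_prefix, idle_timeout=120):
        self.lan = ipaddress.ip_network(lan_prefix)
        self.idle_timeout = idle_timeout
        # flow 5-tuple as seen from the LAN side -> time last seen
        self.flows = {}

    def _expire(self, now):
        self.flows = {k: t for k, t in self.flows.items()
                      if now - t < self.idle_timeout}

    def outbound(self, pkt, now=0):
        """LAN -> WAN: LAN hosts may open flows ('ct state new' from inside)."""
        self._expire(now)
        if ipaddress.ip_address(pkt.src) not in self.lan:
            return Action.DROP                # anti-spoofing: not our prefix
        self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)] = now
        return Action.FORWARD

    def inbound(self, pkt, now=0):
        """WAN -> LAN: only replies to a tracked flow ('ct state established')."""
        self._expire(now)
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.flows:
            self.flows[key] = now             # refresh the dynamic entry
            return Action.FORWARD
        return Action.DROP                    # unsolicited 'new' from outside


def static_nat_demo():
    """IPv4 static NAT: the TV's mapped public address is a path straight in."""
    nat = StaticNat({"203.0.113.10": "192.168.1.10"})
    probe = Packet("198.51.100.7", 40000, "203.0.113.10", 80, syn=True)
    action, translated = nat.inbound(probe)
    return action, translated.dst if translated else None


def stateful_ipv6_demo():
    """Routable IPv6 TV behind a stateful filter and no NAT at all."""
    tv, server, prober = "2001:db8:1::10", "2001:db8:ff::1", "2001:db8:bad::1"
    fw = StatefulFilter("2001:db8:1::/64")
    fw.outbound(Packet(tv, 50000, server, 443, syn=True), now=0)
    # the server's SYN-ACK matches the flow the TV opened: forwarded
    reply = fw.inbound(Packet(server, 443, tv, 50000, syn=True, ack=True), now=1)
    # a third party who learned the TV's address probes its web UI: dropped
    probe = fw.inbound(Packet(prober, 40000, tv, 80, syn=True), now=2)
    # even the server loses its path once the flow has idled out
    late = fw.inbound(Packet(server, 443, tv, 50000, ack=True), now=500)
    return reply, probe, late


if __name__ == "__main__":
    print("static NAT probe:", static_nat_demo())
    print("IPv6 stateful filter:", stateful_ipv6_demo())
```

The static NAT forwards the unsolicited probe to the internal host; the stateful filter forwards only the reply to the flow the TV opened and drops both the probe and the stale reply. On a real IPv6 gateway the equivalent is a forward chain whose default policy is drop, with established and related traffic accepted and only the LAN interface allowed to open new flows; unlike the IPv4 case, ICMPv6 cannot simply be blocked wholesale, since neighbor discovery and path MTU discovery depend on it.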