On 2010-04-21 at 10:39 -0400, Edward Ned Harvey wrote:

> This is particularly interesting, because IPv6 doesn't bring much to the
> table over IPv4, except in the area of enabling p2p communications.

Publicly routed IP addresses, as many as you want. Wonderful when you hit things like Kerberos with matching forward/reverse address requirements. Also avoids the need for multiple layers of NAT, which is what various areas of Asia are looking at needing. Providing carrier-grade NAT is expensive and will have per-source-IP restrictions on parallel connections. I saw a presentation a couple of years ago on how bad Google Maps looks, in terms of tiles which don't render, as you adjust the permitted number of parallel connections. I believe this was at the 2008 Google-hosted IPv6 implementers forum. Thus the incentive for people in countries which don't have the surfeit of addresses that the USA has, and the incentive for anyone providing service internationally.

> I can think of at least one really significant way that NAT-PMP or a similar
> protocol would be more desirable than IPv6. Namely, in order for the
> inbound port to be accepted via NAT-PMP, the internal client has to
> specifically request it, and it's only valid as long as the client maintains
> the lease with the firewall.

Right, you can have firewalls with IPv6 too, with the same default-deny policy. At this point, you're into the "middlebox" terminology. This is actually independent of NAT. After all, a few years back, when NAT boxes started being produced, it was common for IPv4 stacks to support source routing, which neatly bypasses NAT's supposed security. The inbound security comes from the co-hosted firewall and turning off source routing support, not from NAT itself. NAT does help inhibit discovery, but that just deters casual attacks.

It would be nice to see a simple protocol, along the lines of NAT-PMP, which lets client devices punch small holes in firewalls. Of course, malware will just use the same client APIs, so at some point you should ask "why do we bother?" but in terms of protecting misc devices in shared subnets, it may help a bit.
> Unfortunately, it appears not many firewalls today support either NAT-PMP or
> IGD.

Consumer-grade devices commonly support IGD, a few also support NAT-PMP. Corporates tend to not like the idea of random desktops punching holes in the firewalls.

-Phil
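To make the "lease" point in the quoted text concrete, here is an added example (not from this thread or from any NAT-PMP implementation) that encodes a NAT-PMP mapping request and decodes the gateway's response per RFC 6886, then derives when the mapping expires and when a well-behaved client must renew it. The gateway response bytes are constructed for the example; the half-lifetime renewal rule follows the RFC's recommendation.

```python
import struct

NATPMP_VERSION = 0
OP_MAP_UDP, OP_MAP_TCP = 1, 2
RESPONSE_FLAG = 128  # responses carry opcode + 128
RESULT_CODES = {0: "success", 1: "unsupported version", 2: "not authorized/refused",
                3: "network failure", 4: "out of resources", 5: "unsupported opcode"}


def build_map_request(proto_op, internal_port, suggested_external_port=0, lifetime=7200):
    """12-byte mapping request: version, opcode, reserved, ports, requested lifetime (s)."""
    if proto_op not in (OP_MAP_UDP, OP_MAP_TCP):
        raise ValueError("opcode must be 1 (UDP) or 2 (TCP)")
    return struct.pack("!BBHHHI", NATPMP_VERSION, proto_op, 0,
                       internal_port, suggested_external_port, lifetime)


def parse_map_response(data, expected_op):
    """16-byte mapping response; rejects wrong version, opcode or length."""
    if len(data) != 16:
        raise ValueError("mapping response must be 16 bytes")
    version, opcode, result, epoch, internal, external, lifetime = struct.unpack("!BBHIHHI", data)
    if version != NATPMP_VERSION or opcode != RESPONSE_FLAG + expected_op:
        raise ValueError("not a response to our request")
    return {"result": RESULT_CODES.get(result, "unknown"), "gateway_epoch": epoch,
            "internal_port": internal, "external_port": external, "lifetime": lifetime}


def mapping_granted(resp):
    # A non-zero result (e.g. policy refusal) means no hole was opened.
    return resp["result"] == "success" and resp["lifetime"] > 0


def lease_expires_at(resp, granted_at):
    # The gateway drops the mapping once the lifetime elapses without renewal.
    return granted_at + resp["lifetime"]


def renewal_due_at(resp, granted_at):
    # RFC 6886 tells clients to renew at half the granted lifetime.
    return granted_at + resp["lifetime"] // 2


# Constructed gateway replies: one grant (TCP 8080 -> external 40000, 3600 s), one refusal.
SAMPLE_OK_RESPONSE = struct.pack("!BBHIHHI", 0, RESPONSE_FLAG + OP_MAP_TCP, 0, 12345, 8080, 40000, 3600)
SAMPLE_REFUSED_RESPONSE = struct.pack("!BBHIHHI", 0, RESPONSE_FLAG + OP_MAP_TCP, 2, 12345, 8080, 0, 0)
```

If the client dies or stops renewing, the mapping silently lapses at `lease_expires_at`, which is the property the quoted text contrasts with a static firewall rule.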