Matthew Kaufman wrote:
Jack Bates wrote:
Matthew Kaufman wrote:
But none of this does what NAT does for a big enterprise, which is
to *hide internal topology*. Yes, addressing the privacy concerns
that come from using lower-64-bits-derived-from-MAC-address is
required, but it is also necessary (for some organizations) to make
it impossible to tell that this host is on the same subnet as that
other host, as that would expose information like which host you
might want to attack in order to get access to the financial or
medical records, as well as whether or not the executive floor is
where these interesting website hits came from.

Which is why some firewalls already support NAT for IPv6 in some form
or fashion. These same firewalls will also usually have layer 7
proxy/filtering support as well. The concerns and breakage of a
corporate network are extreme compared to non-corporate networks.

Agreed on the last point. And I'm following up mostly because I've
received quite a few private messages that resulted from folks
interpreting "hide internal topology" as "block access to internal
topology" (which can be done with filters). What I mean when I say
"hide internal topology" is that a passive observer on the outside,
looking at something like web server access logs, cannot tell how many
subnets are inside the corporation or which accesses come from which
subnets. (And preferably, cannot tell whether or not two different
accesses came from the same host or different hosts simply by
examining the IP addresses... but yes, application-level cooperation
-- in the form of a browser which keeps cookies, as an example -- can
again expose that type of information)

And to further clarify, I don't think "hide internal topology" is
actually something that needs to happen (and can show several ways in
which it can be completely violated, including using the browser and/or
browser plugins to extract the internal addresses and send them to a
server somewhere which can map it all out). But it *is* present as a
mandatory checklist item on at least one HIPAA and two SOX audit
checklists I've seen... and IT departments in major corporations care
much more these days about getting a clean SOX audit than they do about
providing connectivity... and given how each affects the stock price,
that's not surprising.

Matthew Kaufman
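What the "passive observer on the outside, looking at something like web server access logs" can actually infer from source addresses, as an added example that is not part of this thread and not code posted by any participant. The log lines are constructed (Common Log Format, addresses in the 2001:db8::/32 documentation range) and the two rewrite functions are my own sketches: `nptv6` is a 1:1 prefix swap in the style of NPTv6 (RFC 6296), `napt66` is many-to-one NAT onto one public address; the prefixes and the public address are hypothetical. The point worth checking is the caveat: a 1:1 prefix translation preserves the subnet ID and interface ID, so the observer's subnet and host counts are unchanged; only the many-to-one form collapses them, and, as the post notes, cookies can re-expose what the addresses no longer do.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample access-log lines (Common Log Format). Addresses are in
# the documentation range 2001:db8::/32 and do not belong to any real network.
SAMPLE_LOG = """\
2001:db8:1:10::a5 - - [10/Oct/2009:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
2001:db8:1:10::b7 - - [10/Oct/2009:13:55:40 +0000] "GET /pricing HTTP/1.1" 200 1120
2001:db8:1:2a::1 - - [10/Oct/2009:13:56:01 +0000] "GET /careers HTTP/1.1" 200 4411
2001:db8:1:10::a5 - - [10/Oct/2009:13:57:12 +0000] "POST /login HTTP/1.1" 302 0
2001:db8:1:3f::77 - - [10/Oct/2009:13:58:03 +0000] "GET /about HTTP/1.1" 200 980
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_log(text):
    """Yield (client address, request line) for every parseable log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield ipaddress.ip_address(m.group("ip")), m.group("req")


def observer_view(text, prefixlen=64):
    """What an outside observer infers from source addresses alone: each
    distinct /64 is taken to be a subnet, each distinct address a host."""
    subnets = defaultdict(set)
    for ip, _ in parse_log(text):
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        subnets[net].add(ip)
    return {
        "subnets": len(subnets),
        "hosts": sum(len(hosts) for hosts in subnets.values()),
        "by_subnet": {str(n): sorted(str(h) for h in hosts) for n, hosts in subnets.items()},
    }


def rewrite_log(text, rewrite):
    """Return the log as the outside server would have recorded it if every
    client address had passed through `rewrite` on the way out."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip = ipaddress.ip_address(m.group("ip"))
            out.append(str(rewrite(ip)) + line[m.end("ip"):])
    return "\n".join(out) + "\n"


def nptv6(ip, inside="2001:db8:1::/48", outside="2001:db8:ffff::/48"):
    """1:1 prefix translation (NPTv6 style, hypothetical prefixes): swap the
    /48, keep the subnet ID and interface ID. Topology survives this."""
    ip = ipaddress.IPv6Address(ip)
    inside_net = ipaddress.ip_network(inside)
    outside_net = ipaddress.ip_network(outside)
    host_bits = int(ip) & ((1 << (128 - inside_net.prefixlen)) - 1)
    return ipaddress.IPv6Address(int(outside_net.network_address) | host_bits)


def napt66(ip, public="2001:db8:ffff::1"):
    """Many-to-one NAT (hypothetical public address): every inside host is
    recorded as the same address, so subnet and host counts collapse to one."""
    return ipaddress.IPv6Address(public)


if __name__ == "__main__":
    for label, fn in (("no NAT", lambda ip: ip), ("NPTv6", nptv6), ("NAPT66", napt66)):
        view = observer_view(rewrite_log(SAMPLE_LOG, fn))
        print(f"{label:7s} subnets={view['subnets']} hosts={view['hosts']} {view['by_subnet']}")
```

Run it as a script to see the three views side by side; the middle one is the case a SOX or HIPAA checklist item about "hiding internal topology" would not actually be satisfied by, even though it is a form of IPv6 NAT.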