[ale] IPv6 vs IPv4 (was: uptime)

Jeff Hubbs jhubbslist at att.net
Wed Mar 17 22:59:14 EDT 2010


What does a greybeard need to do today if they'd like to start putting 
IPv4 behind them?


On 3/17/10 10:55 PM, Michael B. Trausch wrote:
> On 03/17/2010 10:03 PM, Jim Popovitch wrote:
>    
>> Well, that brings up the usual IPv4 vs IPv6 interest:-). So a measure
>> of security comes from IPv4 but not IPv6...yet another reason to delay
>> IPv6:-)
>>      
> Oh, we of short memories.
>
> Prior to the introduction of NAT, all there was for network protection
> were good old-fashioned firewalls.  And thankfully, that is the world
> that we will be returning to.  The thing that we broke with NAT---true
> end-to-end communication amongst nodes on the Internet---is something
> that we will get back.
>
> I expect that consumer routers that support IPv6 will have a policy
> configured by default that is very much like what a firewall is set-up
> for for IP masquerading.  For example, outbound packets being permitted
> always and inbound packets being permitted only if they are part of an
> established connection or are somehow related to other packets that have
> gone out.  This is enough to keep most average people running Windows
> boxes safe, as it (nearly) provides the same behavior that we get with
> IP masquerading, though we don't have to do any sort of IP or port
> translation or mess with protocols like SIP which encode their endpoint
> addresses directly in the application-layer protocol stream.
>
> Woe be unto businesses.  They'll actually have to employ or contract
> with people who know networking at a professional level again.  I'm not
> going to cry a river about that.  Any business that is operating
> computers and that has control over the network ought to have a sane
> firewall policy in place in the first place.  NAT was never introduced
> nor intended as a security measure; it was put in place to stop the
> depletion of the IPv4 address space by permitting people to have
> private networking space that wasn't routed on the Internet.  We have
> something similar in IPv6, too, because there are certainly valid
> reasons that one would want routed internal-only address space, and
> there can be very valid security reasons to use them, but that isn't
> their primary usage.  IMHO, we should have switched to IPv6 sooner,
> instead of introducing NAT, but that's just my 2¢.
>
> 	--- Mike
>
>    
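
Added example, not part of the original messages: the default policy described in the quoted reply (outbound always permitted, inbound only for established or related flows, no address or port translation) written as an nftables ruleset for a Linux-based IPv6 router. The interface names wan0 and lan0 and the table name gw6 are assumptions made for illustration.

```nftables
#!/usr/sbin/nft -f
# Constructed example: stateful IPv6 policy without NAT.
# Assumed names: wan0 = upstream interface, lan0 = inside interface.

table ip6 gw6 {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to, and flows related to, traffic the inside started.
        ct state established,related accept
        ct state invalid drop

        # Outbound: anything the LAN initiates is permitted.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 errors that end-to-end IPv6 relies on (path MTU
        # discovery in particular); dropping these breaks connections.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Everything else arriving from wan0 falls through to policy drop.
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept

        # Neighbor discovery and router messages are link-local only:
        # a hop limit of 255 shows the packet was never forwarded.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert } ip6 hoplimit 255 accept

        ct state established,related accept
        ct state invalid drop

        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        icmpv6 type echo-request limit rate 10/second accept

        # Management and local services are reachable from the inside only.
        iifname "lan0" accept
    }
}
```

Hosts behind this router keep their globally routable addresses, so the ruleset rather than translation is what blocks unsolicited inbound connections; a service that should be reachable from outside needs an explicit accept rule in the forward chain.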


