On Mon, Mar 24, 2014 at 1:38 AM, Mark Tinka <mark.tinka@seacom.mu> wrote:
On Sunday, March 23, 2014 09:35:31 PM Denis Fondras wrote:
When speaking of IPv6 deployment, I routinely hear about host security. I feel like it should be stated that this is *in no way* an IPv6 issue. May the device be ULA, LLA, GUA or RFC1918-addressed, the device is at risk anyway.
If this is the only argument for delaying IPv6 deployment, this sounds more like FUD to me ;-)
I guess it's no surprise that host security is not an IPv4 or IPv6 issue.
It's just that with IPv4, the majority of unclean and unupdated hosts have been living behind NAT44.
In an ideal IPv6 world, all hosts have GUA's, and in this case, host security becomes a bigger problem, because now the host is directly accessible without a NAT66 in between (we hope).
NAT traversal is and has long been fairly trivial. NAT and RFC1918 provides no meaningful host protection whatsoever and never has. The only thing that limits direct access to internal networks is a stateful firewall. (Well, IPS can also drop packets.) That's true for IPv4 and for IPv6. So an enterprise relying n NAT44 and RFC1918 for internal host protection instead of a stateful firewall already has no meaningful security in place. There's no way for IPv6 to make things any worse other than puncturing the delusion under which they are currently operating. Scott