-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 4/23/2010 06:17, Clue Store wrote:
But none of this does what NAT does for a big enterprise, which is to *hide internal topology*. Yes, addressing the privacy concerns that come from using lower-64-bits-derived-from-MAC-address is required, but it is also necessary (for some organizations) to make it impossible to tell that this host is on the same subnet as that other host, as that would expose information like which host you might want to attack in order to get access to the financial or medical records, as well as whether or not the executive floor is where these interesting website hits came from.
Matthew Kaufman
Yeh that information leak is one reason I can think of for supporting NAT for IPv6. One of the inherent security issues with unique addresses I suppose.
<flame-suit-on>
What makes you think that not using NAT exposes internal topology?? I have many cases where either filtering at layer-2 or NAT'ing a /48 for itself (or proxy-arp for those that do not have kits that can NAT IP blocks as itself) does NOT expose internal topology. Get your filtering correctly setup, and there is no use for NAT/PAT in v6.
NAT was designed with one puropose in mind ..... extending the life of v4... period! The so called security that most think NAT gives them is a side effect. NAT/PAT also breaks several protocols (PASV FTP, H.323, etc) and I for one will be happy to see it go. I think it's a mistake to include NAT in v6 because there are other methodologies of accomplishing all of the side effects that everyone is use to seeing NAT provide without having to actually translate IP's or ports.
I for one (as well as alot of other folks I know) am not/will not be using any kind of NAT moving forward.
</flame-suit-on>
I'm not really advocating NAT for v6. I'm just saying it's one valid security issue with using any sort of globally unique IP address (v4 or v6), in that analyzing a bunch of traffic from a particular netblock would allow one to build a topology map. It's easier with IPv6 since you can presume most if not all addresses are on /64s out of a /48 (so look to the fourth quad for the "subnet ID"). Obviously if someone is super concerned with revealing this sort of info there are other things besides NAT they can do, such as using a proxy server(s) for various internet applications, transparent proxies, etc. But it is a valid security concern for some. Also, is that your real name? ;-) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkvRozwACgkQ2fXFxl4S7sSACQCfeRfk5VmKjkW2SYkn/gZl53Ng Q0cAoKsQTGdTTBaEg1paE44yTNVy2OSQ =WAPA -----END PGP SIGNATURE-----