
Re: Security over IPv6 networks



	Let me address this from my employment perspective, rather than
merely as a Debian package maintainer, as an IPv6 network administrator.

	The fact that companies use NAT with RFC1918 addresses
internally is by no means a fool-proof method of security. It's more
security through obscurity and generally leads to lazy system security
of the machines within the network on those RFC1918 addresses. So the
fear of using global unicast IPv6 addresses scares these admins, as it
means those machines might be reachable. The better solution is to
invest in a firewall that can still filter unwanted traffic AS WELL AS
making sure that proper security maintenance is taken for the machines
within the network.

	Here locally we don't use RFC1918 space as we have an IPv4 /19
and an IPv6 /40 available to use, and we just maintain proper security
policies on all machines as well as a well-defined security policy for
ingress and egress filtering...

	Of course the highest security, if you're that paranoid, is
simply not to put a computer on the internet at all. Any machine put on
the internet is a target for attempts to be made against it, or for
operator errors such as opening an attachment that turns out to be a
virus or trojan...

	I'm curious as to why you feel site-local IPv6 addressing would
not be a solution. There have been quite a number of debates on the use
of site-local, but those are typically over publicly visible DNS
entries and such... Like RFC1918 space, site-local IPv6 addresses are not
meant for global IPv6 routability. They are intended for hosts which want
IPv6 support internally with no external IPv6 access. There is nothing,
though, to say you could not set up a proxy that all external IPv6 access
would be forced to go through.

	Jeremy T. Bouse

On Wed, Mar 12, 2003 at 05:12:07PM +0100, BEGIN, Thomas wrote:
> Hello,
> Security... that's a core problem for a lot of engineers!
> 
> With IPv4, a lot of enterprise networks were set up with private addresses (e.g. 10.x.x.x). That implies that computers inside the network are unreachable from outside (e.g. the Internet).
> 
> Since IPv6 offers a large scale of addresses, I've heard that
> companies could address their machines with global unicast addresses
> (public addresses) and also benefit fully from IPsec and peer to peer
> applications.
> That's nice and it is said that it should improve security (IPsec
> totally used from sender to receiver).
> But on the other hand, isn't it dangerous to address machines with
> global unicast addresses and thus make them reachable directly from
> anywhere and by anybody... Besides, NAT is often acknowledged as a good
> shield to secure networks.
> 
> Then is it really possible to protect IPv6 networks (with global
> unicast addresses) as safely as IPv4 networks using NAT?
> 
> I realize this is a big topic and maybe there is no easy response,
> but getting high-performance security is a fundamental factor for
> the deployment of IPv6.
> 
> But if you have any idea (know enterprises that use public addresses
> for their network) please let me know ...
> 
> -Thomas
> 
> PS: using site local addresses inside IPv6 networks doesn't solve the
> problem ... ;-))
> 

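As an added illustration of the point made above (not part of either mail, and not the list's or Debian's own configuration): the "unreachable from outside" property that NAT gave IPv4 networks is really just a stateful default-deny on inbound connections, and a firewall in front of globally addressed IPv6 hosts can provide exactly that, plus the ingress and egress filtering the reply mentions. The nftables ruleset below assumes a border router with eth0 towards the upstream and eth1 towards the LAN, and uses the documentation prefix 2001:db8:100::/40 and a hypothetical mail host 2001:db8:100::25 in place of a real site prefix and servers. The one IPv6-specific caveat it encodes is that ICMPv6 cannot simply be dropped the way many IPv4 rulesets drop ICMP: Neighbor Discovery, Router Advertisements and Path MTU Discovery all depend on it.

```nft
#!/usr/sbin/nft -f
# Added example: stateful default-deny IPv6 filtering for a LAN that uses
# global unicast addresses. Assumptions (not from the original mail):
# upstream interface eth0, LAN interface eth1, site prefix 2001:db8:100::/40
# (documentation space standing in for the real /40), mail host 2001:db8:100::25.
flush ruleset

define wan  = eth0
define lan  = eth1
define site = 2001:db8:100::/40

table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 the router itself needs: errors, PMTUD, and Neighbor
        # Discovery (router/neighbor solicitation and advertisement).
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request,
                      nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept

        # Manage the router from the LAN side only.
        iif $lan tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Ingress: no new connection from the outside reaches a LAN host unless
        # listed here. This is the property NAT provided for IPv4 as a side effect.
        # ICMPv6 errors and PMTUD must still be forwarded or TCP will stall.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request } accept
        iif $wan oif $lan ip6 daddr 2001:db8:100::25 tcp dport 25 accept  # assumed mail host

        # Egress: only traffic sourced from our own prefix may leave. Site-local
        # addresses (fec0::/10) are not globally routable and never go out.
        iif $lan oif $wan ip6 saddr fec0::/10 drop
        iif $lan oif $wan ip6 saddr $site ct state new accept

        # Any other source leaving the LAN is spoofed or misconfigured: log and drop.
        iif $lan oif $wan log prefix "ipv6-egress-drop " drop
    }
}
```

Load it with `nft -f` on the router. The forward chain's `policy drop` is what does the work: a LAN host with a global address is addressable from the Internet, but nothing reaches it except replies to connections it opened and the explicitly listed services, which is no weaker than a NAT box. The egress rules add what NAT never did: a host that has been compromised cannot spray traffic from spoofed or site-local source addresses, and the log line gives the operator a signal that something inside is misbehaving.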