
Re: Security over IPv6 networks



On Wed, 2003-03-12 at 17:12, BEGIN, Thomas wrote:
> Hello,
> Security... that's a core problem for a lot of engineers!
> 
> With IPv4, a lot of enterprise networks were set up with private addresses (e.g. 10.x.x.x). That implies that computers inside the network are unreachable from outside (e.g. the Internet).
> 
> Since IPv6 offers a large scale of addresses, I've heard that companies could address their machines with global unicast addresses (public addresses) and also benefit fully from IPsec and peer to peer applications.
> That's nice and it is said that it should improve security (IPsec totally used from sender to receiver).
> But on the other hand, isn't it dangerous to address machines with global unicast addresses and thus make them reachable directly from anywhere and by anybody... Besides, NAT is often acknowledged as a good shield to secure networks.
> 
> Then is it really possible to protect IPv6 networks (with global unicast addresses) as safely as IPv4 networks using NAT?
> 
> I realize this is a big topic and maybe there is no easy response, but getting high-performance security is a fundamental factor for the deployment of IPv6.
> 
> But if you have any idea (know enterprises that use public addresses for their network) please let me know ...
> 
> -Thomas
> 
> PS: using site local addresses inside IPv6 networks doesn't solve the problem ... ;-))
 
Think of IPv6 as you think of IPv4. There are also companies (or
official institutions) that are using public IPs for all workstations
on IPv4. Here you would have the same problem.

Actually, it's only a question of what traffic you allow in your
forwarding rules in your firewall. Of course, you've got to be a bit
more careful in this case, but the difference is not really that big.

-- 
Regards,
Martin List-Petersen
martin at list-petersen dot dk
--
You are scrupulously honest, frank, and straightforward.  Therefore you
have few friends.
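
The forwarding-rule approach described in the reply, sketched as an nftables ruleset for a Linux router. This is an added example, not part of the original message; the interface names `lan0` and `wan0` and the `2001:db8:1::/64` documentation prefix are assumptions. It gives globally addressed hosts the same "unreachable from outside unless they initiated the flow" property that NAT provides as a side effect.

```nftables
# Added example (not from the original thread).
# Assumptions: lan0 = inside interface, wan0 = upstream interface,
# 2001:db8:1::/64 = the site's global unicast prefix (documentation range).

table ip6 filter {
    chain forward {
        # Default-deny: anything not explicitly accepted below is dropped,
        # so inside hosts are not reachable just because they are routable.
        type filter hook forward priority 0; policy drop;

        # Replies to flows that inside hosts started. This state tracking,
        # not address translation, is what makes NAT look like a shield.
        ct state established,related accept
        ct state invalid drop

        # Anti-spoofing: only the site's own prefix may leave via wan0,
        # and nothing claiming to be the site's prefix may arrive on it.
        iifname "lan0" oifname "wan0" ip6 saddr != 2001:db8:1::/64 drop
        iifname "wan0" ip6 saddr 2001:db8:1::/64 drop

        # Outbound traffic from the inside network is allowed.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 error messages must not be blanket-dropped (RFC 4890);
        # packet-too-big in particular is needed for path MTU discovery.
        # Most of these also match as "related"; listed explicitly here.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Publishing a service is an explicit, per-host decision.
        # Constructed sample: one web server reachable on TCP 443 only.
        iifname "wan0" ip6 daddr 2001:db8:1::80 tcp dport 443 accept

        # Log what falls through to the drop policy for review.
        limit rate 5/second log prefix "fwd6-drop: "
    }
}
```

The ruleset can be syntax-checked without being loaded using `nft -c -f <file>`.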
