
Saturday, January 08, 2011

firewall-wizards Digest, Vol 55, Issue 4

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: IPv6 (Darren Reed)
2. Re: IPv6 (Dave Piscitello)
3. Re: IPv6 (Paul Melson)


----------------------------------------------------------------------

Message: 1
Date: Fri, 07 Jan 2011 12:40:39 +1100
From: Darren Reed <darren.reed@oracle.com>
Subject: Re: [fw-wiz] IPv6
To: dave@corecom.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <4D266F17.5090101@oracle.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Dave Piscitello wrote:
> ...
> Few organizations can deploy security measures for IPv6 today that are
> equivalent to what they have today with IPv4 across the board. And so
> far as I can tell from surveys and inquiries, (1) very few people are
> willing to make this trade off and (2) vendors are unwilling to
> implement IPv6 in this lame economy without a strong indication that
> they'll get a return on investment from the effort.

That is the point of why it needs to be someone like the US Government
and/or DoD saying "be available by IPv6 or you will get no work." It'll
force all of their suppliers/contractors to go to their vendors saying
"We need IPv6 capable stuff on the Internet. If you can't supply us, we
will go to someone who can/will."

Darren

------------------------------

Message: 2
Date: Fri, 07 Jan 2011 09:24:03 -0500
From: Dave Piscitello <dave@corecom.com>
Subject: Re: [fw-wiz] IPv6
To: Paul Melson <pmelson@gmail.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4D272203.3000609@corecom.com>
Content-Type: text/plain; charset="iso-8859-1"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Paul,

Administrative nightmare aside, I agree it's possible and possibly
sustainable, perhaps while some governments heed Darren's advice and
mandate implementation :-)

It certainly seems like the majority of organizations are relying on
this to prove true.

Problems will only grow as some networks evolve from

"only IPv4" to
"v4 and v6, prefer v4" to
"v4 and v6, prefer v6" to
"only v6" (not in my lifetime or perhaps my children's)

And I'm not only talking about routing/reachability here. Some of these
problems are currently seen in DNS implementations (stub and resolver
handling of responses) and servers (what people include in their zone
files and how OSs work, see this thread for a sample
http://www.tunnelbroker.net/forums/index.php?topic=747.0).

I am also not convinced that some 11th hour 59th minute "change of
heart" won't occur, and someone will convince the community of an
alternative course. A surprising number of class A's could be returned
to the allocation pool (Interop just returned one). Perhaps we'd do
better with Moskowitz's Host ID in the prolonged NAT'd world you
envision. I don't know enough about how this works to assert this but
Bob would. But I'm not certain that we really need to have statistically
publicly unique addresses for every device and RFID-enabled container,
either. This could prove to be the lazy path forward.

I say "lazy path forward" because at this point IPv6 is nearly 2 decades
old and arguably has less of a foothold than ISDN after the same time
span. Almost all of what was considered "innovation" is either enfolded
into IPv4 or proven to be less useful than imagined. I suspect a fair
number of right-thinking people are asking "is this the best we can do?
are we really only doing this because we are running out of addresses?"
I worry that we'll *only* get a bigger address space out of this
migration and that is a tragedy.

Sorry if I've rambled...

On 1/6/2011 7:00 PM, Paul Melson wrote:
> On Thursday, January 6, 2011, Dave Piscitello <dave@corecom.
>>
>> If ever the phrase "living on borrowed time" applied to the Internet, it
>> might be now. Many organizations are approaching a time when they may
>> have to accept a weaker security deployment in order to add systems
>> because they won't be able to obtain IPv4 addresses.
>
> Nah, RFC1918 reserved address spaces and NAT ensure ridiculous levels
> of internal scalability. It's an ugly administrative nightmare, but
> very much possible. And with the right public-facing services
> infrastructure, it's possible to obscure tens of thousands of servers
> behind a single IPv4 address. As an industry, we have yet to plumb
> the true depths of IP address space management. And until we do,
> where's the incentive to push for v6 adoption?
>
> PaulM
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJNJyIDAAoJEDa3DI8IpP3/F2EH/0uWNekOd+M+MYRI84MS2bQv
d75B6JJm0bBp+1HRTgz+LZerExhHOftbX9eS9pwAI8Dem3mUPsxzL8a3dtkHlJU4
IkJniBlzXx+JY8mSaPOG1wE9MH4JwkoaNxx9ry5fffOBkLXG36fwRQtMsQrM9fox
i354w9EKx+iRWxk0xiF3k2SL3Xl0Z0rzblO00pCz2Tu1FuqlYZKuvJB6QTJmJFPe
90zw0UTnKApGNi02b6mGGSEvueset8DQb34EPivQ4geCLGOv1GbVnvjurTGFbeXj
zYwCvI223+kd8h1ZNCQ504zwU//h0Lr9CNKipqX5nWJq7Xw1R5rya4GdejVC6Fg=
=tqPI
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dave.vcf
Type: text/x-vcard
Size: 220 bytes
Desc: not available
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20110107/96152fc7/attachment-0001.vcf>
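The four transition stages Dave lists ("prefer v4", "prefer v6", and the two single-stack ends) are, on a real dual-stack host, a question of destination address selection: which of the A and AAAA answers the stub resolver hands back gets tried first. The following is an added example, not code from this thread or from any of its authors. It implements the precedence rule (rule 6) of RFC 6724 with that RFC's default policy table, the glibc gai.conf-style override that flips a host to "prefer v4", and rule 1 ("avoid unusable destinations") for the failure mode where a zone publishes AAAA records but the client has no IPv6 path. The other RFC 6724 rules (scope, label matching, longest matching prefix) are left out, and the sample answers are constructed from documentation address ranges rather than real lookups.

```python
"""Destination-address ordering for the dual-stack stages above.

Added example, not code from the firewall-wizards thread. It implements
RFC 6724 rule 6 (prefer higher precedence) with the RFC's default policy
table, plus rule 1 (avoid unusable destinations) for the case where AAAA
records exist but the host has no IPv6 route. The remaining RFC 6724
rules are omitted. Sample addresses are constructed from documentation
ranges (RFC 5737 / RFC 3849), not real resolver answers.
"""
import ipaddress
from typing import Iterable, List, Tuple

# RFC 6724 section 2.1 default policy table as (prefix, precedence).
# Higher precedence wins; ::ffff:0:0/96 is where every A record lands.
DEFAULT_POLICY_TABLE: List[Tuple[str, int]] = [
    ("::1/128", 50),          # loopback
    ("::/0", 40),             # native IPv6
    ("::ffff:0:0/96", 35),    # IPv4-mapped, i.e. IPv4 destinations
    ("2002::/16", 30),        # 6to4
    ("2001::/32", 5),         # Teredo
    ("fc00::/7", 3),          # ULA
    ("::/96", 1),             # IPv4-compatible (deprecated)
    ("fec0::/10", 1),         # site-local (deprecated)
    ("3ffe::/16", 1),         # 6bone (retired)
]


def prefer_v4_table() -> List[Tuple[str, int]]:
    """The common gai.conf tweak: raise IPv4-mapped above native IPv6
    ('precedence ::ffff:0:0/96 100'), giving a 'v4 and v6, prefer v4' host."""
    return [(p, 100 if p == "::ffff:0:0/96" else prec)
            for p, prec in DEFAULT_POLICY_TABLE]


def _as_v6(addr: str) -> ipaddress.IPv6Address:
    """Map an IPv4 literal to ::ffff:a.b.c.d so one table covers both families."""
    a = ipaddress.ip_address(addr)
    return a if a.version == 6 else ipaddress.IPv6Address(f"::ffff:{a}")


def precedence(addr: str, table=DEFAULT_POLICY_TABLE) -> int:
    """Longest-prefix match of addr into the policy table; returns its precedence."""
    a = _as_v6(addr)
    best_len, best_prec = -1, 0
    for prefix, prec in table:
        net = ipaddress.IPv6Network(prefix)
        if a in net and net.prefixlen > best_len:
            best_len, best_prec = net.prefixlen, prec
    return best_prec


def order_destinations(answers: Iterable[str],
                       table=DEFAULT_POLICY_TABLE,
                       reachable_families=frozenset({4, 6})) -> List[str]:
    """Return the A/AAAA answers in the order a client should try them.

    reachable_families: the IP versions this host actually has a route for.
    Rule 1 pushes the others to the end instead of dropping them, so a
    broken AAAA still shows up in a connection log rather than vanishing.
    The sort is stable, so resolver order is kept among equals.
    """
    addrs = [ipaddress.ip_address(a) for a in answers]

    def key(a):
        unusable = a.version not in reachable_families
        return (unusable, -precedence(str(a), table))

    return [str(a) for a in sorted(addrs, key=key)]


# Constructed resolver answers: one A, one native AAAA, one 6to4 AAAA.
SAMPLE_ANSWERS = ["192.0.2.10", "2001:db8::10", "2002:c000:20a::1"]

if __name__ == "__main__":
    for name, tbl in (("prefer v6 (RFC 6724 default)", DEFAULT_POLICY_TABLE),
                      ("prefer v4 (gai.conf override)", prefer_v4_table())):
        print(f"{name}: {order_destinations(SAMPLE_ANSWERS, tbl)}")
    print("no v6 route:", order_destinations(SAMPLE_ANSWERS,
                                              reachable_families={4}))
```

On glibc systems this table lives in /etc/gai.conf, and the one-line `precedence ::ffff:0:0/96 100` override is the usual way an operator gets the "prefer v4" stage without touching DNS; the "v4 and v6, prefer v6" stage is simply the RFC default. Note that with the default table a 6to4 destination sorts below a plain IPv4 one, which is why hosts with only transition-mechanism IPv6 often still talk IPv4 to a dual-stacked server.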

------------------------------

Message: 3
Date: Thu, 6 Jan 2011 19:00:44 -0500
From: Paul Melson <pmelson@gmail.com>
Subject: Re: [fw-wiz] IPv6
To: "dave@corecom.com" <dave@corecom.com>, Firewall Wizards Security
Mailing List <firewall-wizards@listserv.icsalabs.com>
Message-ID:
<AANLkTikbbS2siMKV1jYJeQs6gg4yxS0Z-j1fWWV=8CP_@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Thursday, January 6, 2011, Dave Piscitello <dave@corecom.
>
> If ever the phrase "living on borrowed time" applied to the Internet, it
> might be now. Many organizations are approaching a time when they may
> have to accept a weaker security deployment in order to add systems
> because they won't be able to obtain IPv4 addresses.

Nah, RFC1918 reserved address spaces and NAT ensure ridiculous levels
of internal scalability. It's an ugly administrative nightmare, but
very much possible. And with the right public-facing services
infrastructure, it's possible to obscure tens of thousands of servers
behind a single IPv4 address. As an industry, we have yet to plumb
the true depths of IP address space management. And until we do,
where's the incentive to push for v6 adoption?

PaulM


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 55, Issue 4
***********************************************
