[ipv6hackers] Pros and Cons of Address Randomization

Beat Rubischon beat at 0x1b.ch
Mon Dec 10 08:57:38 CET 2012


Hello!

I follow your discussion with a lot of interest. One point I'd like to
mention is the fact that we still need IPv4 for ages on our LANs, and a lot of
interesting concepts provided by IPv6 are meaningless until we have pure
IPv6-only networks. Dual stack is still the only possibility to keep
compatibility with the existing internet. I played with NAT-PT, TRT and
totd and it's still a big hack, nothing I would implement in a
production environment. There is simply no useful backward compatibility
built in, something which was pointed out by DJB years ago [1]. No, I
don't like his fatalism, but this article contains stuff I'm able to assist.

	[1] http://cr.yp.to/djbdns/ipv6mess.html

Is address randomization really a solution to convince our CEOs to
expose their personal PC addresses to the world? I'm pretty unsure.
At least my CEO wouldn't accept this fact.

In the meantime a lot of good stuff in IPv6 was already killed. There is
DHCPv6 to provide "static" addresses to the clients - which killed the
great feature of announcing multiple prefixes and routers to a subnet.
There are PI networks - they killed the hierarchical routing concept
which would save a lot of memory in the large border routers. And there
are gazillions of firewalls preventing end-to-end connections - why
should we allow end-to-end by the network protocol when almost everybody
kills it with more or less broken firewalls?

Applications will have to handle "connection refused" even in the IPv6
world. And they will need ways to work around these problems.

So let's kill end-to-end connectivity. Invent NATv6 and allow the
millions of networks to operate the same way as in the IPv4 world. Yes,
I know NATv6 is a bad word and most readers here will pick up their
flame throwers. I would never accept it in networks operated by myself.
But I see it as the only possibility to migrate millions of SOHO networks.

On 04.12.12 22:40, Victor Roemer wrote:
> Justifying security through obscurity simply because zebras have stripes,
> that is funny.

Well, zebras are herd animals. It could happen that an individual one is
killed by a lion, but the species will survive. I learned that computers
should be handled the same way. Losing one shouldn't be a problem as
long as you have others ;-)

Beat

-- 
     \|/                           Beat Rubischon <beat at 0x1b.ch>
   ( 0-0 )                             http://www.0x1b.ch/~beat/
oOO--(_)--OOo---------------------------------------------------
My experiences, thoughts and dreams: http://www.0x1b.ch/blog/