Re: Enterprise Analysis DSTM Issue
On Thu, 11 Aug 2005, Tim Chown wrote:
There's some overlap between DSTM and conventional dual stack in this
discussion. I'm saying that some (UK) people have mentioned to me that they
do not want to run dual-stack because they believe it adds complexity to
security, and thus would want to run IPv6 only, or at least IPv6-only network
infrastructure. Given the latter, if they have some dual-stack hosts,
something DSTM-like in functionality may be required. They are also
evaluating NAT-PT, etc. in light of this.
The concern expressed was the fact that two protocols are in use, and both
need to be secured, mainly with consistent policies and with some IPv6
So, if I get this correctly, the fear is about attacks on the
network infrastructure (routers, etc.), not on the end hosts?
Because as long as you WILL have v6 connectivity through [v4-in-v6
tunneling] on the end hosts, you will STILL have the same security
problems? You've just shifted them around to a different place in the
But if the assumption is that an enterprise/university could run
entirely v6-only core (routers, switches, what have you, without
[v4-in-v6 tunneling] for their management or whatever), yes, there
might be small differences.
My assumption has always been that the network admins should be
capable of securing the routers, switches, etc. properly (in any
case, the same degree they could do so with v6), but maybe my optimism
isn't shared everywhere..
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings