I was reading a number of the recent Usenix papers on IPv6 transition, and the one thing that sparked a thought was the fact that there really is no "RFC 1918" space in the IPv6 world. I was wondering how many security architectures have a fundamental assumption that "you can’t get there from here"? I know that I use a NAT firewall and private address space as a main aspect of my security architecture, but when I move to IPv6, that will be gone. This does not mean that I will be more vulnerable, as a properly configured firewall will restrict traffic. However, I will have to be more purposeful in blocking traffic, where as now, I rely on a default that it just can’t be done.
Just some food for thought.
Phil
No comments:
Post a Comment