Home page logo
/

nanog logo nanog mailing list archives

Re: Private port numbers?
From: "Crist Clark" <crist.clark () globalstar com>
Date: Thu, 14 Aug 2003 11:41:25 -0700


Lars Higham wrote:

It's a good idea, granted, but isn't this covered by IPv6 administrative
scoping?

That's the network layer, not the transport layer. IPv6 scoping has the 
potential to be very helpful for private addressing since it's fundamentally
built into the protocol, as opposed to RFC1918 addresses which are just 
kinda an afterthought. This means that, by default, vendor products should
DTRT with respect to scoped addresses, and administrators have more 
effective tools.

However, giving administrators more tools is not always a good thing. I
fully expect to see the clueless, the same people who don't filter 
RFC1918 spoofs at their border now, open up their border routers to let in
privately scoped addresses from the outside world. And I expect there will
be ISPs that let privately scoped addresses pass over their networks 'cause
some clueless customers, with $$$ contracts, want to pass the traffic between
different sites. And some vendors will ship with bad defaults and bugs.

So, I expect private networks with global connectivity (kind of an oxymoron,
but you know what I mean) will be easier to set up and set up more securely
with IPv6. But it's no magic bullet. There will be some brilliant fools out
there who manage to shoot themselves in the foot. That problem will never
go away. Unfortunately, besides shooting themselves, these people cause
some collateral damage too (just like this worm that started the discussion).

We'll have to wait until IPv6 is widely deployed to really see how all of
that works out.
-- 
Crist J. Clark                               crist.clark () globalstar com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]