This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/address-policy-wg@ripe.net/
[address-policy-wg] Re: IPv6 addresses really are scarce after all
Keith Moore
moore at cs.utk.edu
Sun Aug 26 20:32:24 CEST 2007
subnets have proven to be a useful tool in the past, and may prove so
again in the future, even if the reasons for future use are different
than those for past and present use. I don't see why we should
constrain the network architecture to deny use of this tool to
ordinary users.

Keith

>> Assume we agree on the needed functionality. It is hard to
>> disagree and many of us have seen the need to isolate some
>> people and apparatus from others, and to assign different
>> capability to them, for many years.
>>
>
> People want security, and the threats that Michael mentions are real:
> children spying on the parent's traffic, guests abusing the access to do
> something illegal on the Internet. But subnets are not a particularly
> efficient way of solving these threats.
>
> Take the issue of guests abusing the privilege and engaging in illegal
> action. The concrete risk is that men in black will knock at your door
> and ask about said actions. Picture yourself arguing that "it obviously
> wasn't me, because the packets come from the network that I provide to
> my guests". The men in black will not be impressed, since you obviously
> have access to all the networks in your house. Your only defense will be
> to rat a specific guest, supposing of course that you are so inclined.
> Subnet or no subnet will not help you do that. Access control and logs
> will help, but these are not tied to subnets.
>
> Consider then the attacks between computers on the same network. Michael
> mentioned traffic snooping. But modern Wi-Fi networks are protected
> against that already. They negotiate different per-session keys. Even in
> promiscuous mode, the Wi-Fi card does not see the unicast traffic of the
> other stations in the network. In home networks, the key is derived from
> an initial 4-way handshake, secured by a pass-phrase. Most deployments
> use a single pass-phrase today, so teenagers could indeed develop tools
> to crack the exchange. But nothing prevents using different pass-phrases
> for different groups of users.
>
> The other risk is the active attacks between connected computers.
> However, as John pointed out, there is a lot of demand for connectivity
> between computers in the home. Many people have tried to engineer
> network topologies that follow organization or authorization boundaries,
> but mostly that makes your network expensive to run without really
> solving the issues.
>
> Also, ultimately, all forms of topology based control rely on the
> security of the home router. Do you really believe that a teenager who
> is clever enough to hack into Wi-Fi access protections will not also be
> able to hack into the home router?
>
> If we want actual protection, it is probably much easier to use end to
> end security. And in your own house, you might consider forms of social
> control, as in "OK, you hacked my computer, give me the keys of your
> car..."
>
> Frankly, I don't see users managing subnets any time soon.
>
> -- Christian Huitema