To: "'Keith Moore'" <moore@cs.utk.edu>, "Hallam-Baker, Phillip" <pbaker@verisign.com>
Cc: "'Randy Bush'" <randy@psg.com>, alh-ietf@tndh.net, ngtrans@sunroof.eng.sun.com, namedroppers@ops.ietf.org, ipng@sunroof.eng.sun.com, dnsop@cafax.se
From: "Hallam-Baker, Phillip" <pbaker@verisign.com>
Date: Thu, 9 Aug 2001 08:15:19 -0700
Sender: owner-dnsop@cafax.se
Subject: RE: (ngtrans) Joint DNSEXT & NGTRANS summary
> Understood. But very little of that security benefit is
> really due to NAT; most of it is due to the fact that
> connections have to be initiated from within. That's
> certainly an artifact of NAT (actually NAPT) but it can
> be done just as easily without translating addresses.

Unfortunately the problem with anything labelled 'security' is that once it is installed it is practically impossible to shift. We still have people who refuse to countenance moving from DES, which has been broken in practice, to AES because they don't know how secure AES will prove... well duuhh, it ain't gonna be worse than DES. So we give them 3DES rather than argue.

Co-opting the NAT box as you suggest to become a 6to4-type box is the real answer. Wishing they will go away is simply futile.

Phill