Security Concerns for IPng
Network Working Group                                        S. Bellovin
Request for Comments: 1675                        AT&T Bell Laboratories
Category: Informational                                      August 1994
Status of this Memo
This memo provides information for the Internet community. This memo
does not specify an Internet standard of any kind. Distribution of
this memo is unlimited.
Abstract
This document was submitted to the IETF IPng area in response to RFC
1550. Publication of this document does not imply acceptance by the
IPng area of any ideas expressed within. Comments should be
submitted to the mailing list.
Overview and Rationale
A number of the candidates for IPng have some features that are
somewhat worrisome from a security perspective. While it is not
necessary that IPng be an improvement over IPv4, it is mandatory that
it not make things worse. Below, I outline a number of areas of
concern. In some cases, there are features that would have a
negative impact on security if nothing else is done. It may be
desirable to adopt the features anyway, but in that case, the
corrective action is mandatory.
Firewalls
For better or worse, firewalls are very much a feature of today's
Internet. They are not, primarily, a response to network protocol
security problems per se. Rather, they are a means to compensate for
failings in software engineering and system administration. As such,
firewalls are not likely to go away any time soon; IPng will do
nothing to make host programs any less buggy. Anything that makes
firewalls harder to deploy will make IPng less acceptable in the
market.
Firewalls impose a number of requirements. First, there must be a
hierarchical address space. Many address-based filters use the
structure of IPv4 addresses for access control decisions.
Fortunately, this is a requirement for scalable routing as well.
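The dependence of address-based filters on hierarchy can be shown with a short sketch. This is an added example, not part of the memo: the site prefixes, the flat host assignment and the function names are constructed for illustration, and the IPv6 rule generalizes the memo's IPv4 remark to a longer address format.

```python
import ipaddress

def rules_needed(hosts):
    """Smallest prefix list that covers exactly these host addresses."""
    nets = (ipaddress.ip_network(h) for h in hosts)  # each host as a /32 or /128
    return list(ipaddress.collapse_addresses(nets))

def first_match(rules, src, default="deny"):
    """Evaluate an ordered (prefix, action) list the way a packet filter does."""
    addr = ipaddress.ip_address(src)
    for prefix, action in rules:
        if addr.version == prefix.version and addr in prefix:
            return action
    return default

# Constructed sample data: one site with 256 addresses.
SITE = ipaddress.ip_network("192.0.2.0/24")

# Hierarchical assignment: the site owns one contiguous, aligned block.
hierarchical_hosts = [str(a) for a in SITE]

# Flat assignment: the site's hosts are interleaved with other parties'
# hosts (here, the site holds only the even-numbered addresses).
_base = int(ipaddress.ip_address("10.0.0.0"))
flat_hosts = [str(ipaddress.ip_address(_base + 2 * i)) for i in range(256)]

# With hierarchy the whole site is one filter rule per address family.
ACL = [
    (SITE, "permit"),
    (ipaddress.ip_network("2001:db8:1::/48"), "permit"),  # assumed IPv6 site prefix
]

if __name__ == "__main__":
    print("rules, hierarchical:", len(rules_needed(hierarchical_hosts)))
    print("rules, flat:        ", len(rules_needed(flat_hosts)))
    for src in ("192.0.2.77", "198.51.100.9", "2001:db8:1::5", "2001:db8:2::5"):
        print(f"{src:>15} -> {first_match(ACL, src)}")
```

With the flat assignment no two of the site's addresses share an aligned block, so the filter needs one rule per host and the rule table grows with the host count instead of with the number of sites.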