[101428] in North American Network Operators' Group
Re: Assigning IPv6 /48's to CPE's?
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Fri Jan 4 00:12:00 2008
To: William Herrin <herrin-nanog@dirtside.com>
Cc: Rick Astley <jnanog@gmail.com>, nanog@merit.edu
In-Reply-To: Your message of "Thu, 03 Jan 2008 10:17:37 EST."
<3c3e3fca0801030717w43ab681fp33c1cc0d116d36e0@mail.gmail.com>
From: Valdis.Kletnieks@vt.edu
Date: Thu, 03 Jan 2008 23:57:49 -0500
Errors-To: owner-nanog@merit.edu
On Thu, 03 Jan 2008 10:17:37 EST, William Herrin said:
> In my ever so humble opinion, IPv6 will not reach significant
> penetration at the customer level until NAT has been thoroughly
> implemented. Corporate information security officers will insist.
> Here's the thing: a stateful non-NAT firewall is automatically less
> secure than a stateful translating firewall. Why? Because a mistake
> configuring a NAT firewall breaks the network causing everything to
> stop working while a mistake with a firewall that does no translation
> causes data to flow unfiltered. Humans being humans, mistakes will be
> made. The first failure mode is highly preferable.
Which is why, if your site has an *actual* clue, the deployed hosts *also*
have their own iptables/ipfilters/whatever-windows-calls-it rulesets that
say what hosts are allowed to talk to them. So on the server, I can do:
ip6tables -A tcp-in ! -s 2001:468:c80::/48 -p tcp --dport 22 -j DROP
Now, even if our firewall guys fumble-finger something, I won't get
SSH connections coming in from outside AS1312.
Of course, I can't talk about business pressures from customers that have
incompetent security officers that don't understand stuff like multiple
layers of defense...
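As an added example (not code from the original message), a small POSIX shell script that generates the host-level ip6tables ruleset the post describes, with the /48 and the tcp-in chain taken from the post; the SSH_PORT variable and the surrounding INPUT rules (loopback, established flows, ICMPv6) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original NANOG message: the host-side ip6tables
# ruleset the post sketches, emitted as text so it can be reviewed (or diffed
# against the running config) before anything is applied. The prefix is the
# one quoted in the post; SSH_PORT and the INPUT scaffolding are assumptions.
SITE_PREFIX="${SITE_PREFIX:-2001:468:c80::/48}"
SSH_PORT="${SSH_PORT:-22}"

# Print the rules for the host's INPUT path. Order matters: loopback,
# existing flows and ICMPv6 are accepted first (IPv6 neighbour discovery and
# PMTU discovery depend on ICMPv6, so dropping it breaks the host), then new
# TCP SYNs go through tcp-in, where SSH from outside the site prefix is dropped
# regardless of what the perimeter firewall lets through.
ip6_rules() {
    cat <<EOF
ip6tables -N tcp-in 2>/dev/null
ip6tables -F tcp-in
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -p tcp --syn -j tcp-in
ip6tables -A tcp-in ! -s ${SITE_PREFIX} -p tcp --dport ${SSH_PORT} -j DROP
EOF
}

# Number of DROP rules in the generated set: a quick self-check that the
# SSH restriction is present exactly once before applying.
drop_rule_count() {
    ip6_rules | grep -c -- '-j DROP'
}

# Apply only when explicitly asked (needs root); the default is print-only.
# The INPUT rules are appended, so flush INPUT first if re-running.
case "${1:-show}" in
    apply) ip6_rules | sh ;;
    *)     ip6_rules ;;
esac
```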