[127984] in North American Network Operators' Group


Re: Looking for comments

daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Jul 21 23:38:46 2010

From: Owen DeLong <owen@delong.com>
In-Reply-To: <AANLkTim0YB8EYrl2SsxQYjv5Xc6ZTqZDtpMT4M2RxqBN@mail.gmail.com>
Date: Wed, 21 Jul 2010 20:37:12 -0700
To: William Herrin <bill@herrin.us>
Cc: NANOG list <nanog@nanog.org>,
	Brian E Carpenter <brian.e.carpenter@gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

> 
> 
> There is a third major challenge to dual-stack that isn't addressed in
> the document: differing network security models that must deliver the
> same result for the same collection of hosts regardless of whether
> IPv4 or v6 is selected. I can throw a COTS d-link box with
> address-overloaded NAT on a connection and have reasonably effective
> network security and anonymity in IPv4. Achieving comparable results
> in the IPv6 portion of the dual stack on each of those hosts is
> complicated at best.
> 
Actually, it isn't particularly hard at all... Turn on privacy addressing
on each of the hosts (if it isn't on by default) and then put a Linux
firewall in front of them with a relatively simple ip6tables configuration
for outbound only.

(The Linux firewall could be as simple as a WRT-54G running
dd-wrt or such).

Owen
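The setup described in the reply above, as an added example that is not part of the original thread: a host-side sysctl fragment that turns on privacy (temporary) addressing, and a stateful ip6tables ruleset for the gateway that permits only connections the inside hosts originate, plus the ICMPv6 that IPv6 cannot work without. The interface names passed as arguments (for example eth0 as WAN and br0 as LAN) are assumptions.

```shell
#!/bin/sh
# Added example, not from the NANOG thread. Emits the two pieces the reply
# describes: per-host privacy addressing (RFC 4941 temporary addresses) and
# an outbound-only ip6tables ruleset for a Linux gateway.
# Interface names are assumptions: $1 = WAN interface, $2 = LAN interface.

# Host side: prefer temporary addresses for outgoing connections.
# Apply with: gen_privacy_sysctl | sudo tee /etc/sysctl.d/60-ipv6-privacy.conf
gen_privacy_sysctl() {
    cat <<'EOF'
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
EOF
}

# Gateway side: ruleset in ip6tables-restore format.
# Check without loading: gen_ip6_ruleset eth0 br0 | sudo ip6tables-restore --test
gen_ip6_ruleset() {
    wan="$1"; lan="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections that inside hosts opened are allowed back in.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# ICMPv6 carries neighbour discovery and router advertisements; the
# gateway itself needs it on both interfaces.
-A INPUT -p icmpv6 -j ACCEPT
# Error messages needed for path-MTU discovery may reach inside hosts.
-A FORWARD -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
# DHCPv6 client replies on the WAN side, if the upstream uses DHCPv6.
-A INPUT -i $wan -p udp --dport 546 -j ACCEPT
# Everything the inside hosts originate toward the Internet.
-A FORWARD -i $lan -o $wan -j ACCEPT
# Unsolicited inbound to the LAN falls to the FORWARD DROP policy.
COMMIT
EOF
}
```

Without a NAT there is no address hiding on the gateway, so the temporary addresses on the hosts are what stand in for the "anonymity" part; the firewall supplies the "unsolicited inbound is dropped" part.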


