[127990] in North American Network Operators' Group


Re: Looking for comments

daemon@ATHENA.MIT.EDU (William Herrin)
Thu Jul 22 03:50:28 2010

In-Reply-To: <23B64BD6-BEDE-4A5B-A37D-81E65D36D2D4@delong.com>
From: William Herrin <bill@herrin.us>
Date: Wed, 21 Jul 2010 21:49:40 -1000
To: Owen DeLong <owen@delong.com>
Cc: NANOG list <nanog@nanog.org>,
	Brian E Carpenter <brian.e.carpenter@gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Wed, Jul 21, 2010 at 5:37 PM, Owen DeLong <owen@delong.com> wrote:
>>> http://tools.ietf.org/html/draft-arkko-ipv6-transition-guidelines
>> There is a third major challenge to dual-stack that isn't addressed in
>> the document: differing network security models that must deliver the
>> same result for the same collection of hosts regardless of whether
>> IPv4 or v6 is selected. I can throw a COTS d-link box with
>> address-overloaded NAT on a connection and have reasonably effective
>> network security and anonymity in IPv4. Achieving comparable results
>> in the IPv6 portion of the dual stack on each of those hosts is
>> complicated at best.
>>
> Actually, it isn't particularly hard at all... Turn on privacy addressing
> on each of the hosts (if it isn't on by default) and then put a linux
> firewall in front of them with a relatively simple ip6tables configuration
> for outbound only.

From the lack of dispute, can I infer agreement with the remainder of
my comments wrt mitigations for the "one of my addresses doesn't work"
problem and the impracticality of the document's section 4.3 and 4.4
for wide scale IPv6 deployment?

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
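
The "ip6tables configuration for outbound only" mentioned in the quoted reply could look like the ruleset below. This is an added example, not part of either poster's message; the function name and the interface names (eth1 as LAN, eth0 as WAN) are assumptions.

```shell
#!/bin/sh
# Added example: print an outbound-only IPv6 ruleset in ip6tables-restore
# format for a Linux router. LAN_IF / WAN_IF are caller-supplied assumptions.
# Load it as root with:  outbound_only_rules eth1 eth0 | ip6tables-restore
# Privacy (temporary) addresses on each Linux host are a separate setting:
#   sysctl -w net.ipv6.conf.<iface>.use_tempaddr=2
outbound_only_rules() {
    lan_if=$1
    wan_if=$2
    if [ -z "$lan_if" ] || [ -z "$wan_if" ] || [ "$lan_if" = "$wan_if" ]; then
        echo "usage: outbound_only_rules LAN_IF WAN_IF (must differ)" >&2
        return 1
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic addressed to the firewall itself: loopback and replies only
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # Neighbor Discovery (RS 133, RA 134, NS 135, NA 136) must be accepted or
    # IPv6 stops working on the link; hop limit 255 proves on-link origin.
    for t in 133 134 135 136; do
        echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done
    cat <<EOF
# Forwarded traffic: replies come back in, new flows start from the LAN only.
# ICMPv6 errors such as Packet Too Big match RELATED, so path MTU discovery
# keeps working without opening unsolicited inbound traffic.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}
```

Unlike address-overloaded NAT, this leaves each host's own (temporary) address visible to the remote end; only the inbound reachability is comparable.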

