[127995] in North American Network Operators' Group
Re: Looking for comments
daemon@ATHENA.MIT.EDU (Owen DeLong)
Thu Jul 22 09:04:31 2010
From: Owen DeLong <owen@delong.com>
In-Reply-To: <AANLkTikV8eDzJdgnbQZi647283a7Ixlzj1zibN8GX2kK@mail.gmail.com>
Date: Thu, 22 Jul 2010 06:02:04 -0700
To: William Herrin <bill@herrin.us>
Cc: NANOG list <nanog@nanog.org>,
Brian E Carpenter <brian.e.carpenter@gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jul 22, 2010, at 12:49 AM, William Herrin wrote:
> On Wed, Jul 21, 2010 at 5:37 PM, Owen DeLong <owen@delong.com> wrote:
>>>> http://tools.ietf.org/html/draft-arkko-ipv6-transition-guidelines
>>> There is a third major challenge to dual-stack that isn't addressed in
>>> the document: differing network security models that must deliver the
>>> same result for the same collection of hosts regardless of whether
>>> Ipv4 or v6 is selected. I can throw a COTS d-link box with
>>> address-overloaded NAT on a connection and have reasonably effective
>>> network security and anonymity in IPv4. Achieving comparable results
>>> in the IPv6 portion of the dual stack on each of those hosts is
>>> complicated at best.
>>>
>> Actually, it isn't particularly hard at all... Turn on privacy addressing
>> on each of the hosts (if it isn't on by default) and then put a linux
>> firewall in front of them with a relatively simple ip6tables configuration
>> for outbound only.
>
>> From the lack of dispute, can I infer agreement with the remainder of
> my comments wrt mitigations for the "one of my addresses doesn't work"
> problem and the impracticality of the document's section 4.3 and 4.4
> for wide scale Ipv6 deployment?
>
No, merely resignation to the fact that you don't get it.
Owen
