[149928] in North American Network Operators' Group
Re: Common operational misconceptions
daemon@ATHENA.MIT.EDU (Ridwan Sami)
Thu Feb 16 21:36:02 2012
Date: Thu, 16 Feb 2012 21:35:03 -0500
From: Ridwan Sami <rms2176@columbia.edu>
To: nanog@nanog.org
In-Reply-To: <CAJ0NkqhMpcrucK7twUYAX7FMzkF4ZoJX3cV5gLA36o5O-yBUJw@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
End user devices will not benefit from end-to-end connectivity (e.g., globally routeable IPv4 addresses as opposed to being in a RFC1918 space behind NAT).

If I have a wildcard DNS record, *.example.edu AAAA 2001:db8::5, then adding in an explicit record, x.example.edu AAAA 2001:db8::5, will make no visible difference.

There is no legitimate reason for a user to use BitTorrent (someone will probably disagree with this).

Our organization is not running out of IPv4 addresses so we don't need IPv6. (Similarly: Our organization is running out of IPv4 addresses so that's why we need IPv6.)

I can't use IPv6 because I still need to serve IPv4 clients.

Any IP that starts with 192 is a private IP and any IP that starts with 169 is self-assigned.

Authentication by client IP address alone is sufficient.

Long passwords requiring letters, numbers, and symbols with a no-repeat policy and a 90-day maximum password age are very secure.

+1 for "We should drop all ICMP(v6) traffic." (Related: "I can't ping the box so it must be down.")

+1 for "NAT is security".

Regarding "DNS only uses UDP", I give out a technical test during interviews and one of the questions is basically "Use iptables to block incoming DNS traffic" and all applicants so far have only blocked UDP port 53.
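As an added example (not part of the post above), the "starts with 192 is private, starts with 169 is self-assigned" rule from the list is checked against the actual RFC 1918 and other special-use prefixes, extended to the IPv6 ranges as well; the sample addresses are constructed, and the class labels are this example's own.

```python
import ipaddress

# Special-use prefixes written out explicitly (RFC 1918, RFC 3927, RFC 5737,
# RFC 4193, RFC 4291) rather than relying on ipaddress' .is_private, which
# also returns True for the documentation ranges and so blurs the distinction.
CLASSES = [
    ("rfc1918-private", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    ("link-local",      ["169.254.0.0/16", "fe80::/10"]),
    ("loopback",        ["127.0.0.0/8", "::1/128"]),
    ("documentation",   ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
                         "2001:db8::/32"]),
    ("unique-local",    ["fc00::/7"]),
]
NETWORKS = [(label, ipaddress.ip_network(p)) for label, ps in CLASSES for p in ps]


def classify(addr: str) -> str:
    """Return the special-use class an address falls in, or 'global'."""
    ip = ipaddress.ip_address(addr)
    for label, net in NETWORKS:
        if ip.version == net.version and ip in net:
            return label
    return "global"


def first_octet_rule(addr: str) -> str:
    """The misconception as stated: first octet 192 => private, 169 => self-assigned."""
    first = addr.split(".")[0]
    return {"192": "rfc1918-private", "169": "link-local"}.get(first, "global")


def disagreements(addrs):
    """Addresses on which the first-octet rule and the prefix check differ."""
    return [a for a in addrs if first_octet_rule(a) != classify(a)]


SAMPLE = [  # constructed sample addresses, not taken from any real network
    "192.168.1.10",    # RFC 1918: the rule happens to be right here
    "192.0.2.1",       # TEST-NET-1 documentation range, not RFC 1918
    "192.1.2.3",       # ordinary global unicast despite the leading 192
    "169.254.10.20",   # link-local (APIPA): rule right
    "169.1.2.3",       # ordinary global unicast, not self-assigned
    "172.31.255.254",  # RFC 1918 (172.16/12): the rule misses it entirely
    "172.32.0.1",      # one past 172.16/12: global
    "10.20.30.40",     # RFC 1918: missed by the rule as well
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(f"{a:16} rule={first_octet_rule(a):16} actual={classify(a)}")
    print("rule wrong for:", disagreements(SAMPLE))
```

The same classify() is what a log filter or ACL generator should use instead of an octet prefix; the IPv6 documentation prefix from the post (2001:db8::5) classifies as "documentation".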