[167169] in North American Network Operators' Group
Re: AT&T UVERSE Native IPv6, a HOWTO
daemon@ATHENA.MIT.EDU (Owen DeLong)
Mon Dec 2 22:10:19 2013
From: Owen DeLong <owen@delong.com>
In-Reply-To: <op.w7hurezttfhldh@rbeam.xactional.com>
Date: Mon, 2 Dec 2013 19:02:39 -0800
To: Ricky Beam <jfbeam@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Dec 2, 2013, at 18:05 , Ricky Beam <jfbeam@gmail.com> wrote:
> On Mon, 02 Dec 2013 20:18:08 -0500, Owen DeLong <owen@delong.com> wrote:
>> You don't, but it's easy enough for Windows to do discovery and/or negotiation for firewall holes with multicast and avoid making
> ...
>
> Actually, your process still makes a very dangerous assumption... you have to assume the address passed via multicast is, in fact, a local address. Since it is necessarily outside your prefix, you have to either make assumptions about what is "close" to your prefix -- assumes the site is contiguous, or trust any address passed to you. Hackers will have fun screwing up your firewall rules and potentially breaking into your servers. (if you're foolish enough to not have any other layers in your network, which is likely with home networks.)
>
Not really... First of all, domain or other Windows authentication could be used to validate the request.
Second, if it's site-scope multicast, unless both your ISP _AND_ your own router are doing something wrong, it shouldn't get forwarded into your site from outside.
>> ... They can't get away with flat out saying no...
>
> Says who? TWC has been saying "no" for years. (unless I'm mistaken, "always".)
No, they've said "get a business connection." Close to "no", but not identical.
Owen
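The three checks argued over above (site-scope multicast only, advertised address inside a known local prefix, and an authenticated request), as an added illustration that is not part of this thread or of any Windows mechanism; the request format, the local prefix list, the shared key and the HMAC stand-in for domain authentication are all constructed assumptions.

```python
import hmac
import hashlib
import ipaddress

# Constructed configuration for the example: the prefixes this site knows are its own,
# and a shared key standing in for the domain/Windows authentication Owen mentions.
LOCAL_PREFIXES = [ipaddress.ip_network("2001:db8:10::/48")]
SHARED_KEY = b"constructed-demo-key"


def multicast_scope(addr):
    """Return the 4-bit scope field of an IPv6 multicast address (RFC 4291), or None."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        return None
    # ff0X::/16 -- the low nibble of the second byte is the scope (2 = link, 5 = site, e = global).
    return a.packed[1] & 0x0F


def sign_request(advertised_addr, port):
    """Authenticator a legitimate host would attach (stand-in for real auth)."""
    msg = f"{advertised_addr}|{port}".encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def validate_hole_request(dst_group, advertised_addr, port, tag):
    """Accept a firewall-hole request only if every condition from the thread holds."""
    # 1. Site-scope (5) only: a wider scope could have been forwarded in from outside the site.
    if multicast_scope(dst_group) != 5:
        return (False, "not site-scope multicast")
    # 2. Ricky's objection: never trust an address you cannot place inside your own prefixes.
    addr = ipaddress.IPv6Address(advertised_addr)
    if not any(addr in p for p in LOCAL_PREFIXES):
        return (False, "advertised address outside local prefixes")
    # 3. Owen's answer: authenticate the request before touching firewall rules.
    expected = sign_request(advertised_addr, port)
    if not hmac.compare_digest(expected, tag):
        return (False, "bad authenticator")
    return (True, "ok")


if __name__ == "__main__":
    good = sign_request("2001:db8:10::5", 3389)
    print(validate_hole_request("ff05::1", "2001:db8:10::5", 3389, good))
    print(validate_hole_request("ff0e::1", "2001:db8:10::5", 3389, good))
    print(validate_hole_request("ff05::1", "2001:db8:99::5", 3389, good))
```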