[170122] in North American Network Operators' Group


RE: misunderstanding scale

daemon@ATHENA.MIT.EDU (Naslund, Steve)
Mon Mar 24 13:02:13 2014

From: "Naslund, Steve" <SNaslund@medline.com>
To: "mark.tinka@seacom.mu" <mark.tinka@seacom.mu>, Timothy Morizot
 <tmorizot@gmail.com>
Date: Mon, 24 Mar 2014 16:53:47 +0000
In-Reply-To: <201403241835.19186.mark.tinka@seacom.mu>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

If they have a stateful IPv6 firewall (which they should and which most firewall vendors support), they already have what they need to prevent their internal systems from being accessible from the outside.  If you are an enterprise and you don't have a stateful firewall, you are in trouble from a security standpoint whether you run v4 or v6.  If you cannot configure a stateful firewall to block connections being initiated from outside, you are not qualified to be working with the firewall; v4 or v6 does not matter.  If someone is relying on NAT in case their firewall is misconfigured, they have major issues with security.

In the home, I am not sure what the major issue is there either.  How many CPE devices have you seen that do not implement basic firewall functionality?  People may not use them correctly but that is no more an issue with v6 than it is with v4.  Most CPE even comes out of the box blocking inbound connections by default.

Steve


-----Original Message-----
From: Mark Tinka [mailto:mark.tinka@seacom.mu]
Sent: Monday, March 24, 2014 11:35 AM
To: Timothy Morizot
Cc: NANOG list
Subject: Re: misunderstanding scale


>>Don't disagree with you there.

>>I'm saying many an enterprise (small and large) as well as homes operate this way. There is a lot of unlearning to do.

>>The whole issue is that a number of enterprises "may" only feel safe if IPv6 comes with NAT66, probably on top (or not on top) of a stateful IPv6 firewall.

>>We need to think about how to re-train the enterprise, if we don't want to repeat the erasure of the end-to-end model, second time around.

>>Mark.
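As an added example that is not part of the thread: the setup Steve describes, a stateful IPv6 firewall that lets inside hosts initiate connections and blocks anything initiated from outside, with no NAT66 involved, written as an nftables ruleset for a CPE or edge router. The interface names wan0/lan0 and the 2001:db8:: address are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the NANOG thread): minimal stateful IPv6 forward
# filter. Interface names wan0/lan0 and the documentation-prefix address
# 2001:db8::80 are assumptions; adjust to the real deployment.
flush ruleset

table ip6 edge {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Stateful core: packets belonging to a flow the inside started
        # (or related to one, e.g. ICMPv6 errors for it) are allowed back.
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may open new flows toward the outside.
        iifname "lan0" oifname "wan0" ct state new accept

        # The v6-specific caveat: ICMPv6 carries Path MTU Discovery and other
        # error signalling; dropping it wholesale "for safety" breaks
        # connectivity. Neighbor Discovery is link-local and is never
        # forwarded, so only these cross-network types matter here.
        iifname "wan0" icmpv6 type { destination-unreachable, packet-too-big,
                                     time-exceeded, parameter-problem } accept
        iifname "wan0" icmpv6 type echo-request limit rate 10/second accept

        # Every other outside-initiated connection falls to the drop policy.
        # Exposing one internal service is an explicit, auditable pinhole,
        # the same as it would be with a v4 port-forward:
        # iifname "wan0" ip6 daddr 2001:db8::80 tcp dport 443 ct state new accept
    }
}
```

Load with `nft -f` and confirm with `nft list ruleset`; the same pattern on an `input` hook protects a single host.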

