[170172] in North American Network Operators' Group


Re: misunderstanding scale

daemon@ATHENA.MIT.EDU (hslabbert@stargate.ca)
Mon Mar 24 21:35:23 2014

Date: Mon, 24 Mar 2014 10:36:46 -0700
From: hslabbert@stargate.ca
To: nanog@nanog.org
In-Reply-To: <9578293AE169674F9A048B2BC9A081B4B54220DA@MUNPRDMBXA1.medline.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org



On 2014-03-24, "Naslund, Steve" <SNaslund@medline.com> wrote:
>If they have a stateful IPv6 firewall (which they should and which most firewall vendors support), they already have what they need to prevent their internal systems from being accessible from the outside.  If you are an enterprise and you don't have a stateful firewall, you are in trouble from a security standpoint whether you run v4 or v6.  If you cannot configure a stateful firewall to block connections being initiated from outside, you are not qualified to be working with the firewall, v4 or v6 does not matter.  If someone is relying on NAT in case their firewall is misconfigured, they have major issues with security.
>
>In the home, I am not sure what the major issue is there either.  How many CPE devices have you seen that do not implement basic firewall functionality?  People may not use them correctly but that is no more an issue with v6 than it is with v4.  Most CPE even comes out of the box blocking inbound connections by default.

Tell that to our little D-Link AP/router with stateless filters only for v6, and broken config options that make it impossible to apply even that to a tunnel interface (HE).

I agree with you on pushing v6 adoption and that at the root of it you should have a stateful firewall, be it v4 or v6, but:

- if this thread is any indication and as per your first paragraph, way too many orgs are depending on NAT as a security feature and v6 is exposing that weakness in their posture
- home CPE implementations are largely crap, and good luck getting a decent portion of them supporting (functional) stateful v6 firewalls

>
>Steve
>

--
Hugo

>
>-----Original Message-----
>From: Mark Tinka [mailto:mark.tinka@seacom.mu]
>Sent: Monday, March 24, 2014 11:35 AM
>To: Timothy Morizot
>Cc: NANOG list
>Subject: Re: misunderstanding scale
>
>
>>>Don't disagree with you there.
>
>>>I'm saying many an enterprise (small and large) as well as homes operate this way. There is a lot of unlearning to do.
>
>>>The whole issue is that a number of enterprises "may" only feel safe if IPv6 comes with NAT66, probably on top (or not on top) of a stateful IPv6 firewall.
>
>>>We need to think about how to re-train the enterprise, if we don't want to repeat the erasure of the end-to-end model, second time around.
>
>>>Mark.
>

-- 
Hugo Slabbert
Network Specialist
Phone: 604.606.4448
Email: hslabbert@stargate.ca

Stargate Connections Inc.
http://www.stargate.ca
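The stateful IPv6 firewall the thread says every site should have, including on a tunnel interface, as an added nftables ruleset (not part of the thread or of any vendor's CPE firmware). It assumes the WAN is `eth0`, the LAN bridge is `br-lan`, and the Hurricane Electric tunnel is a sit interface named `he-ipv6`; all three names are assumptions.

```nft
# Added example, not from the thread. Assumed interface names: eth0 (WAN),
# br-lan (LAN), he-ipv6 (HE sit tunnel). The IPv4 leg of the tunnel
# (protocol 41 from the HE endpoint) lives in a separate ip table, not shown.
table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept

        # The stateful core: replies to flows the inside opened are let back
        # in by connection tracking, so no port ever needs to be "forwarded".
        ct state established,related accept
        ct state invalid drop

        # IPv6 depends on ICMPv6 for neighbour discovery, router
        # advertisements and path MTU discovery; a v6 filter that drops
        # ICMPv6 wholesale breaks connectivity rather than securing it.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept

        # Anything else arriving from either upstream is a new inbound
        # connection and is dropped; the tunnel gets the same treatment as
        # native v6. (Policy drop already covers this; the rule is explicit
        # so the tunnel interface is visibly included.)
        iifname { "eth0", "he-ipv6" } ct state new drop

        # Hosts on the LAN may reach the router itself (DNS, SSH, etc.).
        iifname "br-lan" accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # ICMPv6 errors must be able to cross the router for PMTUD to work.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # LAN may initiate outbound over native v6 or the tunnel; nothing
        # from outside may initiate toward the LAN.
        iifname "br-lan" oifname { "eth0", "he-ipv6" } accept
    }
}
```

`nft -c -f ipv6-fw.nft` parses and checks the file without loading it, which is a useful sanity step before replacing a live ruleset.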



