[170195] in North American Network Operators' Group
Re: misunderstanding scale
daemon@ATHENA.MIT.EDU (Owen DeLong)
Mon Mar 24 22:21:30 2014
From: Owen DeLong <owen@delong.com>
In-Reply-To: <201403240838.27974.mark.tinka@seacom.mu>
Date: Mon, 24 Mar 2014 19:15:55 -0700
To: mark.tinka@seacom.mu
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mar 23, 2014, at 11:38 PM, Mark Tinka <mark.tinka@seacom.mu> wrote:
> On Sunday, March 23, 2014 09:35:31 PM Denis Fondras wrote:
>
>> When speaking of IPv6 deployment, I routinely hear about
>> host security. I feel like it should be stated that this
>> is *in no way* an IPv6 issue. May the device be ULA,
>> LLA, GUA or RFC1918-addressed, the device is at risk
>> anyway.
>>
>> If this is the only argument for delaying IPv6
>> deployment, this sounds more like FUD to me ;-)
>
> I guess it's no surprise that host security is not an IPv4
> or IPv6 issue.
>
> It's just that with IPv4, the majority of unclean and
> unupdated hosts have been living behind NAT44.
>
> In an ideal IPv6 world, all hosts have GUA's, and in this
> case, host security becomes a bigger problem, because now
> the host is directly accessible without a NAT66 in between
> (we hope).
>
> Mark.
Bzzzt… But thanks for playing.
An IPv6 host with a GUA behind a stateful firewall with default deny is every bit as secure as an IPv4 host with an RFC-1918 address behind a NAT44 gateway.
Owen
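
Added example, not part of the original message: a minimal model of the comparison made above, showing that in both cases the inbound decision comes from a state table built by outbound traffic, not from address translation. The class and function names are hypothetical, the addresses are constructed documentation values, and the NAT44 gateway is assumed to use address-and-port-dependent filtering.

```python
# Added illustration (not from the thread). Addresses are constructed
# documentation values; class and function names are hypothetical.

class Nat44Gateway:
    """NAT44 modelled with address-and-port-dependent filtering (assumption)."""
    def __init__(self, public_ip):
        self.public_ip, self.next_port = public_ip, 40000
        self.mappings = {}  # (public_port, remote_ip, remote_port) -> inside host

    def outbound(self, src, sport, dst, dport):
        port, self.next_port = self.next_port, self.next_port + 1
        self.mappings[(port, dst, dport)] = (src, sport)
        return (self.public_ip, port)  # source as seen by the remote end

    def inbound(self, src, sport, dst, dport):
        if dst != self.public_ip:
            return None  # not addressed to the gateway's public address
        return self.mappings.get((dport, src, sport))  # None means dropped


class StatefulFirewall6:
    """IPv6 forwarding firewall: default deny inbound, no translation."""
    def __init__(self):
        self.states = set()  # flows opened from the inside

    def outbound(self, src, sport, dst, dport):
        self.states.add((src, sport, dst, dport))
        return (src, sport)  # the GUA is left unchanged

    def inbound(self, src, sport, dst, dport):
        if (dst, dport, src, sport) in self.states:
            return (dst, dport)  # reply to a flow the inside host started
        return None  # default deny: unsolicited traffic is dropped


def compare():
    """Send a reply and an unsolicited probe through each gateway."""
    nat, fw = Nat44Gateway("198.51.100.1"), StatefulFirewall6()
    v4_src = nat.outbound("192.168.1.10", 5000, "203.0.113.5", 443)
    v6_src = fw.outbound("2001:db8:1::10", 5000, "2001:db8:ffff::5", 443)
    return {
        "nat44_reply": nat.inbound("203.0.113.5", 443, *v4_src),
        "fw6_reply": fw.inbound("2001:db8:ffff::5", 443, *v6_src),
        "nat44_probe": nat.inbound("203.0.113.99", 4444, *v4_src),
        "fw6_probe": fw.inbound("2001:db8:ffff::99", 4444, "2001:db8:1::10", 22),
    }

if __name__ == "__main__":
    for name, result in compare().items():
        print(name, "->", result or "DROPPED")
```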