[170218] in North American Network Operators' Group
RE: misunderstanding scale
daemon@ATHENA.MIT.EDU (Alexander Lopez)
Tue Mar 25 01:28:13 2014
From: Alexander Lopez <alex.lopez@opsys.com>
To: "Naslund, Steve" <SNaslund@medline.com>
Date: Tue, 25 Mar 2014 05:25:31 +0000
In-Reply-To: <9578293AE169674F9A048B2BC9A081B4B5422604@MUNPRDMBXA1.medline.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
> -----Original Message-----
> From: Naslund, Steve [mailto:SNaslund@medline.com]
> Sent: Monday, March 24, 2014 10:48 PM
> To: Owen DeLong; mark.tinka@seacom.mu
> Cc: nanog@nanog.org
> Subject: RE: misunderstanding scale
>
> Look at it this way. If I see an attack coming from behind your NAT, I'm gonna
> deny all traffic coming from your NAT block until you assure me you have it
> fixed because I have no way of knowing which host it is coming from. Now
> your whole network is unreachable. If you have a compromised GUA host I
> can block only him. Better for both of us, no?
That is assuming that the infected piece does not request another address in the /64, and that the person blocking at the target end blocks a /128 instead of the /64.
>
> How about a single host spamming behind your NAT blocking your entire
> corporate public network from email services? Anyone ever see that one?
> IPv6 GUAs allow us to use fly swatters instead of sledgehammers to deal
> with that.
I don't want to try to even think about SMTP on IPv6. Reputation of email servers as well as the whole thought process of spam control rely on a list of IP addresses.
IPv6 adds an entirely new aspect to it.
>
> Maybe GUAs will convince (scare) more enterprise users to actually treat the
> internal network as an environment that needs to be secured as well. We
> can only hope.
>
Most enterprise admins segment their BYOD (wifi) network from the production network. Some will even use a different WAN IP for the wifi network or at a minimum block outbound requests to well known service ports.
I generally see where the only outbound connections allowed are http and https. All other ports are blocked.
> Steven Naslund
>
>
> >>Bzzzt... But thanks for playing.
>
> >>An IPv6 host with a GUA behind a stateful firewall with default deny is
> every bit as secure as an IPv4 host with an RFC-1918 address behind a NAT44
> gateway.
I can't argue there.....
>
> >>Owen
>
>
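An added example (not part of this thread) in Python, illustrating the /128-versus-/64 point raised above with constructed documentation-prefix addresses: blocking the single offending address misses the host once it picks another address in the same /64, while blocking the /64 catches it but also covers every other host in that /64.

```python
"""Constructed example: compare blocking a single IPv6 /128 with blocking
the covering /64 when the offending host later uses a different address
from the same /64. All addresses are made up (2001:db8::/32 documentation
prefix); nothing here comes from the mailing-list thread itself."""
import ipaddress
from typing import Iterable

def covering_block(addr: str, prefixlen: int) -> ipaddress.IPv6Network:
    """Network of the given prefix length that contains addr.
    128 blocks only that host; 64 blocks the whole pool of addresses
    (SLAAC, privacy extensions, manual) the host can draw from."""
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)

def is_blocked(addr: str, blocklist: Iterable[ipaddress.IPv6Network]) -> bool:
    """True if addr falls inside any network on the blocklist."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in blocklist)

def coverage(offender: str, later_addrs: list, prefixlen: int) -> list:
    """Block the offender at prefixlen, then report which of the addresses
    seen afterwards are still caught by that single blocklist entry."""
    blocklist = [covering_block(offender, prefixlen)]
    return [is_blocked(a, blocklist) for a in later_addrs]

# Constructed scenario: the offender renumbers within its /64; a bystander
# shares that /64; a neighbouring /64 should be untouched either way.
OFFENDER = "2001:db8:1:2:a1b2:c3d4:e5f6:1"
OFFENDER_NEW_ADDRS = ["2001:db8:1:2:1234:5678:9abc:def0", "2001:db8:1:2::beef"]
BYSTANDER = "2001:db8:1:2::ffff"
OTHER_SUBNET = "2001:db8:1:3::1"

def summary() -> dict:
    """Side-by-side outcome of the two blocking granularities."""
    return {
        "host_block_catches_renumbered": coverage(OFFENDER, OFFENDER_NEW_ADDRS, 128),
        "prefix_block_catches_renumbered": coverage(OFFENDER, OFFENDER_NEW_ADDRS, 64),
        "prefix_block_hits_bystander": coverage(OFFENDER, [BYSTANDER], 64)[0],
        "prefix_block_hits_other_subnet": coverage(OFFENDER, [OTHER_SUBNET], 64)[0],
    }

if __name__ == "__main__":
    for name, result in summary().items():
        print(f"{name}: {result}")
```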