[170221] in North American Network Operators' Group


Re: misunderstanding scale

daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Mar 25 02:03:20 2014

From: Owen DeLong <owen@delong.com>
In-Reply-To: <CAK__KzvnHbPjcps5HHmwpbQvkM=w79U2gh=TRE6s=o_YFU_BtA@mail.gmail.com>
Date: Mon, 24 Mar 2014 23:02:16 -0700
To: George Herbert <george.herbert@gmail.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Mar 24, 2014, at 8:52 PM, George Herbert <george.herbert@gmail.com> wrote:

>
>
>
> On Mon, Mar 24, 2014 at 8:02 PM, Owen DeLong <owen@delong.com> wrote:
>
> On Mar 24, 2014, at 9:21 AM, William Herrin <bill@herrin.us> wrote:
>
> > On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve <SNaslund@medline.com> wrote:
> >> I am not sure I agree with the basic premise here.   NAT or Private addressing does not equal security.
> >
> > Hi Steve,
> >
> > It is your privilege to believe this and to practice it in the
> > networks you operate.
> >
> > Many of the folks you would have deploy IPv6 do not agree. They take
> > comfort in the mathematical impossibility of addressing an internal
> > host from an outside packet that is not part of an ongoing session.
> > These folks find that address-overloaded NAT provides a valuable
> > additional layer of security.
>
> Which impossibility has been disproven multiple times.
>
> > Some folks WANT to segregate their networks from the Internet via a
> > general-protocol transparent proxy. They've had this capability with
> > IPv4 for 20 years. IPv6 poorly addresses their requirement.
>
> Actually, there are multiple implementations of transparent proxies available
> for IPv6. NAT isn't the same thing at all.
>
> If you want to make your life difficult in IPv6, you can. Nobody prevents you from
> doing so. It is discouraged and non-sensical, but quite possible at this point.
>
> Owen
>
>
>
> Right.  fc00::/7 exists.  If you want to emulate your internal use of
> 10.0.0.0/8 plus NAT (or, proxies or load balancers or whatever) in your
> IPv6 implementation go ahead.  Putting in some robust filtering that if
> the fc00::/7 ever appears outside the internal gateway the traffic goes
> poof should be as easy as the equivalents for 10, 172.16, 192.168 …

More accurately fd00::/8. fc00::/8 was reserved for ULA coordinated which failed to gain consensus. While IETF did set aside the /7, only fd00::/8 has a legitimate documented purpose.

Owen
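The border filter George describes, with Owen's fd00::/8 versus fc00::/8 distinction made explicit, as an added example that is not part of the thread. It assumes a simple model in which the Internet-facing interface sees packets as (direction, src, dst) tuples; the sample flows are constructed.

```python
"""Check for ULA / RFC 1918 addresses leaking across an internal gateway."""
import ipaddress

# RFC 1918 ranges and their IPv6 counterparts. Only fd00::/8 (locally
# assigned ULA, RFC 4193) has a documented purpose; fc00::/8 was set aside
# for centrally coordinated ULA, which never reached consensus. Dropping the
# whole fc00::/7 at the border is the conservative choice; the classifier
# reports which half matched so the hit can be explained in a log.
PRIVATE_V4 = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA_LOCAL = ipaddress.ip_network("fd00::/8")
ULA_RESERVED = ipaddress.ip_network("fc00::/8")


def classify(addr: str) -> str:
    """Return 'rfc1918', 'ula', 'ula-reserved' or 'global' for an address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "rfc1918" if any(ip in n for n in PRIVATE_V4) else "global"
    if ip in ULA_LOCAL:
        return "ula"
    if ip in ULA_RESERVED:
        return "ula-reserved"
    return "global"


def border_verdict(direction: str, src: str, dst: str) -> str:
    """Verdict for a packet seen on the Internet-facing side of the gateway.

    direction is 'in' (from the Internet) or 'out' (toward the Internet).
    A private or ULA address in either position is dropped: outbound it is a
    leak of internal addressing, inbound it is spoofed or misrouted.
    """
    for addr in (src, dst):
        kind = classify(addr)
        if kind != "global":
            return f"drop ({direction}: {addr} is {kind})"
    return "accept"


# Constructed sample flows as seen on the external interface.
SAMPLE = [
    ("out", "fd12:3456:789a::10", "2001:db8::1"),
    ("in", "2001:db8::1", "fc00::1"),
    ("out", "10.1.2.3", "203.0.113.5"),
    ("out", "2001:db8:1::5", "2001:db8::1"),
]


def run(flows=SAMPLE):
    """Apply the border filter to each flow and return the verdicts."""
    return [border_verdict(*flow) for flow in flows]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE, run()):
        print(flow, "->", verdict)
```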

