[184539] in North American Network Operators' Group


Re: /27 the new /24

daemon@ATHENA.MIT.EDU (tim@pelican.org)
Wed Oct 7 10:20:32 2015

X-Original-To: nanog@nanog.org
Date: Wed, 7 Oct 2015 15:18:11 +0100 (BST)
From: "tim@pelican.org" <tim@pelican.org>
To: nanog@nanog.org
In-Reply-To: <7556F5B2-A9CF-4654-893E-007312C2B4EC@delong.com>
Errors-To: nanog-bounces@nanog.org

On Wednesday, 7 October, 2015 12:54, "Owen DeLong" <owen@delong.com> said:

> There are some important differences for ICMP (don’t break PMTU-D or ND),
> but otherwise, really not much difference between your IPv4 security policy and
> your IPv6 security policy.

The IPv4 world would have been nicer without quite so much of the "ICMP is eeeeeeeeevil!" nonsense, but agreed, it's somewhat more fundamental in IPv6.

> In fact, on my linux box, I generate my IPv4 iptables file using little more than
> a global search and replace on the IPv6 iptables configuration which replaces the
> IPv6 prefixes/addresses with the corresponding IPv4 prefixes/addresses. (My IPv6
> addresses for things that take incoming connections have an algorithmic map to
> IPv4 addresses for things that have them.)

Similarly for at least some supplied tools on top of iptables. 'ufw' Just Works with both - 'ufw allow 25/tcp' will insert the appropriate rule into both iptables and ip6tables, for example.

Regards,
Tim.

