nanog mailing list archives

Re: IPV6 renumbering painless?

From: "Alexei Roudnev" <alex () relcom net>
Date: Sat, 13 Nov 2004 19:32:02 -0800


Btw  - using Solaris + no_stack_exec + old ssl - appear to be 100% secure
from all random attacks (it can be broken - in theory, see articles from
'Solar designer' - but it is absolutely inpractical for hacking). I watched
such system (absolutely not patched, with apache and openssl, untouched for
3 years - we kept it as a honeypot - no single exploit). And if you add  IP
filter + non standard port protects your 100% even if your service have
broken library.

As a result - it is safer to run old openssl + filter + solaris, vs running
SuSe linux + automated upgrade + unfiltered openssl. It is wekk known
thing - want best security - do not use anything standard, customize
everything.

So, step 1 - filter;  step 2 -customize; and step 3 - update. Just updates
without first 2 steps are much more dangerous, vs no updates but first 2
steps.

PS. Why is it in IPv6 thread?  And why IP filtering is broken? Even
primitive firewall can do enough p[rotection to make any random packets
useless.

----- Original Message ----- 
From: "Christopher L. Morrow" <christopher.morrow () mci com>
To: "Iljitsch van Beijnum" <iljitsch () muada com>
Cc: "Henning Brauer" <hb-nanog () bsws de>; <nanog () merit edu>
Sent: Saturday, November 13, 2004 7:09 PM
Subject: Re: IPV6 renumbering painless?


On Sat, 13 Nov 2004, Iljitsch van Beijnum wrote:

On 13-nov-04, at 10:02, Henning Brauer wrote:

Filtering based on IP addresses is a broken concept.

I'm not a huge fan of sprinkling crypto over everything, but if you
want certain people to have access to some stuff and not others,
IPsec/SSL are the way to go.


there are things putting random packets over the network today, trying to
exploit services you might be using, or your customers might be using.
IPSEC everywhere is 'nice' but not horribly practical. SSL is nice, until
your SSL libraries have remotely exploitable DoS or root
vulnerabilities... how many times over the last 12 months has openssl been
upgraded due to 'security' issues?

Current thread:

Re: IPV6 renumbering painless?, (continued)
- - - Re: IPV6 renumbering painless? Paul Vixie (Nov 12)
    - Re: IPV6 renumbering painless? Owen DeLong (Nov 12)
    - Re: IPV6 renumbering painless? Daniel Roesen (Nov 12)
    - Re: IPV6 renumbering painless? Owen DeLong (Nov 13)
    - Re: IPV6 renumbering painless? Henning Brauer (Nov 13)
    - Re: IPV6 renumbering painless? Henning Brauer (Nov 13)
    - Re: IPV6 renumbering painless? Iljitsch van Beijnum (Nov 13)
    - Re: IPV6 renumbering painless? Henning Brauer (Nov 13)
    - Re: IPV6 renumbering painless? Owen DeLong (Nov 13)
    - Re: IPV6 renumbering painless? Christopher L. Morrow (Nov 13)
    - Re: IPV6 renumbering painless? Alexei Roudnev (Nov 13)
    - Re: IPV6 renumbering painless? Christopher L. Morrow (Nov 12)
    - Re: Important IPv6 Policy Issue -- Your Input Requested Randy Bush (Nov 11)
    - Re: Important IPv6 Policy Issue -- Your Input Requested Iljitsch van Beijnum (Nov 11)
    - Re: Important IPv6 Policy Issue -- Your Input Requested Adi Linden (Nov 15)
    - Re: Important IPv6 Policy Issue -- Your Input Requested Iljitsch van Beijnum (Nov 15)
    - Re: Important IPv6 Policy Issue -- Your Input Requested Måns Nilsson (Nov 11)
    - Re: Important IPv6 Policy Issue -- Your Input Requested Randy Bush (Nov 11)
    - RE: Important IPv6 Policy Issue -- Your Input Requested Tony Hain (Nov 11)
    - Re: Important IPv6 Policy Issue -- Your Input Requested Leo Bicknell (Nov 11)
    - Re: Important IPv6 Policy Issue -- Your Input Requested Joe Abley (Nov 11)

(Thread continues...)