nanog mailing list archives
Re: Assigning IPv6 /48's to CPE's?
From: Valdis.Kletnieks () vt edu
Date: Thu, 03 Jan 2008 23:57:49 -0500
On Thu, 03 Jan 2008 10:17:37 EST, William Herrin said:
In my ever so humble opinion, IPv6 will not reach significant penetration at the customer level until NAT has been thoroughly implemented. Corporate information security officers will insist. Here's the thing: a stateful non-NAT firewall is automatically less secure than a stateful translating firewall. Why? Because a mistake configuring a NAT firewall breaks the network causing everything to stop working while a mistake with a firewall that does no translation causes data to flow unfiltered. Humans being humans, mistakes will be made. The first failure mode is highly preferable.
Which is why, if your site has an *actual* clue, the deployed hosts *also* have their own iptables/ipfilters/whatever-windows-calls-it rulesets that say what hosts are allowed to talk to them. So on the server, I can do:

    ip6tables -A tcp-in ! -s 2001:468:c80::/48 -p tcp --dport 22 -j DROP

Now, even if our firewall guys fumble-finger something, I won't get SSH connections coming in from outside AS1312.

Of course, I can't talk about business pressures from customers that have incompetent security officers that don't understand stuff like multiple layers of defense...
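
Added example, not part of the original message: a Python check that the host-level backstop rule described above is actually present in a saved ruleset, and is not shadowed by an earlier open ACCEPT in the same chain. It assumes the rules are in `ip6tables -S` output format; the function names and the sample rule sets are constructed for illustration, while the tcp-in chain and the prefix come from the message.

```python
import ipaddress
import shlex

VALUE_OPTS = {"-s": "src", "--source": "src", "-p": "proto",
              "--protocol": "proto", "--dport": "dport", "-j": "target"}

def parse_rule(line):
    """Parse one `ip6tables -S` style line; return None unless it is an -A rule."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    rule = {"chain": tokens[1], "src": None, "src_negated": False,
            "proto": None, "dport": None, "target": None}
    negate, i = False, 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate = True          # applies to the next option only
        else:
            key = VALUE_OPTS.get(tok)
            if key and i + 1 < len(tokens):
                i += 1
                rule[key] = tokens[i]
                if key == "src":
                    rule["src"] = ipaddress.ip_network(tokens[i], strict=False)
                    rule["src_negated"] = negate
            negate = False
        i += 1
    return rule

def ssh_backstop_present(rules_text, allowed_prefix, chain="tcp-in", port=22):
    """True if `chain` drops TCP/port traffic from outside allowed_prefix
    before any rule in that chain accepts it from an unrestricted source."""
    allowed = ipaddress.ip_network(allowed_prefix)
    for line in rules_text.splitlines():
        rule = parse_rule(line.strip())
        if not rule or rule["chain"] != chain:
            continue
        if rule["proto"] != "tcp" or rule["dport"] != str(port):
            continue
        if rule["target"] == "ACCEPT" and rule["src"] is None:
            return False           # open ACCEPT shadows any later DROP
        if (rule["target"] in ("DROP", "REJECT") and rule["src_negated"]
                and rule["src"].subnet_of(allowed)):
            return True
    return False

# Constructed sample rule sets, not captured from a real host.
GOOD = "-N tcp-in\n-A tcp-in ! -s 2001:468:c80::/48 -p tcp -m tcp --dport 22 -j DROP\n"
SHADOWED = "-A tcp-in -p tcp -m tcp --dport 22 -j ACCEPT\n" + GOOD
MISSING = "-N tcp-in\n-A tcp-in -p tcp -m tcp --dport 80 -j ACCEPT\n"
```

The check only inspects the named chain; whether that chain is reached from INPUT has to be verified separately.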