nanog mailing list archives
Re: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space
From: Owen DeLong <owen () delong com>
Date: Fri, 6 Feb 2009 19:32:10 -0800
On Feb 6, 2009, at 7:06 PM, Matthew Moyle-Croft wrote:
> Stephen Sprunk wrote:
>
> It's also worth pointing out that CPE for DSL often has really poor stateful firewall code. So often turning it off means fewer issues for home users. At least NAT gives some semblance of protection. IPv6 without NAT might be awesome to some, but the reality is CPE is built to a price and decent firewall code is thin on the ground. I'm not hopeful of it getting better when IPv6 starts to become mainstream.
>
>> You must be very sheltered. Most end users, even "security" folks at major corporations, think a NAT box is a firewall and disabling NAT is inherently less secure. Part of that is factual: NAT (er, dynamic PAT) devices are inherently fail-closed because of their design, while a firewall might fail open. Also, NAT prevents some information leakage by hiding the internal details of the site's network, and many folks place a high value on "security" through obscurity. This is understandable, since the real threats -- uneducated users and flawed software -- are ones they have no power to fix.
IPTables is decent firewall code. It's free. I don't buy that argument for a second.

Further, since more and more CPE is being built on embedded Linux, there's no reason that IPTables isn't a perfectly valid approach to the underlying firewall code.
Owen
> (In case it's not clear - I'm not talking about enterprise stuff - I'm talking about CPE for domestic DSL/Cable users - please don't tell me all about how cool NetScreen/PIX/ASA/<insert favourite fw> is for enterprise).
>
> MMC
> --
> Matthew Moyle-Croft - Internode/Agile - Networks
> Level 4, 150 Grenfell Street, Adelaide, SA 5000 Australia
> Email: mmc () internode com au   Web: http://www.on.net
> Direct: +61-8-8228-2909   Mobile: +61-419-900-366
> Reception: +61-8-8228-2999   Fax: +61-8-8235-6909
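The point at issue in this exchange is whether an IPv6 CPE can give home users the fail-closed, "only replies come back in" behaviour they are used to getting from IPv4 NAT, using nothing more than the iptables code already in embedded Linux. The script below is an added example written for this archive page; it is not code posted by Owen DeLong, Matthew Moyle-Croft or Stephen Sprunk, nor any vendor's firmware. It emits a default-deny stateful ruleset in ip6tables-restore format and loads it atomically. The interface names (ppp0 for WAN, br0 for LAN), the LAN host 2001:db8:1::10 (RFC 3849 documentation prefix) used for a single inbound pinhole, and the rate limits are assumptions of the example, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): a default-deny, stateful IPv6 ruleset
# for a Linux CPE, emitted in ip6tables-restore format so it loads atomically.
# Assumptions: WAN is ppp0, LAN bridge is br0, and 2001:db8:1::10 (RFC 3849
# documentation prefix) is a LAN host that gets one inbound pinhole.

WAN="${WAN:-ppp0}"
LAN="${LAN:-br0}"
PINHOLE_HOST="${PINHOLE_HOST:-2001:db8:1::10}"

# Print the ruleset. Nothing is applied here; see apply_ip6_cpe_rules.
gen_ip6_cpe_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ICMPV6_FWD - [0:0]
# Connection tracking is the part of NAT's "protection" that actually matters:
# only packets belonging to a flow the inside opened are let back in.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN -j ACCEPT
# Neighbour discovery and RAs from the upstream link are link-local and must
# arrive with hop limit 255 (RFC 4861); anything else is spoofed or misrouted.
-A INPUT -i $WAN -p ipv6-icmp --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i $WAN -p ipv6-icmp --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i $WAN -p ipv6-icmp --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
# ICMPv6 errors addressed to the router itself, plus rate-limited ping.
-A INPUT -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 10/second -j ACCEPT
# DHCPv6 (prefix delegation) replies from the ISP: server port 547 to client 546.
-A INPUT -i $WAN -p udp --sport 547 --dport 546 -j ACCEPT
# LAN initiates anything; WAN may only initiate into the LAN through the
# ICMPv6 whitelist below or an explicit pinhole. The FORWARD policy is DROP,
# so a packet that matches nothing here is discarded, as it would be with NAT.
-A FORWARD -i $LAN -o $WAN -j ACCEPT
-A FORWARD -i $WAN -o $LAN -p ipv6-icmp -j ICMPV6_FWD
-A FORWARD -i $WAN -o $LAN -d $PINHOLE_HOST -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Transit ICMPv6 that must not be blocked (RFC 4890 section 4.3.1): drop these
# and path MTU discovery breaks, because IPv6 routers never fragment.
-A ICMPV6_FWD -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A ICMPV6_FWD -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A ICMPV6_FWD -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A ICMPV6_FWD -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
-A ICMPV6_FWD -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 10/second -j ACCEPT
-A ICMPV6_FWD -j DROP
COMMIT
EOF
}

# Load the ruleset on the router. ip6tables-restore replaces the whole table in
# one commit, and forwarding stays off until that commit succeeds, so a rejected
# ruleset leaves the box closed rather than open.
apply_ip6_cpe_rules() {
    sysctl -q -w net.ipv6.conf.all.forwarding=0 || return 1
    if gen_ip6_cpe_rules | ip6tables-restore; then
        sysctl -q -w net.ipv6.conf.all.forwarding=1
    else
        echo "ip6tables-restore rejected the ruleset; forwarding left disabled" >&2
        return 1
    fi
}

# Number of rules that let the WAN side open a new flow into the LAN (pinholes).
# Useful as an audit check: more than you expect means a misconfiguration.
count_wan_to_lan_pinholes() {
    gen_ip6_cpe_rules | grep -c -- "-A FORWARD -i $WAN -o $LAN .*--ctstate NEW"
}

# Run with --show to inspect the generated policy without applying it.
if [ "${1:-}" = "--show" ]; then gen_ip6_cpe_rules; fi
```

Two things in this ruleset are what a NAT-only IPv4 box never forced anyone to think about, and they are where a cheap IPv6 CPE is most likely to get the "just turn the firewall off" treatment: the ICMPv6 whitelist (packet-too-big in particular, since blocking it silently breaks path MTU discovery for every LAN host) and the ordering in apply_ip6_cpe_rules, which keeps forwarding disabled until the atomic restore has succeeded so that a bad ruleset fails closed, which is the property Stephen Sprunk credits NAT with.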