nanog mailing list archives
Re: Pointer for documentation on actually delivering IPv6
From: Joe Greco <jgreco () ns sol net>
Date: Mon, 6 Dec 2010 10:08:16 -0600 (CST)
> First, let's clarify things a bit. I don't think unintended routing is what concerns your IT guys. After all, even with the NAT box today, there's routing from the outside to the inside. It's just controlled by stateful inspection.
It might be better stated differently. With NAT, routing from the outside to the inside is controlled by stateful inspection and also by internal policy. In what we usually mean as IPv4 NAT in today's usage, there is not supposed to be a way for an outside attacker to target a particular inside destination, even if its address were known. 1918 space isn't globally routed and the "real" external IP address is the only thing your firewall has to go on; internal policy controls what happens to unsolicited traffic.

With IPv6 and a stateful firewall, an outside attacker gains the ability to address devices within your network, even if he is unable to actually cause packets to arrive at that target thanks to your firewall. There's a fundamental difference here that scares some people. They fear an inadvertent dropping of their stateful firewall ruleset, for example, or maybe even bypassing of the firewall through misconfig or other perils at the network level.

You won't make much progress on these fears because there's genuinely something to them.

What we really need are killer IPv6 apps that can't easily be NAT'd. :-)

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
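The failure-mode difference Joe describes (an IPv4 NAT box that loses its state has nowhere to deliver unsolicited packets, while an IPv6 stateful firewall that loses its ruleset simply forwards them) can be made concrete with a small model. The following is an added example written for this archive page, not code from the thread or from any product. It models a NAPT box and a conntrack-style IPv6 filter as plain Python classes; the addresses (192.0.2.0/24, 203.0.113.0/24, 2001:db8::/32 documentation space and RFC 1918 192.168.0.0/16) and the port numbers are constructed for the illustration, and real conntrack handles far more (ICMP, timeouts, helpers) than this toy does.

```python
"""Model: what an unsolicited inbound packet can reach behind IPv4 NAT vs. an IPv6 stateful
firewall, before and after the box loses its rules/state. Added example; addresses and
ports are constructed (documentation prefixes and RFC 1918 space)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatBox:
    """IPv4 NAPT. Inside hosts use RFC 1918 space; the only address the outside world can
    put in a destination field is `external`. `policy` is what the box would do with
    unsolicited traffic, and the point is that it never actually matters."""
    external: str
    policy: str = "drop"
    table: dict = field(default_factory=dict)  # (peer_ip, peer_port, ext_port) -> (inside_ip, inside_port)
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Inside host opens a flow: allocate an external port, record the translation."""
        ext_port = self.next_port
        self.next_port += 1
        self.table[(pkt.dst, pkt.dport, ext_port)] = (pkt.src, pkt.sport)
        return Packet(self.external, ext_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Packet from outside. Returns the (inside_ip, inside_port) it is delivered to, or None."""
        if pkt.dst != self.external:
            return None  # an RFC 1918 destination is not globally routed; it never arrives here
        entry = self.table.get((pkt.src, pkt.sport, pkt.dport))
        if entry is None:
            return None  # no translation exists: nothing to deliver to, whatever `policy` says
        return entry

    def flush(self) -> None:
        """Lose all state. Still fails closed: there is no inside address to forward to."""
        self.table.clear()


@dataclass
class StatefulV6Firewall:
    """IPv6 with global addresses inside. Unsolicited inbound is stopped only by `policy`;
    `policy == "accept"` models a flushed or mis-applied ruleset (forwarding left on)."""
    inside: ipaddress.IPv6Network
    policy: str = "drop"
    conntrack: set = field(default_factory=set)  # (inside_ip, inside_port, peer_ip, peer_port)

    def outbound(self, pkt: Packet) -> Packet:
        """No translation: the peer sees the inside host's own global address."""
        self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt

    def inbound(self, pkt: Packet):
        """Packet from outside addressed directly to an inside host."""
        if ipaddress.ip_address(pkt.dst) not in self.inside:
            return None  # not ours
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return (pkt.dst, pkt.dport)  # reply to an established flow
        if self.policy == "accept":
            return (pkt.dst, pkt.dport)  # fails open: the target is reachable
        return None

    def flush_ruleset(self) -> None:
        """Losing the ruleset on a forwarding box means no chain, no default drop."""
        self.conntrack.clear()
        self.policy = "accept"


def scenario() -> dict:
    """Run the same three probes against each box and collect where the packet lands."""
    results = {}
    attacker4, inside4 = "203.0.113.9", "192.168.10.20"
    nat = NatBox(external="192.0.2.1")
    results["nat_unsolicited"] = nat.inbound(Packet(attacker4, 12345, inside4, 22))
    out = nat.outbound(Packet(inside4, 50000, attacker4, 443))
    results["nat_reply"] = nat.inbound(Packet(attacker4, 443, out.src, out.sport))
    nat.flush()
    results["nat_after_flush"] = nat.inbound(Packet(attacker4, 12345, nat.external, 22))

    attacker6, inside6 = "2001:db8:ffff::9", "2001:db8:1::20"
    fw = StatefulV6Firewall(inside=ipaddress.ip_network("2001:db8:1::/48"))
    results["v6_unsolicited"] = fw.inbound(Packet(attacker6, 12345, inside6, 22))
    fw.outbound(Packet(inside6, 50000, attacker6, 443))
    results["v6_reply"] = fw.inbound(Packet(attacker6, 443, inside6, 50000))
    fw.flush_ruleset()
    results["v6_after_flush"] = fw.inbound(Packet(attacker6, 12345, inside6, 22))
    return results


if __name__ == "__main__":
    for name, landed in scenario().items():
        print(f"{name:18s} -> {landed}")
```

Both boxes behave identically while their state is intact: unsolicited probes are dropped and replies to established flows get through. The divergence is `nat_after_flush` versus `v6_after_flush`: the NAT box cannot deliver a packet it has no mapping for, whereas the IPv6 filter, once its default-drop policy is gone, hands the probe straight to the inside host. That is the operational argument for making an IPv6 border filter fail closed (default policy drop on the forward chain, and forwarding disabled unless the ruleset is loaded) rather than relying on rules that may not be there.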