nanog mailing list archives
Re: Looking for comments
From: Owen DeLong <owen () delong com>
Date: Wed, 21 Jul 2010 20:37:12 -0700
There is a third major challenge to dual-stack that isn't addressed in the document: differing network security models that must deliver the same result for the same collection of hosts regardless of whether IPv4 or v6 is selected. I can throw a COTS d-link box with address-overloaded NAT on a connection and have reasonably effective network security and anonymity in IPv4. Achieving comparable results in the IPv6 portion of the dual stack on each of those hosts is complicated at best.
Actually, it isn't particularly hard at all... Turn on privacy addressing on each of the hosts (if it isn't on by default) and then put a Linux firewall in front of them with a relatively simple ip6tables configuration for outbound only. (The Linux firewall could be as simple as a WRT-54G running dd-wrt or such).
Owen
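The setup described in this reply, sketched as an added example that is not part of the original message or the poster's own configuration: a shell function that emits an outbound-only ruleset in ip6tables-restore format, plus the sysctl lines that turn on privacy addressing on a Linux host. The interface names (eth0 for WAN, br0 for LAN), the function names, and the neighbour-discovery allowances for the router itself are assumptions.

```shell
#!/bin/sh
# Added example: emit an outbound-only IPv6 ruleset in ip6tables-restore format.
# Apply on the router (as root) with:  build_ruleset eth0 br0 | ip6tables-restore
# eth0 (WAN) and br0 (LAN) are assumed interface names.

# sysctl.d lines enabling temporary (privacy) addresses on a Linux host:
# 2 = generate temporary addresses and prefer them for outgoing connections.
privacy_sysctl() {
    for scope in all default; do
        printf 'net.ipv6.conf.%s.use_tempaddr = 2\n' "$scope"
    done
}

# build_ruleset WAN_IF LAN_IF : ruleset on stdout, non-zero status on bad input.
build_ruleset() {
    wan=$1; lan=$2
    for ifname in "$wan" "$lan"; do
        case $ifname in
            ''|*[!A-Za-z0-9._-]*)
                echo "bad interface name: '$ifname'" >&2; return 1 ;;
        esac
    done
    if [ "$wan" = "$lan" ]; then
        echo "WAN and LAN interfaces must differ" >&2; return 1
    fi
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '# Router itself: loopback and replies to its own traffic' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Neighbour discovery (RS, RA, NS, NA) must reach the router or IPv6 stops
    # working; genuine on-link ND packets always arrive with hop limit 255.
    for t in 133 134 135 136; do
        printf '%s\n' "-A INPUT -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done
    # Hosts behind the router: replies (and related ICMPv6 errors such as
    # Packet Too Big) come in; new connections are accepted only LAN -> WAN.
    printf '%s\n' \
        '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        "-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT" \
        'COMMIT'
}
```

The default DROP policy on FORWARD is what gives the inbound behaviour a NAT box provides as a side effect; the hosts keep globally routable addresses, and the temporary addresses rotate what outside parties see.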