Re: misunderstanding scale (was: Ipv4 end, its fake.)

[Cb B <cb.list6 () gmail com>]

On Sun, Mar 23, 2014 at 11:27 AM, Philip Dorr <tagno25 () gmail com> wrote:
> On Mar 23, 2014 1:11 PM, "Mark Tinka" <mark.tinka () seacom mu> wrote:
> > On Sunday, March 23, 2014 06:57:26 PM Mark Andrews wrote:
> >
> > > I was at work last week and because I have IPv6 at both
> > > ends I could just log into the machines at home as
> > > easily as if I was there. When I'm stuck using a IPv4
> > > only service on the road I have to jump through lots of
> > > hoops to reach the internal machines.
> >
> > I expect this to change little in the enterprise space. I
> > think use of ULA and NAT66 will be one of the things
> > enterprises will push for, because how can a printer have a
> > public IPv6 address that is reachable directly from the
> > Internet, despite the fact that there is a properly
> > configured firewall at the perimetre offering half-decent
> > protection?
>
> That is what a firewall is for.  Drop new inbound connections, allow
> related, and allow outbound.  Then you allow specific IP/ports to have
> inbound traffic.  You may also only allow outbound traffic for specific
> ports, or from your proxy.

i would say the more appropriate place for this policy is the printer,
not a firewall.  For example, maybe a  printer should only be ULA or
LLA by default.

i would hate for people to think that a middle box is required, when
the best place to provide security is in the host.  Other layers are
needed as required, but it is sad that we don't look to the host it
self as a first step.

CB