nanog mailing list archives

Re: Dynamic IP log retention = 0?


From: Joe Greco <jgreco () ns sol net>
Date: Wed, 11 Mar 2009 16:46:54 -0600 (CST)

On Wed, 11 Mar 2009, Joe Greco wrote:
In our neighbourhood, we don't have a high crime rate.  Despite that,
if we saw someone walking from house to house, trying doorknobs, we'd
call the cops.  The fact that everyone has locks on their doors does
not make it all right for someone to go around from house to house to
see if they're all locked.

  However, it's not illegal, AFAIK.  It's only illegal if you enter.  Either
  that, or I'm gonna go prosecute some Girl Scouts.

It may not be technically illegal, but I'd bet hard cash that our local
cops would find a way to put you in cuffs and haul you in.  Girl Scouts
are probably going to be treated a bit differently than random adults who
have no reasonable explanation for trying the knobs.  Girl Scouts could
possibly be excused as not knowing any better.

  More relatedly, is there some sort of obligation with IPv6 to move all of
  your NAT'ed hosts away from NAT? 

No.  There's also no obligation with a loaded shotgun to not point it at
your foot.  You can do it, you can pull the trigger.

NAT has many drawbacks, especially including a whole bunch of shortcomings
where workarounds are required for various protocols due to our insistence
on inflicting the brokenness of NAT on the world.  These are all well
documented.

http://www.circleid.com/posts/nat_just_say_no/

etc.

  Just because you can doesn't make it a
  good idea.  I agree, NAT != security, but it does give one a single point
  to manage those hosts behind it.

So's a firewall.  Nobody is suggesting that we throw out the baby with 
the bathwater.  But the bathwater's old and stinky, and is a severe
impediment to growth at this point.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
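The stateful firewall the reply points to, as an added example that is not part of the thread: an nftables ruleset for an IPv6 router that keeps the "single point to manage" the NAT argument wants, without NAT. The interface names lan0/wan0 and the published host address are assumptions (2001:db8::/32 is the documentation prefix).

```nftables
# Added example (not from the thread). Assumed interfaces: lan0 = inside, wan0 = upstream.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that inside hosts opened: this is the only
        # "protection" NAT ever gave, made explicit here.
        ct state established,related accept

        # Packets that do not belong to any tracked connection
        ct state invalid drop

        # Inside hosts may initiate outbound
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 that end-to-end IPv6 depends on (PMTU discovery, diagnostics).
        # Neighbour Discovery is link-local and never forwarded, so it is not listed.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request } accept

        # Inbound exceptions are managed in one place, per host and port.
        # Assumed address of one published web server.
        iifname "wan0" ip6 daddr 2001:db8:1::10 tcp dport 443 accept
    }
}
```

Every inside host keeps its global address, so protocols that needed NAT workarounds work end to end, while nothing reaches them inbound unless listed in this chain.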

