nanog mailing list archives

Re: Looking for comments

From: Owen DeLong <owen () delong com>
Date: Wed, 21 Jul 2010 22:35:24 -0700


On Jul 21, 2010, at 9:58 PM, Franck Martin wrote:



----- Original Message -----

From: "Karl Auer" <kauer () biplane com au>
To: nanog () nanog org
Sent: Thursday, 22 July, 2010 4:24:59 PM
Subject: Re: Looking for comments
On Wed, 2010-07-21 at 20:37 -0700, Owen DeLong wrote:

I can throw a COTS d-link box with

address-overloaded NAT on a connection and have reasonably
effective
network security and anonymity in IPv4. Achieving comparable
results
in the IPv6 portion of the dual stack on each of those hosts is
complicated at best.

Actually, it isn't particularly hard at all... Turn on privacy
addressing
on each of the hosts (if it isn't on by default) and then put a
linux
firewall in front of them with a relatively simple ip6tables
configuration
for outbound only.


All respect to someone that knows his stuff, and I do realise that the
OP mentioned small-scale hardware, but in the wider world (and even
the
world of home users as seen from the carrier side) any solution that
says "do <whatever> on every host" is just not workable. As for the
Linux packet filter, that's an exercise for the advanced home user.

In a home environment where do X on every host isn't workable, it's
rare that every is more than 1, so, it's do X on THE host most of the
time.

Windows defaults to privacy addresses on by default, so, that also
takes care of most of the environments where people have minimal
understanding of technology.

It takes some effort (minimal) on Linux. I haven't investigated what
it takes on Mac.

Again, this only matters if you care about address obfuscation anyway,
which isn't really security, but, does provide some (minimal and ineffective)
aspects of privacy.

The packet filter doesn't have to be done on every host, just the gateway.

On Mac Airport Extreme it is "disallow outside to access internal machines", tick and it is done!


That takes care of the packet filter, but, it doesn't handle the stated
requirement for address obfuscation.

I question the value of address obfuscation, but, the people with that
religion will not give it up so I attempted to address the problem as
stated.

Owen

Current thread:

Looking for comments Fred Baker (Jul 21)
- Re: Looking for comments William Herrin (Jul 21)
  - Re: Looking for comments Owen DeLong (Jul 21)
    - Re: Looking for comments Karl Auer (Jul 21)
    - Re: Looking for comments Franck Martin (Jul 21)
    - Re: Looking for comments Owen DeLong (Jul 21)
    - Re: Looking for comments Franck Martin (Jul 21)
    - Re: Looking for comments William Herrin (Jul 22)
    - Re: Looking for comments Owen DeLong (Jul 22)
    - Re: Looking for comments William Herrin (Jul 22)
    - Re: Looking for comments Brian E Carpenter (Jul 22)
    - Re: Looking for comments Nick Hilliard (Jul 22)
    - Re: Looking for comments Mark Smith (Jul 22)
    - Re: Looking for comments Franck Martin (Jul 22)
    - Re: Looking for comments Nick Hilliard (Jul 23)
    - Re: Looking for comments Mark Smith (Jul 23)

(Thread continues...)