nanog mailing list archives

Re: Common operational misconceptions

From: Ridwan Sami <rms2176 () columbia edu>
Date: Thu, 16 Feb 2012 21:35:03 -0500

End user devices will not benefit from end-to-end connectivity (e.g., globally routeable IPv4 addresses as opposed to being in a RFC1918 space behind NAT).

If I have a wildcard DNS record, *.example.edu AAAA 2001:db8::5, then adding in an explicit record, x.example.edu AAAA 2001:db8::5, will make no visible difference.

There is no legitimate reason for a user to use BitTorrent (someone will probably disagree with this).

Our organization is not running out of IPv4 addresses so we don't need IPv6. (Similarly: Our organization is running out of IPv4 addresses so that's why we need IPv6.)

I can't use IPv6 because I still need to serve IPv4 clients.

Any IP that starts with 192 is a private IP and any IP that starts with 169 is self-assigned.

Authentication by client IP address alone is sufficient.

Long passwords requiring letters, numbers, and symbols with a no-repeat policy and a 90-day maximum password age are very secure.

+1 for "We should drop all ICMP(v6) traffic." (Related: "I can't ping the box so it must be down.")

+1 for "NAT is security".

Regarding "DNS only uses UDP", I give out a technical test during interviews and one of the questions is basically "Use iptables to block incoming DNS traffic" and all applicants so far have only blocked UDP port 53.
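The "DNS only uses UDP" point above is easy to check mechanically. The following is an added example, not code from the poster or from the NANOG thread: it audits a constructed iptables-save style ruleset and reports which transport protocols actually have port 53 dropped on the INPUT chain. The two rulesets, the chain name and the helper names (blocked_protocols, dns_fully_blocked) are assumptions made for this illustration. DNS needs TCP as well as UDP for zone transfers (AXFR/IXFR), for retries after a truncated (TC-bit) UDP response, and for answers larger than the UDP payload a resolver will accept, so a filter that only covers UDP/53 leaves a working DNS path.

```python
import re

# Constructed iptables-save style output: the UDP-only answer the post
# describes interview candidates giving. DNS over TCP still gets through.
UDP_ONLY_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 53 -j DROP
COMMIT
"""

# Constructed complete answer: both transports are dropped.
COMPLETE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 53 -j DROP
-A INPUT -p tcp -m tcp --dport 53 -j DROP
COMMIT
"""

# Matches an append rule with a protocol, a destination port and a target.
RULE_RE = re.compile(
    r"^-A (?P<chain>\S+) .*?-p (?P<proto>tcp|udp)\b.*?--dport (?P<port>\d+)\b.*?-j (?P<target>\S+)"
)


def blocked_protocols(ruleset: str, chain: str = "INPUT", port: int = 53) -> set:
    """Return the set of transport protocols for which `port` is dropped
    or rejected on `chain` in an iptables-save style ruleset."""
    blocked = set()
    for line in ruleset.splitlines():
        m = RULE_RE.match(line)
        if not m or m["chain"] != chain or int(m["port"]) != port:
            continue
        if m["target"] in ("DROP", "REJECT"):
            blocked.add(m["proto"])
    return blocked


def dns_fully_blocked(ruleset: str) -> bool:
    """True only when both UDP/53 and TCP/53 are filtered."""
    return blocked_protocols(ruleset) == {"tcp", "udp"}


def dns_over_tcp_frame(query: bytes) -> bytes:
    """DNS over TCP prefixes each message with a two-octet big-endian
    length (RFC 1035 section 4.2.2); over UDP the message is sent bare.
    Shown here only to make the transport difference concrete."""
    return len(query).to_bytes(2, "big") + query


if __name__ == "__main__":
    for name, rules in (("udp-only", UDP_ONLY_RULES), ("complete", COMPLETE_RULES)):
        print(name, sorted(blocked_protocols(rules)), "fully blocked:", dns_fully_blocked(rules))
```

The same audit applies to nftables or a vendor ACL: the question to ask of any "DNS is blocked" rule is whether the TCP half exists, not just whether port 53 appears somewhere.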

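The "starts with 192 / starts with 169" misconception in the post above is worth seeing against real address ranges. The following is an added example, not code from the poster or the thread: it compares the first-octet rule of thumb with a lookup against the actual RFC 1918 and link-local prefixes using Python's standard ipaddress module. The sample addresses, the label names and the helper names (classify, naive_rule, mismatches) are constructed for this illustration.

```python
import ipaddress

# Constructed sample addresses, chosen to show where the first-octet
# rule of thumb breaks down.
SAMPLES = [
    "192.168.1.10",   # RFC 1918 private (192.168.0.0/16)
    "192.0.2.7",      # TEST-NET-1 documentation range, not RFC 1918
    "192.100.1.1",    # globally routable; merely starts with 192
    "169.254.10.20",  # link-local / APIPA "self-assigned" (169.254.0.0/16)
    "169.1.2.3",      # globally routable; merely starts with 169
    "10.0.0.1",       # RFC 1918 private, does not start with 192
    "172.16.5.5",     # RFC 1918 private (172.16.0.0/12)
    "172.32.0.1",     # NOT private: 172.16.0.0/12 ends at 172.31.255.255
]

RFC1918 = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def classify(addr: str) -> str:
    """Classify an IPv4 address by prefix membership rather than first octet."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918-private"
    if ip in LINK_LOCAL:
        return "link-local"
    if not ip.is_global:
        return "special-purpose"  # documentation, loopback, reserved, etc.
    return "global"


def naive_rule(addr: str) -> str:
    """The misconception, encoded literally: judge by the first octet only."""
    first = addr.split(".")[0]
    if first == "192":
        return "rfc1918-private"
    if first == "169":
        return "link-local"
    return "global"


def mismatches():
    """Addresses where the first-octet rule and the prefix lookup disagree."""
    return [
        (a, naive_rule(a), classify(a)) for a in SAMPLES if naive_rule(a) != classify(a)
    ]


if __name__ == "__main__":
    for addr, naive, actual in mismatches():
        print(f"{addr:16} first-octet rule says {naive:16} actually {actual}")
```

The mismatches list is the practical point: an ACL or trust decision written around "starts with 192" both admits globally routable space it should not trust and misses the 10/8 and 172.16/12 private ranges entirely.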
