nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: We hit half-million: The Cidr Report

From: Blake Dunlap <ikiris () gmail com>
Date: Wed, 30 Apr 2014 08:45:41 -0500
Just out of curiosity, how does removing port address translation from
the equation magically and suddenly make everything exposed, and
un-invent the firewall?

-Blake

On Tue, Apr 29, 2014 at 11:00 PM, Jeff Kell <jeff-kell () utc edu> wrote:

On 4/29/2014 11:37 PM, TheIpv6guy . wrote:

On Tue, Apr 29, 2014 at 7:54 PM, Jeff Kell <jeff-kell () utc edu> wrote:

On 4/29/2014 2:06 PM, Owen DeLong wrote:

If everyone who had 30+ inaggregable IPv4 prefixes replaced them with 1 (or even 3) IPv6 prefixes…
As a bonus, we could get rid of NAT, too. ;-)
/me ducks (but you know I had to say it)

Yeah, just when we thought Slammer / Blaster / Nachi / Welchia / etc /
etc  had been eliminated by process of "can't get there from here"... we
expose millions more endpoints...

/me ducks too (but you know *I* had to say it)


No ducking here.  You forgot Nimda.  Do you have an example from the
last 10 years of this class ?


Oh?  Anything hitting portmapper (tcp/135), or CIFS (tcp/445), or RDP
(tdp/3389 -- CVE-2012-0002 ring any bells?).

The vulnerabilities never stop.  We just stop paying attention because
most of us have blocked 135-139 and 445 and 3389 at the border long ago.

Now granted that 80/443 (server-side) are more dangerous these days :)
But that doesn't eliminate the original risks.

These are ports that were originally open by default...  and if you
"don't" have a perimeter policy, you're "wrong" (policy, compliance,
regulation, etc).

Not to mention that PCI compliance requires you are RFC1918 (non-routed)
at your endpoints, but I digress...

Jeff
Previous By Date Next
Previous By Thread Next

Current thread: