nanog mailing list archives

Re: misunderstanding scale

From: hslabbert () stargate ca
Date: Mon, 24 Mar 2014 10:36:46 -0700

On 2014-03-24, "Naslund, Steve" <SNaslund () medline com> wrote:

If they have a stateful IPv6 firewall (which they should and which most firewall vendors support), they already have what 
they need to prevent their internal systems from being accessible from the outside.  If you are an enterprise and you 
don't have a stateful firewall, you are in trouble from a security standpoint whether you run v4 or v6.  If you cannot 
configure a stateful firewall to block connections being initiated from outside, you are not qualified to be working with 
the firewall, v4 or v6 does not matter.  If someone is relying on NAT in case their firewall is misconfigured, they have 
major issues with security.

In the home, I am not sure what the major issue is there either.  How many CPE devices have you seen that do not 
implement basic firewall functionality?  People may not use them correctly but that is no more an issue with v6 than it 
is with v4.  Most CPE even comes out of the box blocking inbound connections by default.

Tell that to our little D-Link AP/router with stateless filters only for v6,and broken config options that make it impossible to apply even that to atunnel interface (HE).

I agree with you on pushing v6 adoption and that the at the root of it youshould have a stateful firewall be it v4 or v6, but:

- if this thread is any indication and as per your first paragraph, way toomany orgs are depending on NAT as a security feature and v6 is exposing thatweakness in their posture- home CPE implementations are largely crap, and good luck getting a decentportion of them supporting (functional) stateful v6 firewalls


Steve


--
Hugo


-----Original Message-----
From: Mark Tinka [mailto:mark.tinka () seacom mu]
Sent: Monday, March 24, 2014 11:35 AM
To: Timothy Morizot
Cc: NANOG list
Subject: Re: misunderstanding scale

Don't disagree with you there.

I'm saying many an enterprise (small and large) as well as homes operate this way. There is a lot of unlearning to do.

The whole issue is that a number of enterprises "may" only feel safe if IPv6 comes with NAT66, probably on top (or not 
on top) of a stateful IPv6 firewall.

We need to think about how to re-train the enterprise, if we don't want to repeat the erasure of the end-to-end model, 
second time around.

Mark.


--
Hugo Slabbert
Network Specialist
Phone: 604.606.4448
Email: hslabbert () stargate ca

Stargate Connections Inc.
http://www.stargate.ca

Attachment: signature.asc
Description: Digital signature

Current thread:

Re: misunderstanding scale, (continued)
- - - Re: misunderstanding scale Valdis . Kletnieks (Mar 24)
    - Re: misunderstanding scale Michael Thomas (Mar 24)
    - Re: misunderstanding scale William Herrin (Mar 24)
    - RE: misunderstanding scale Eric Wieling (Mar 24)
    - RE: misunderstanding scale Naslund, Steve (Mar 24)
    - Re: misunderstanding scale Owen DeLong (Mar 24)
    - Re: misunderstanding scale Timothy Morizot (Mar 24)
    - Re: misunderstanding scale Mark Tinka (Mar 24)
    - RE: misunderstanding scale Naslund, Steve (Mar 24)
    - Message not available
    - RE: misunderstanding scale Naslund, Steve (Mar 24)
    - Re: misunderstanding scale hslabbert (Mar 24)
    - Re: misunderstanding scale Owen DeLong (Mar 24)
    - RE: misunderstanding scale Naslund, Steve (Mar 24)
    - Re: misunderstanding scale Valdis . Kletnieks (Mar 24)
    - RE: misunderstanding scale Alexander Lopez (Mar 24)
    - Re: misunderstanding scale hslabbert (Mar 24)
    - Re: why IPv6 isn't ready for prime time, SMTP edition John Levine (Mar 25)
    - Re: why IPv6 isn't ready for prime time, SMTP edition Brielle Bruns (Mar 25)
    - Re: why IPv6 isn't ready for prime time, SMTP edition Jim Popovitch (Mar 25)
    - Re: why IPv6 isn't ready for prime time, SMTP edition John Levine (Mar 25)
    - Re: why IPv6 isn't ready for prime time, SMTP edition Brielle Bruns (Mar 25)

(Thread continues...)