RE: misunderstanding scale

[Alexander Lopez <alex.lopez () opsys com>]

> -----Original Message-----
> From: Naslund, Steve [mailto:SNaslund () medline com]
> Sent: Monday, March 24, 2014 10:48 PM
> To: Owen DeLong; mark.tinka () seacom mu
> Cc: nanog () nanog org
> Subject: RE: misunderstanding scale
>
> Look at it this way.  If I see an attack coming from behind your NAT, I'm gonna
> deny all traffic coming from your NAT block until you assure me you have it
> fixed because I have no way of knowing which host it is coming from. Now
> your whole network is unreachable. If you have a compromised GUA host I
> can block only him.  Better for both of us, no?

That is assuming that the infected piece does not request another address in the /64, and that the person blocking at 
the target end blocks a /128 instead of the /64.

> How about a single host spamming behind your NAT blocking your entire
> corporate public network from email services?  Anyone ever see that one.
> Ipv6 GUAs allow us to use fly swatters instead of sledgehammers to deal
> with that.

I don't want to try to even think about SMTP on IPv6. Reputation of email servers as well as the whole thought process 
of spam control rely on a list of IP address.

IPv6 adds an entirely new aspect to it.

> Maybe GUAs will convince (scare) more enterprise users to actually treat the
> internal network as an environment that needs to be secured as well.  We
> can only hope.
Most enterprise admins, segment their BYOD (wifi) network from the production network. Some will even use a different 
WAN ip for the wifi network or in the minimum block outbound request to well known services ports.

I generally see where the only outbound connections allowed are http and https. All other ports are blocked.

> Steven Naslund
>
>
> > > Bzzzt... But thanks for playing.
>
> > > An IPv6 host with a GUA behind a stateful firewall with default deny is
> every bit as secure as an iPv4 host with an RFC-1918 address behind a NAT44
> gateway.

I can't argue there.....


> > > Owen