nanog mailing list archives

Re: misunderstanding scale


From: Mark Andrews <marka () isc org>
Date: Tue, 25 Mar 2014 17:10:57 +1100


In message <7B6AF6E9-905A-4D14-B54F-8F244AFCFCEE () delong com>, Owen DeLong writes:

On Mar 24, 2014, at 8:52 PM, George Herbert <george.herbert () gmail com>
wrote:
On Mon, Mar 24, 2014 at 8:02 PM, Owen DeLong <owen () delong com> wrote:

On Mar 24, 2014, at 9:21 AM, William Herrin <bill () herrin us> wrote:

On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve
<SNaslund () medline com> wrote:
I am not sure I agree with the basic premise here.   NAT or Private
addressing does not equal security.

Hi Steve,

It is your privilege to believe this and to practice it in the
networks you operate.

Many of the folks you would have deploy IPv6 do not agree. They take
comfort in the mathematical impossibility of addressing an internal
host from an outside packet that is not part of an ongoing session.
These folks find that address-overloaded NAT provides a valuable
additional layer of security.

Which impossibility has been disproven multiple times.

Some folks WANT to segregate their networks from the Internet via a
general-protocol transparent proxy. They've had this capability with
IPv4 for 20 years. IPv6 poorly addresses their requirement.

Actually, there are multiple implementations of transparent proxies
available for IPv6. NAT isn't the same thing at all.

If you want to make your life difficult in IPv6, you can. Nobody
prevents you from doing so. It is discouraged and nonsensical,
but quite possible at this point.

Owen
Right.  fc00::/7 exists.  If you want to emulate your internal use of
10.0.0.0/8 plus NAT (or, proxies or load balancers or whatever) in your
IPv6 implementation go ahead.  Putting in some robust filtering that if
the fc00::/7 ever appears outside the internal gateway the traffic goes
poof should be as easy as the equivalents for 10, 172.16, 192.168 ...


More accurately fd00::/8. fc00::/8 was reserved for ULA coordinated which
failed to gain consensus. While IETF did set aside the /7, only fd00::/8
has a legitimate documented purpose.

And if you are going to filter, fc00::/7 is more future proof.

Owen
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org