nanog mailing list archives

Re: Nat


From: 'Matt Palmer' <mpalmer () hezmatt org>
Date: Mon, 21 Dec 2015 16:49:38 +1100

On Sun, Dec 20, 2015 at 10:54:49PM -0500, Chuck Church wrote:
> From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Matt Palmer
> > Depends on how many devices you have on it.  Once you start filling your
> > home with Internet of Unpatchable Security Holes devices, having everything
> > on a single ethernet segment might start to get a little...  noisy.
> >
> > Thankfully, IPv6 has well-defined multicast scopes, which makes it
> > trivially easy to do cross-L2-segment service discovery without needing to
> > resort to manually berking around with firewall rules.

> If your home is full of unpatched or compromised hosts, and they're using
> these well-defined multicast scopes, doesn't that mean they can now
> communicate and infect one another?

No, multicast for discovery doesn't necessarily mean that the application
traffic can also pass.  The discovery multicast packets could be filtered at
any point within the network, also.

However, access control isn't what you asked about.  You claimed that
multiple L2 segments broke service discovery, and I refuted that point.

> For years I've seen people on this list
> insist on "NAT/PAT != firewall".   Well, a router routing everything it sees
> is even less of a firewall.

Correct.  However, nowhere did I suggest that a router should be routing
absolutely everything it sees.

> I'm really not trying to be argumentative here,

And yet, you're doing an awfully good job of being argumentative, about a
subject you really don't seem to know a whole lot about.

> but I'm just having a hard time believing Joe Sixpack will be applying
> business networking principles such as micro-segmenting to a home network
> with 3 to 7 devices on it.  If anything, these complexities we keep
> adding/debating such as DHCP vs RA, prefix delegation, etc are only slowing
> down the general deployment of IPv6.

Yes, it's a pity that people who refuse to learn about the new features that
IPv6 provides keep trying to shoehorn IPv6 into their legacy mindset, but
there's not a whole lot the rest of us can do about that.

- Matt
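The point about multicast scopes versus application traffic, as an added example that is not part of either Matt's or Chuck's messages: the scope of an IPv6 multicast address is encoded in the address itself (RFC 4291), so a router between segments can decide what to forward from the destination alone. The segment names "iot" and "lan" and the forwarding policy are assumptions for illustration.

```python
import ipaddress

# RFC 4291 section 2.7: the multicast scope is the low nibble of byte 1 (ff0X::).
SCOPES = {
    0x1: "interface-local",
    0x2: "link-local",
    0x4: "admin-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
}

def multicast_scope(addr: str):
    """Return the scope name of an IPv6 multicast address, or None for unicast."""
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_multicast:
        return None
    nibble = ip.packed[1] & 0x0F
    return SCOPES.get(nibble, f"reserved-{nibble:x}")

def should_forward(dst: str, src_segment: str, dst_segment: str) -> bool:
    """Toy inter-segment policy for a home router (assumed segments 'iot' and 'lan'):
    - link-local / interface-local multicast never leaves its own segment;
    - site-local or wider multicast (e.g. site-scoped discovery) may cross segments;
    - unicast application traffic is only forwarded from lan to iot, never iot to lan.
    """
    if src_segment == dst_segment:
        return True
    scope = multicast_scope(dst)
    if scope is None:
        return src_segment == "lan" and dst_segment == "iot"
    return scope in ("admin-local", "site-local", "organization-local", "global")

if __name__ == "__main__":
    # Constructed sample decisions: discovery can cross, unicast from iot cannot.
    for dst, src_seg, dst_seg in [("ff05::fb", "iot", "lan"),
                                  ("ff02::fb", "iot", "lan"),
                                  ("2001:db8::1", "iot", "lan")]:
        print(dst, src_seg, "->", dst_seg, should_forward(dst, src_seg, dst_seg))
```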

