Re: AWS Elastic IP architecture

[Mark Andrews <marka () isc org>]

In message <556DC6FD.7040801 () matthew at>, Matthew Kaufman writes:
> On 6/1/15 10:12 PM, Mark Andrews wrote:
> > In message <556D35DF.8080901 () matthew at>, Matthew Kaufman writes:
> > > On 6/1/2015 6:32 PM, Mark Andrews wrote:
> > > > In message <CAL9jLaaQUP1UzoKag3Kuq8a5bMcB2q6Yg=B_=1fFWxRN6K-bNA@mail.gmail.
> > > com
> > > > > , Christopher Morrow writes:
> > > > > On Mon, Jun 1, 2015 at 9:02 PM, Ca By <cb.list6 () gmail com> wrote:
> > > > > > On Monday, June 1, 2015, Mark Andrews <marka () isc org> wrote:
> > > > > > > In message
> > > > > > > <CAL9jLaYXCdfViHbUPx-=rs4vSx5mFECpfuE8b7VQ+Au2hCXpMQ () mail gmail com>
> > > > > > > , Christopher Morrow writes:
> > > > > > > > So... I don't really see any of the above arguments for v6 in a vm
> > > > > > > > setup to really hold water in the short term at least.  I think for
> > > > > > > > sure you'll want v6 for public services 'soon' (arguably like 10 yrs
> > > > > > > > ago so you'd get practice and operational experience and ...) but for
> > > > > > > > the rest sure it's 'nice', and 'cute', but really not required for
> > > > > > > > operations (unless you have v6 only customers)
> > > > > > > Everyone has effectively IPv6-only customers today.  IPv6 native +
> > > > > > > CGN only works for services.  Similarly DS-Lite and 464XLAT.
> > > > > ok, and for the example of 'put my service in the cloud' ... the
> > > > > service is still accessible over ipv4 right?
> > > > It depends on what you are trying to do.  Having something in the
> > > > cloud manage something at home.  You can't reach the home over IPv4
> > > > more and more these days as.  IPv6 is the escape path for that but
> > > > you need both ends to be able to speak IPv6.
> > > ...and for firewalls to not exist. Since they do, absolutely all the
> > > techniques required to "reach something at home" over IPv4 are required
> > > for IPv6. This is on the "great myths of the advantages of IPv6" list.
> > For IPv4 you port forward in the NAT possibly doing port translation
> > as will as address translation.
>
> Takes about 30 seconds in the web interface of your CPE.
>
> > For IPv6 you open the port inbound in the firewall or just move the
> > firewalling to the host.
>
> Takes about 30 seconds in the web interface of your CPE.
>
> > IPv6 is easier.  With modern machines you really can get rid of the
> > firewall in front of the machine.
>
> For the good of the botnet operators, I encourage doing this.
>
> I can't run my laser printer without a firewall in front of it, and I 
> can't even guess how secure the controller in the septic system pump box 
> might be... so I don't risk it. And I *know* that some of the webcams I 
> have are vulnerable and have no updates available.

Well send the printer back as defective which it is.  As for the
controller of the septic system pump box it should be able to be
on the net without a firewall in front of it.

> > Lots of the equipement that
> > connects to the home nets spends plenty of time fully exposed to
> > the Internet w/o a firewall.
>
> I don't believe that's accurate.

All the laptops, phones, tablets, e-readers spend some time connect
without a firewall in front of them.  A Windows box hasn't needed
a firewall in front of it Windows XP SP2.  Macs don't need firewalls
in front of them.  Linux boxes don't need firewalls in front of
them.

About the only thing the border router should be doing is preventing
spoofed "internal" packets from coming in and filtering non-locally
sourced packets leaving.  There really shouldn't be any to filter
legitimately addressed packets.  If there is then the product is
defective.

> >   If it does that why does it need a
> > firewall at home?
> >
> > There is a myth that you need a firewall at home.
>
> Perpetuated by all the actual cases of poorly designed operating systems 
> and embedded systems getting attacked and making the news as a result 
> (http://www.insecam.org/ among others)

So send the cameras back to the manufacture/retailer for a fix/refund.  
 
> > > IPv6 has exactly one benefit... there's more addresses. It comes with a
> > > whole lot of new pain points, and probably a bunch of security nightmare
> > > still waiting to be discovered. And it for sure isn't free.
> > It also remove a whole lot of complications.  Simplifies the security
> > profile.
>
> If you think that the NDP DOS exposure is a "simplification" of 
> security, then I'd love to hear more about the benefits of IPv6.

Even with that it simplifies security.  Routers will get code
to work around that.
 
> Matthew Kaufman
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org