Re: AWS Elastic IP architecture

[Mark Andrews <marka () isc org>]

In message <556D35DF.8080901 () matthew at>, Matthew Kaufman writes:
> On 6/1/2015 6:32 PM, Mark Andrews wrote:
> > In message <CAL9jLaaQUP1UzoKag3Kuq8a5bMcB2q6Yg=B_=1fFWxRN6K-bNA@mail.gmail.
> com
> > > , Christopher Morrow writes:
> > > On Mon, Jun 1, 2015 at 9:02 PM, Ca By <cb.list6 () gmail com> wrote:
> > > > On Monday, June 1, 2015, Mark Andrews <marka () isc org> wrote:
> > > > > In message
> > > > > <CAL9jLaYXCdfViHbUPx-=rs4vSx5mFECpfuE8b7VQ+Au2hCXpMQ () mail gmail com>
> > > > > , Christopher Morrow writes:
> > > > > > So... I don't really see any of the above arguments for v6 in a vm
> > > > > > setup to really hold water in the short term at least.  I think for
> > > > > > sure you'll want v6 for public services 'soon' (arguably like 10 yrs
> > > > > > ago so you'd get practice and operational experience and ...) but for
> > > > > > the rest sure it's 'nice', and 'cute', but really not required for
> > > > > > operations (unless you have v6 only customers)
> > > > > Everyone has effectively IPv6-only customers today.  IPv6 native +
> > > > > CGN only works for services.  Similarly DS-Lite and 464XLAT.
> > > ok, and for the example of 'put my service in the cloud' ... the
> > > service is still accessible over ipv4 right?
> > It depends on what you are trying to do.  Having something in the
> > cloud manage something at home.  You can't reach the home over IPv4
> > more and more these days as.  IPv6 is the escape path for that but
> > you need both ends to be able to speak IPv6.
>
> ...and for firewalls to not exist. Since they do, absolutely all the 
> techniques required to "reach something at home" over IPv4 are required 
> for IPv6. This is on the "great myths of the advantages of IPv6" list.

For IPv4 you port forward in the NAT possibly doing port translation
as will as address translation.

For IPv6 you open the port inbound in the firewall or just move the
firewalling to the host.

IPv6 is easier.  With modern machines you really can get rid of the
firewall in front of the machine.  Lots of the equipement that
connects to the home nets spends plenty of time fully exposed to
the Internet w/o a firewall.  If it does that why does it need a
firewall at home?

There is a myth that you need a firewall at home. 

> IPv6 has exactly one benefit... there's more addresses. It comes with a 
> whole lot of new pain points, and probably a bunch of security nightmare 
> still waiting to be discovered. And it for sure isn't free.

It also remove a whole lot of complications.  Simplifies the security
profile.

> Matthew Kaufman
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org