nanog mailing list archives

Re: Assigning IPv6 /48's to CPE's?


From: Valdis.Kletnieks () vt edu
Date: Thu, 03 Jan 2008 23:57:49 -0500

On Thu, 03 Jan 2008 10:17:37 EST, William Herrin said:

> In my ever so humble opinion, IPv6 will not reach significant
> penetration at the customer level until NAT has been thoroughly
> implemented. Corporate information security officers will insist.
> Here's the thing: a stateful non-NAT firewall is automatically less
> secure than a stateful translating firewall. Why? Because a mistake
> configuring a NAT firewall breaks the network causing everything to
> stop working while a mistake with a firewall that does no translation
> causes data to flow unfiltered. Humans being humans, mistakes will be
> made. The first failure mode is highly preferable.

Which is why, if your site has an *actual* clue, the deployed hosts *also*
have their own iptables/ipfilters/whatever-windows-calls-it rulesets that
say what hosts are allowed to talk to them. So on the server, I can do:

ip6tables -A tcp-in ! -s 2001:468:c80::/48 -p tcp --dport 22 -j DROP

Now, even if our firewall guys fumble-finger something, I won't get
SSH connections coming in from outside AS1312.

Of course, I can't talk about business pressures from customers that have
incompetent security officers that don't understand stuff like multiple
layers of defense...
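Added example (not part of the original post or the NANOG thread): the complete host-level ruleset that a rule like the one above would sit in, loaded atomically with ip6tables-restore so the host stays closed even if the perimeter firewall is misconfigured. It assumes the site prefix 2001:468:c80::/48 and the chain name tcp-in from the post, an sshd on port 22, and a kernel with the conntrack match; the ICMPv6 accept, the established/related accept and the default-drop INPUT policy go beyond the single rule in the post.

```shell
#!/bin/sh
# Added example, not from the original post: a host-based ip6tables ruleset
# that enforces "SSH only from inside our /48" independently of the perimeter
# firewall.  Assumed values: site prefix 2001:468:c80::/48 (from the post),
# sshd on TCP/22, chain name tcp-in (from the post).
set -eu

SITE_PREFIX="${SITE_PREFIX:-2001:468:c80::/48}"

# Emit the ruleset in ip6tables-save format.  Lines beginning with '#' are
# comments that ip6tables-restore ignores.
host_ruleset() {
    cat <<EOF
*filter
# Default-drop on INPUT: a missing rule closes the port instead of opening it.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:tcp-in - [0:0]
# Loopback and replies to connections this host initiated.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 carries neighbour discovery and path-MTU discovery; dropping it
# blindly breaks IPv6 connectivity.
-A INPUT -p ipv6-icmp -j ACCEPT
# New inbound TCP connections are judged in their own chain.
-A INPUT -p tcp --syn -j tcp-in
# The rule from the post: SSH from outside the site prefix is dropped here,
# no matter what the perimeter firewall lets through.
-A tcp-in ! -s ${SITE_PREFIX} -p tcp --dport 22 -j DROP
-A tcp-in -p tcp --dport 22 -j ACCEPT
# Anything not accepted above falls back to the INPUT DROP policy.
COMMIT
EOF
}

# Load the whole table in one transaction (requires root).
apply_host_rules() {
    host_ruleset | ip6tables-restore
}

# Sanity check used before applying: the ruleset must default-drop INPUT and
# must contain the SSH drop for sources outside SITE_PREFIX.  Returns 0 if so.
check_host_ruleset() {
    host_ruleset | grep -q '^:INPUT DROP' &&
    host_ruleset | grep -q -- "-A tcp-in ! -s ${SITE_PREFIX} -p tcp --dport 22 -j DROP"
}

# Stand-alone use: "sh script.sh apply" loads the rules; with no argument the
# script only prints the ruleset so it can be reviewed first.
if [ "${1:-}" = "apply" ]; then
    check_host_ruleset
    apply_host_rules
else
    host_ruleset
fi
```

Running the script without arguments prints the ruleset for review; `sh script.sh apply` runs the check and then loads it. Because ip6tables-restore replaces the filter table atomically, there is no window in which tcp-in exists but is only half-built.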
