nanog mailing list archives
Re: We hit half-million: The Cidr Report
From: Rick Astley <jnanog () gmail com>
Date: Wed, 30 Apr 2014 05:53:47 -0400
Security is a layered approach though. I can't recall any server or service that runs in listening state (and reachable from public address space) that hasn't had some type of remotely exploitable vulnerability. It's hard to lean on operating systems and software companies to default services to off. When you run "netstat -a" on a lot of operating systems there are too many things in listening state without a convincing enough reason.

NAT is stateful only out of necessity, but after IPv6 a small layer of security will go away. There is potentially another alternative, though. Scanning blocks of IPv6 addresses for valid hosts is mostly a waste of time, but you could do things like looking at server logs or getting IP addresses of clients you are connected with on P2P networks. A good way to prevent that is to assign multiple IPv6 addresses to operating systems as security "zones", so the source address a browser or P2P client would use is not the same one with potentially remotely exploitable services running in listening state.

As a bonus they should probably take it one step further and just place web browsers and email clients in a dedicated VM sandbox that can be blown out and recreated in case of infection or persistent browser toolbars and stuff. So far malware seems to be winning the war, so it might be best to just acknowledge that people are likely to be attacked successfully and attempt to quarantine it when it happens. It would probably be less intrusive than trying to force people into restricted user accounts, so I never understood why nobody ever really pushed for this. Technical users have been running suspect code and links in VMs for a while now.

On Wed, Apr 30, 2014 at 1:13 AM, Owen DeLong <owen () delong com> wrote:
> On Apr 29, 2014, at 7:54 PM, Jeff Kell <jeff-kell () utc edu> wrote:
>
>> On 4/29/2014 2:06 PM, Owen DeLong wrote:
>>
>>> If everyone who had 30+ inaggregable IPv4 prefixes replaced them with 1 (or even 3) IPv6 prefixes…
>>>
>>> As a bonus, we could get rid of NAT, too. ;-)
>>>
>>> /me ducks (but you know I had to say it)
>>
>> Yeah, just when we thought Slammer / Blaster / Nachi / Welchia / etc / etc had been eliminated by process of "can't get there from here"... we expose millions more endpoints...
>>
>> /me ducks too (but you know *I* had to say it)
>
> Pretending that endpoints are not exposed to those things with NAT is kind of like putting a screen door in front of a bank vault and saying "now safe from tornadoes".
>
> Owen
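[Editor's added example, not part of the thread.] The post above makes two checkable claims: that a "netstat -a" on a typical host shows too many listeners, and that giving a host a separate "client-only" IPv6 address (the one a browser or P2P client sources from) keeps peers who learn that address away from the listening services. The second only holds if those services are bound to a specific address; a service bound to the wildcard ("::", "0.0.0.0" or "*") answers on every address the host has, including the client-only one. The script below parses the local-address column of `ss -H -tln`-style output, classifies each listener by bind scope, and reports which listeners a peer could reach by connecting to a given local address. The sample output, the addresses in it (2001:db8::/32 is documentation space) and the "client-only" address 2001:db8:1::abcd are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of `ss -H -tln` output (not captured from a real host).
# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22          0.0.0.0:*
LISTEN 0      128             [::]:22             [::]:*
LISTEN 0      4096       127.0.0.1:631          0.0.0.0:*
LISTEN 0      4096           [::1]:631             [::]:*
LISTEN 0      511                *:80                *:*
LISTEN 0      50   [2001:db8:1::10]:5432            [::]:*
LISTEN 0      128    [fe80::1%eth0]:546             [::]:*
"""

WILDCARDS = {"0.0.0.0", "::", "*"}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    scope: str  # "wildcard", "loopback", "link-local" or "specific"


def split_local(field: str) -> tuple[str, int]:
    """Split an ss 'Local Address:Port' field into (address, port).
    IPv6 addresses are bracketed; the port follows the last colon."""
    addr, _, port = field.rpartition(":")
    if addr.startswith("[") and addr.endswith("]"):
        addr = addr[1:-1]
    return addr, int(port)


def classify(addr: str) -> str:
    """Bind scope of a local address as printed by ss."""
    if addr in WILDCARDS:
        return "wildcard"
    bare = addr.split("%", 1)[0]  # drop the zone index on link-local addresses
    ip = ipaddress.ip_address(bare)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    return "specific"


def parse_ss(text: str) -> list[Listener]:
    """Parse LISTEN rows of `ss -H -tln` output into Listener records."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = split_local(fields[3])
        listeners.append(Listener(addr, port, classify(addr)))
    return listeners


def reachable_via(listeners: list[Listener], local_addr: str) -> list[Listener]:
    """Listeners a remote peer can reach by connecting to local_addr.

    An exact match is reachable, and so is any wildcard bind of the same
    address family: "*" covers both families, "::" covers IPv6 and "0.0.0.0"
    covers IPv4 (an IPv6 socket with IPV6_V6ONLY=0 also accepts IPv4, which
    this simplified check does not model)."""
    is_v6 = ipaddress.ip_address(local_addr.split("%", 1)[0]).version == 6
    family_wildcard = "::" if is_v6 else "0.0.0.0"
    return [
        l for l in listeners
        if l.address == local_addr or l.address in ("*", family_wildcard)
    ]


if __name__ == "__main__":
    found = parse_ss(SAMPLE_SS_OUTPUT)
    for l in found:
        print(f"{l.scope:<11} {l.address}:{l.port}")
    # What a peer who learned the hypothetical client-only address can reach:
    client_only = "2001:db8:1::abcd"
    for l in reachable_via(found, client_only):
        print(f"reachable via {client_only}: {l.address}:{l.port}")
```

Run against the sample, the zoning works for PostgreSQL (bound to 2001:db8:1::10 only) but not for sshd or the web server, which are wildcard-bound and therefore answer on the client-only address too. The practical check after setting up address zones is that `reachable_via(parse_ss(real_ss_output), client_only_address)` comes back empty, or contains only what you intended.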