nanog mailing list archives
RE: misunderstanding scale
From: Alexander Lopez <alex.lopez () opsys com>
Date: Tue, 25 Mar 2014 05:25:31 +0000
-----Original Message----- From: Naslund, Steve [mailto:SNaslund () medline com] Sent: Monday, March 24, 2014 10:48 PM To: Owen DeLong; mark.tinka () seacom mu Cc: nanog () nanog org Subject: RE: misunderstanding scale Look at it this way. If I see an attack coming from behind your NAT, I'm gonna deny all traffic coming from your NAT block until you assure me you have it fixed because I have no way of knowing which host it is coming from. Now your whole network is unreachable. If you have a compromised GUA host I can block only him. Better for both of us, no?
That is assuming that the infected piece does not request another address in the /64, and that the person blocking at the target end blocks a /128 instead of the /64.
How about a single host spamming behind your NAT blocking your entire corporate public network from email services? Anyone ever see that one. Ipv6 GUAs allow us to use fly swatters instead of sledgehammers to deal with that.
I don't want to try to even think about SMTP on IPv6. Reputation of email servers as well as the whole thought process of spam control rely on a list of IP address. IPv6 adds an entirely new aspect to it.
Maybe GUAs will convince (scare) more enterprise users to actually treat the internal network as an environment that needs to be secured as well. We can only hope.
Most enterprise admins, segment their BYOD (wifi) network from the production network. Some will even use a different WAN ip for the wifi network or in the minimum block outbound request to well known services ports. I generally see where the only outbound connections allowed are http and https. All other ports are blocked.
Steven NaslundBzzzt... But thanks for playing.An IPv6 host with a GUA behind a stateful firewall with default deny isevery bit as secure as an iPv4 host with an RFC-1918 address behind a NAT44 gateway.
I can't argue there.....
Owen
Current thread:
- RE: misunderstanding scale, (continued)
- RE: misunderstanding scale Naslund, Steve (Mar 24)
- Re: misunderstanding scale Owen DeLong (Mar 24)
- Re: misunderstanding scale Timothy Morizot (Mar 24)
- Re: misunderstanding scale Mark Tinka (Mar 24)
- RE: misunderstanding scale Naslund, Steve (Mar 24)
- Message not available
- RE: misunderstanding scale Naslund, Steve (Mar 24)
- Re: misunderstanding scale hslabbert (Mar 24)
- Re: misunderstanding scale Owen DeLong (Mar 24)
- RE: misunderstanding scale Naslund, Steve (Mar 24)
- Re: misunderstanding scale Valdis . Kletnieks (Mar 24)
- RE: misunderstanding scale Alexander Lopez (Mar 24)
- Re: misunderstanding scale hslabbert (Mar 24)
- Re: why IPv6 isn't ready for prime time, SMTP edition John Levine (Mar 25)
- Re: why IPv6 isn't ready for prime time, SMTP edition Brielle Bruns (Mar 25)
- Re: why IPv6 isn't ready for prime time, SMTP edition Jim Popovitch (Mar 25)
- Re: why IPv6 isn't ready for prime time, SMTP edition John Levine (Mar 25)
- Re: why IPv6 isn't ready for prime time, SMTP edition Brielle Bruns (Mar 25)
- Re: why IPv6 isn't ready for prime time, SMTP edition Paul Ferguson (Mar 25)
- Re: why IPv6 isn't ready for prime time, SMTP edition Elizabeth Zwicky (Mar 25)
- Re: why IPv6 isn't ready for prime time, SMTP edition Paul Ferguson (Mar 25)
- Re: why IPv6 isn't ready for prime time, SMTP edition Laszlo Hanyecz (Mar 25)