nanog mailing list archives
Re: Redploying most of 127/8 as unicast public
From: Måns Nilsson <mansaxel () besserwisser org>
Date: Sun, 21 Nov 2021 20:47:07 +0100
Subject: Re: Redploying most of 127/8 as unicast public
Date: Sat, Nov 20, 2021 at 10:47:10PM -0500
Quoting Joe Maimon (jmaimon () jmaimon com):

> layer in front of these classes of devices or that they will be deployed|developed with sufficient/equivalent security without that layer is not nearly as re-assuring.

The inside/outside paradigm inherent in the reasoning of "NAT is a good, big part of my firewall" crowd is woefully inadequate to describe and counter the threats of today. The techniques to get past uni-reachability (The NATted client can ask the net, but not in reverse) are many and advanced.

Since there is a somewhat inflated belief of the efficiency of the unroutability paradigm, once inside, the rules tend to be relaxed. It might very well be so that the resultant protection level will be better once you realise you can't trust the net to not deliver packets to you.

Also, I much prefer writing firewall rules where the IP addresses don't change in-flight. Less to screw up.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
Of course, you UNDERSTAND about the PLAIDS in the SPIN CYCLE