nanog mailing list archives

Re: IPv6 uptake (was: The Reg does 240/4)

From: Michael Thomas <mike () mtcc com>
Date: Fri, 16 Feb 2024 17:22:01 -0800


On 2/16/24 5:05 PM, William Herrin wrote:

On Fri, Feb 16, 2024 at 3:13 PM Michael Thomas <mike () mtcc com> wrote:

If you know which subnets need to be NAT'd don't you also know which
ones shouldn't exposed to incoming connections (or conversely, which
should be permitted)? It seems to me that all you're doing is moving
around where that knowledge is stored? Ie, DHCP so it can give it
private address rather than at the firewall knowing which subnets not to
allow access? Yes, DHCP can be easily configured to make everything
private, but DHCP for static reachable addresses is pretty handy too.

Hi Mike,

Suppose I have a firewall at 2602:815:6000::1 with an internal network
of 2602:815:6001::/64. Inside the network on 2602:815:6001::4 I have a
switch that accepts telnet connections with a user/password of
admin/admin. On the firewall, I program it to disallow all Internet
packets to 2602:815:6001::/64 that are not part of an established
connection.

Someone tries to telnet to 2602:815:6001::4. What happens? Blocked.

Now, I make a mistake on my firewall. I insert a rule intended to
allow packets outbound from 2602:815:6001::4 but I fat-finger it and
so it allows them inbound to that address instead. Someone tries to
telnet to 2602:815:6001::4. What happens? Hacked.

Yes, but if the DHCP database has a mistake it's pretty much the samesituation since it could be numbered with a public address. For both youcan have the default as "reject" or "accept" -- that's just a defaultand depends on how you want to manage your network.

NAT is not without its own set of problems, so if this boils down to asubnet management issue there are obviously ways to deal with that toavoid NAT's problems. Both DHCP and firewall configs don't have to bethe ultimate source of truth about any of this. And that's likely a GoodThing since you want them to be pretty much as fungible and replaceableas possible. If you're exposed to fat fingers for either, you'reprobably already in trouble. Something in the management plain is farmore likely to care about this kind of thing than hardware vendors whosee that as a cost center with predictably shitty implementations.


Mike

Current thread:

Re: The Reg does 240/4, (continued)
- - - Re: The Reg does 240/4 Tom Beecher (Feb 15)
    - IPv6 uptake (was: The Reg does 240/4) Stephen Satchell (Feb 15)
    - Re: IPv6 uptake (was: The Reg does 240/4) Mark Andrews (Feb 15)
    - Re: IPv6 uptake (was: The Reg does 240/4) John Levine (Feb 15)
    - Re: IPv6 uptake (was: The Reg does 240/4) Justin Streiner (Feb 15)
    - Re: IPv6 uptake (was: The Reg does 240/4) Stephen Satchell (Feb 15)
    - Re: IPv6 uptake (was: The Reg does 240/4) Jay R. Ashworth (Feb 16)
    - Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 16)
    - Re: IPv6 uptake (was: The Reg does 240/4) Michael Thomas (Feb 16)
    - Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 16)
    - Re: IPv6 uptake (was: The Reg does 240/4) Michael Thomas (Feb 16)
    - Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 16)
    - Re: IPv6 uptake (was: The Reg does 240/4) Michael Thomas (Feb 16)
    - Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 16)
    - Re: IPv6 uptake (was: The Reg does 240/4) Michael Thomas (Feb 17)
    - Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 17)
    - Re: IPv6 uptake (was: The Reg does 240/4) sronan (Feb 16)
    - Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 16)
    - Re: IPv6 uptake (was: The Reg does 240/4) Ryan Hamel (Feb 16)
    - Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 16)
    - Re: IPv6 uptake (was: The Reg does 240/4) Michael Thomas (Feb 17)

(Thread continues...)