Looking for comments

Karl Auer kauer at biplane.com.au
Thu Jul 22 04:24:59 UTC 2010


On Wed, 2010-07-21 at 20:37 -0700, Owen DeLong wrote:
> > I can throw a COTS d-link box with
> > address-overloaded NAT on a connection and have reasonably effective
> > network security and anonymity in IPv4. Achieving comparable results
> > in the IPv6 portion of the dual stack on each of those hosts is
> > complicated at best.
> > 
> Actually, it isn't particularly hard at all... Turn on privacy addressing
> on each of the hosts (if it isn't on by default) and then put a linux
> firewall in front of them with a relatively simple ip6tables configuration
> for outbound only.

All respect to someone who knows his stuff, and I do realise that the
OP mentioned small-scale hardware, but in the wider world (and even the
world of home users as seen from the carrier side) any solution that
says "do <whatever> on every host" is just not workable. As for the
Linux packet filter, that's an exercise for the advanced home user.
Outside the home environment - well, most people here have traffic rates
that would leave a Linux firewall a melted puddle of slag. It has to be
a standards based solution, implemented in silicon.

That said, you get 99% of everything worth having out of NAT with a
packet filter that says "allow established and related in, allow
anything out, block everything else". That can be implemented trivially
on just about any router from the tiniest piece of CPE up to the Cisco
and Juniper refrigerator boxes, and I would expect to see it the default
in any IPv6 CPE (when they at last begin appearing).

While there are people who want anonymity (by which they mean not
exposing actual addresses to the Internet), I am of the opinion that
this is little more than another version of security through obscurity,
and that the very minor benefit it may confer is massively outweighed by
the operational impost.

Some people don't want their MAC addresses exposed to the Internet, so
they don't want to use IPv6 autoconf addresses. I feel pretty much the
same way about that idea as I do about the other, but at least there is
a simple, standard solution for it - DHCP. DHCP is far less obstructive
to troubleshooting and logging than privacy addresses.

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/                  +61-428-957160 (mob)

GPG fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
Old fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF
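The "allow established and related in, allow anything out, block everything else" policy Karl describes is easy to state but worth seeing in motion, in particular the RELATED part, which is what lets ICMPv6 errors such as Packet Too Big reach a host that opened a flow (without it, Path MTU discovery breaks). The following is an added illustration, not code from the thread or from any poster: a small Python model of a stateful FORWARD policy, with the equivalent ip6tables rules noted in the comments. All addresses come from the RFC 3849 documentation prefix and are constructed; the interface names eth0/eth1 in the comments are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# The rules this model mirrors (interfaces assumed: eth0 = Internet, eth1 = LAN):
#   ip6tables -P FORWARD DROP
#   ip6tables -A FORWARD -i eth1 -o eth0 -j ACCEPT                     # anything out
#   ip6tables -A FORWARD -i eth0 -o eth1 -m conntrack \
#             --ctstate ESTABLISHED,RELATED -j ACCEPT                  # replies + errors in
# Everything else hits the DROP policy.

# Constructed addresses (RFC 3849 documentation prefix), not from the thread.
LAN_HOST = "2001:db8:1::10"
WEB_SERVER = "2001:db8:ffff::80"
UPSTREAM_ROUTER = "2001:db8:ffff::1"
OUTSIDE_SCANNER = "2001:db8:bad::1"

@dataclass(frozen=True)
class Packet:
    direction: str                     # "out": LAN -> Internet, "in": Internet -> LAN
    proto: str                         # "tcp", "udp" or "icmpv6"
    src: str
    dst: str
    sport: int = 0                     # tcp/udp only
    dport: int = 0
    icmp_type: int = 0                 # icmpv6 only
    inner: Optional["Packet"] = None   # ICMPv6 errors quote the packet that caused them

FlowKey = Tuple[str, str, int, str, int]

# ICMPv6 error types conntrack treats as RELATED when the quoted packet
# belongs to a tracked flow: dest unreachable, packet too big,
# time exceeded, parameter problem.
ICMPV6_ERRORS = {1, 2, 3, 4}

class StatefulForwardFilter:
    """Models the FORWARD path only. The firewall's own INPUT chain must
    still admit ICMPv6 Neighbor Discovery, or the box loses its neighbours."""

    def __init__(self) -> None:
        self.flows: Set[FlowKey] = set()   # flows originated from the LAN side

    @staticmethod
    def key(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reply_key(p: Packet) -> FlowKey:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def verdict(self, p: Packet) -> str:
        # "allow anything out": LAN-originated traffic passes and creates state
        if p.direction == "out":
            self.flows.add(self.key(p))
            return "ACCEPT"
        # "allow established in": a reply to a flow the LAN opened
        if self.reply_key(p) in self.flows:
            return "ACCEPT"
        # "allow related in": an ICMPv6 error quoting a packet of a tracked flow
        if (p.proto == "icmpv6" and p.icmp_type in ICMPV6_ERRORS
                and p.inner is not None and self.key(p.inner) in self.flows):
            return "ACCEPT"
        # "block everything else"
        return "DROP"

def run_scenario() -> List[str]:
    """Constructed packet sequence; returns the verdict for each packet."""
    fw = StatefulForwardFilter()
    syn = Packet("out", "tcp", LAN_HOST, WEB_SERVER, 40000, 80)
    packets = [
        syn,                                                        # LAN host opens TCP/80
        Packet("in", "tcp", WEB_SERVER, LAN_HOST, 80, 40000),       # SYN-ACK: ESTABLISHED
        Packet("in", "tcp", OUTSIDE_SCANNER, LAN_HOST, 51000, 22),  # unsolicited SYN to ssh
        Packet("in", "icmpv6", UPSTREAM_ROUTER, LAN_HOST,
               icmp_type=2, inner=syn),                             # Packet Too Big: RELATED
        Packet("in", "icmpv6", OUTSIDE_SCANNER, LAN_HOST,
               icmp_type=128),                                      # unsolicited echo request
        Packet("in", "icmpv6", OUTSIDE_SCANNER, LAN_HOST, icmp_type=1,
               inner=Packet("out", "tcp", LAN_HOST, OUTSIDE_SCANNER, 1, 1)),  # forged error
    ]
    return [fw.verdict(p) for p in packets]

if __name__ == "__main__":
    for v in run_scenario():
        print(v)
```

The last two packets show why the RELATED match has to look inside the ICMPv6 error rather than trusting the type: an error quoting a flow the LAN never opened is dropped just like the unsolicited echo request, while the Packet Too Big for the real flow gets through.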