misunderstanding scale

Mark Andrews marka at isc.org
Tue Mar 25 06:10:57 UTC 2014


In message <7B6AF6E9-905A-4D14-B54F-8F244AFCFCEE at delong.com>, Owen DeLong writes:
>
> On Mar 24, 2014, at 8:52 PM, George Herbert <george.herbert at gmail.com>
> wrote:
>
> >
> >
> >
> > On Mon, Mar 24, 2014 at 8:02 PM, Owen DeLong <owen at delong.com> wrote:
> >
> > On Mar 24, 2014, at 9:21 AM, William Herrin <bill at herrin.us> wrote:
> >
> > > On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve
> <SNaslund at medline.com> wrote:
> > >> I am not sure I agree with the basic premise here.   NAT or Private
> > >> addressing does not equal security.
> > >
> > > Hi Steve,
> > >
> > > It is your privilege to believe this and to practice it in the
> > > networks you operate.
> > >
> > > Many of the folks you would have deploy IPv6 do not agree. They take
> > > comfort in the mathematical impossibility of addressing an internal
> > > host from an outside packet that is not part of an ongoing session.
> > > These folks find that address-overloaded NAT provides a valuable
> > > additional layer of security.
> >
> > Which impossibility has been disproven multiple times.
> >
> > > Some folks WANT to segregate their networks from the Internet via a
> > > general-protocol transparent proxy. They've had this capability with
> > > IPv4 for 20 years. IPv6 poorly addresses their requirement.
> >
> > Actually, there are multiple implementations of transparent proxies
> > available for IPv6. NAT isn't the same thing at all.
> >
> > If you want to make your life difficult in IPv6, you can. Nobody
> > prevents you from doing so. It is discouraged and nonsensical,
> > but quite possible at this point.
> >
> > Owen
> >
> >
> >
> > Right.  fc00::/7 exists.  If you want to emulate your internal use of
> > 10.0.0.0/8 plus NAT (or, proxies or load balancers or whatever) in your
> > IPv6 implementation go ahead.  Putting in some robust filtering that if
> > the fc00::/7 ever appears outside the internal gateway the traffic goes
> > poof should be as easy as the equivalents for 10, 172.16, 192.168 ...
>
>
> More accurately fd00::/8. fc00::/8 was reserved for ULA coordinated which
> failed to gain consensus. While IETF did set aside the /7, only fd00::/8
> has a legitimate documented purpose.

And if you are going to filter fc00::/7 is more future proof.

> Owen
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
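The filtering the thread describes, as an added worked example that is not part of any message above and not anyone's production ACL: a border filter that drops packets whose source or destination falls in RFC 1918 space or in the ULA block, plus a side-by-side check of what a fc00::/7 rule catches that a fd00::/8 rule does not. The sample packets and the helper names are constructed for this illustration; the prefixes are the ones named in the thread.

```python
import ipaddress

# Constructed for this example: the ranges the thread talks about.
# RFC 1918 IPv4 space plus the whole IETF-reserved ULA block fc00::/7.
# Only fd00::/8 (locally generated ULA) has a documented use, but the
# /7 is what you filter if you want the rule to stay correct should
# the fc00::/8 half ever be assigned a purpose.
BOGON_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]

# The narrower alternative from the thread, for comparison.
NARROW_ULA = [ipaddress.ip_network("fd00::/8")]
WIDE_ULA = [ipaddress.ip_network("fc00::/7")]


def is_bogon(addr: str, prefixes=BOGON_PREFIXES) -> bool:
    """True if addr lies inside any prefix in the filter list.
    ipaddress treats a v4 address as outside every v6 network and vice
    versa, so mixed-family lists are safe."""
    ip = ipaddress.ip_address(addr)
    return any(ip in p for p in prefixes)


def border_filter(packets, prefixes=BOGON_PREFIXES):
    """Emulate the 'goes poof at the internal gateway' rule.
    packets: iterable of (src, dst) address strings.
    Returns (forwarded, dropped) lists; a packet is dropped if either
    end of it is private/ULA, since neither should cross the border."""
    forwarded, dropped = [], []
    for src, dst in packets:
        if is_bogon(src, prefixes) or is_bogon(dst, prefixes):
            dropped.append((src, dst))
        else:
            forwarded.append((src, dst))
    return forwarded, dropped


def compare_ula_filters(addrs):
    """For each address, report (caught by fc00::/7, caught by fd00::/8)."""
    return {a: (is_bogon(a, WIDE_ULA), is_bogon(a, NARROW_ULA)) for a in addrs}


# Constructed sample traffic seen at the border, not real captures.
SAMPLE_PACKETS = [
    ("203.0.113.5", "198.51.100.7"),        # public v4 both ends: forward
    ("10.1.2.3", "198.51.100.7"),           # RFC 1918 source leaking out: drop
    ("2001:db8::1", "2001:db8::2"),         # global v6 both ends: forward
    ("fd12:3456:789a::1", "2001:db8::2"),   # fd00::/8 ULA source: drop
    ("fc00:1234::1", "2001:db8::2"),        # fc00::/8 half of the /7: drop
]

if __name__ == "__main__":
    fwd, drp = border_filter(SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("dropped:  ", drp)
    print(compare_ula_filters(["fd12:3456:789a::1", "fc00:1234::1"]))
```

The last line of the demo is the thread's point in miniature: `fd12:3456:789a::1` is caught by both rules, while `fc00:1234::1` is caught only by the fc00::/7 rule. On a real border the same logic lives in the router ACL or host firewall, applied to both directions just as the RFC 1918 equivalents are.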




More information about the NANOG mailing list