Nat

'Matt Palmer' mpalmer at hezmatt.org
Mon Dec 21 05:49:38 UTC 2015


On Sun, Dec 20, 2015 at 10:54:49PM -0500, Chuck Church wrote:
> From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Matt Palmer
> >Depends on how many devices you have on it.  Once you start filling your
> >home with Internet of Unpatchable Security Holes devices, having everything
> >on a single ethernet segment might start to get a little...  noisy.
> 
> >Thankfully, IPv6 has well-defined multicast scopes, which makes it
> >trivially easy to do cross-L2-segment service discovery without needing to
> >resort to manually berking around with firewall rules.
> 
> If your home is full of unpatched or compromised hosts, and they're using
> these well-defined multicast scopes, doesn't that mean they can now
> communicate and infect one another?

No, multicast for discovery doesn't necessarily mean that the application
traffic can also pass.  The discovery multicast packets could be filtered at
any point within the network, also.

However, access control isn't what you asked about.  You claimed that
multiple L2 segments broke service discovery, and I refuted that point.

> For years I've seen people on this list
> insist on "NAT/PAT != firewall".  Well, a router routing everything it sees
> is even less of a firewall.

Correct.  However, nowhere did I suggest that a router should be routing
absolutely everything it sees.

> I'm really not trying to be argumentative here,

And yet, you're doing an awfully good job of being argumentative, about a
subject you really don't seem to know a whole lot about.

> but I'm just having a hard time believing Joe Sixpack will be applying
> business networking principles such as micro-segmenting to a home network
> with 3 to 7 devices on it.  If anything, these complexities we keep
> adding/debating such as DHCP vs RA, prefix delegation, etc. are only slowing
> down the general deployment of IPv6.

Yes, it's a pity that people who refuse to learn about the new features that
IPv6 provides keep trying to shoehorn IPv6 into their legacy mindset, but
there's not a whole lot the rest of us can do about that.

- Matt
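The distinction Matt draws above, that forwarding a discovery multicast group between segments says nothing about whether unicast application traffic may follow, can be shown with a small policy model. The following is an added example, not code from Matt's post or from any product mentioned in the thread. It assumes a hypothetical home router sitting between a LAN segment and an IoT segment (both using the 2001:db8::/32 documentation prefix, chosen here for illustration), reads the scope nibble out of the multicast address as defined in RFC 4291, forwards only one site-local discovery group (ff05::c, the site-local SSDP group), and allows unicast into the IoT segment only for flows the LAN side opened. The flow table is a deliberately coarse stand-in for a real stateful firewall.

```python
import ipaddress
from dataclasses import dataclass

# Multicast scope nibble values from RFC 4291 section 2.7.
SCOPE_NAMES = {
    0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
    0x5: "site-local", 0x8: "organization-local", 0xE: "global",
}


def multicast_scope(addr):
    """Return the 4-bit scope of an IPv6 multicast address, or None for unicast.

    The address layout is ff | flags (4 bits) | scope (4 bits) | group ID,
    so the scope is the low nibble of the second byte of the packed address.
    """
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_multicast:
        return None
    return ip.packed[1] & 0x0F


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


class SegmentRouter:
    """Toy forwarding policy for a router between a home LAN and an IoT segment.

    Hypothetical example: prefixes and the discovery group list are assumptions,
    not a description of any real router.
    """

    def __init__(self, lan_prefix, iot_prefix, discovery_groups):
        self.lan = ipaddress.IPv6Network(lan_prefix)
        self.iot = ipaddress.IPv6Network(iot_prefix)
        self.discovery_groups = {ipaddress.IPv6Address(g) for g in discovery_groups}
        # Flows opened from the LAN side: (lan_addr, lan_port, iot_addr, iot_port, proto)
        self.flows = set()

    def decide(self, pkt):
        """Return (forward, reason) for a packet arriving at the router."""
        src = ipaddress.IPv6Address(pkt.src)
        dst = ipaddress.IPv6Address(pkt.dst)
        scope = multicast_scope(pkt.dst)

        if scope is not None:
            # Interface- and link-local multicast never crosses a router; the
            # address itself confines it, no firewall rule needed.
            if scope <= 0x2:
                name = SCOPE_NAMES.get(scope, hex(scope))
                return False, f"{name} multicast stays on its segment"
            # Wider scopes cross only if the router has been told to carry them.
            if dst in self.discovery_groups:
                return True, "discovery group forwarded between segments"
            return False, "multicast group not in discovery policy"

        # Unicast: the application traffic that discovery later points devices at.
        if src in self.lan and dst in self.iot:
            self.flows.add((src, pkt.sport, dst, pkt.dport, pkt.proto))
            return True, "LAN-initiated connection to IoT segment"
        if src in self.iot and dst in self.lan:
            # A reply reverses addresses and ports of a flow the LAN opened.
            if (dst, pkt.dport, src, pkt.sport, pkt.proto) in self.flows:
                return True, "reply to LAN-initiated flow"
            return False, "unsolicited IoT-to-LAN unicast blocked"
        return False, "not a cross-segment flow this router carries"


if __name__ == "__main__":
    router = SegmentRouter("2001:db8:1:1::/64", "2001:db8:1:2::/64", ["ff05::c"])
    # Constructed sample packets: mDNS (link-local), site-local SSDP, a LAN-opened
    # HTTP connection and its reply, and an unsolicited IoT-to-LAN SMB attempt.
    samples = [
        Packet("fe80::1", "ff02::fb", "udp", 5353, 5353),
        Packet("2001:db8:1:2::10", "ff05::c", "udp", 1900, 1900),
        Packet("2001:db8:1:1::5", "2001:db8:1:2::10", "tcp", 40000, 80),
        Packet("2001:db8:1:2::10", "2001:db8:1:1::5", "tcp", 80, 40000),
        Packet("2001:db8:1:2::10", "2001:db8:1:1::6", "tcp", 1234, 445),
    ]
    for p in samples:
        print(p.src, "->", p.dst, router.decide(p))
```

Run it directly to see each sample classified. The point of the model is that the multicast decision and the unicast decision are independent branches: a device can be discoverable from the LAN while every connection it tries to open toward the LAN is refused, and the discovery group itself can be dropped at this router, or at any other hop, by leaving it out of the policy.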