Assigning IPv6 /48's to CPE's?

William Herrin herrin-nanog at dirtside.com
Thu Jan 3 17:53:24 UTC 2008


On Jan 3, 2008 11:25 AM, Tim Franklin <tim at pelican.org> wrote:
> Only assuming the nature of your mistake is 'turn it off'.
>
> I can fat-finger a 'port-forward *all* ports to important internal
> server', rather than just '80/TCP' pretty much exactly as easily as I can
> fat-finger 'permit *all* external to important internal server' rather
> than just '80/TCP'.

Tim,

While that's true of firewalled servers that are intended to provide
services to the Internet at large, the vast majority of equipment
behind a typical NAT firewall provides no services whatsoever to the
Internet, and the devices do not each map to their own global IP
address. They are client PCs and a scattering of LAN servers.

You can fat-finger "allow all ports inbound" in a stateful firewall
far easier than you fat-finger "translate a bank of global IP
addresses I don't actually have on a one-to-one basis to this large
list of local-scope IP addresses -and- allow all ports inbound" in a
NAT firewall. Actually, the latter is pretty hard to configure at all,
let alone fat-finger by mistake.


> I'll grant the 'everything is disconnected' case is easier to spot, though
> - especially if you don't have proper change management to test that the
> change you made is the change you think you made.

Do you mean to tell me there's actually such a thing as a network
engineer who creates and uses a test plan every single time he makes a
change to every firewall he deals with? I thought such beings were a
myth, like unicorns and space aliens!

Regards,
Bill Herrin



-- 
William D. Herrin                  herrin at dirtside.com  bill at herrin.us
3005 Crane Dr.                        Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
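The failure mode the two posts are arguing about, a "permit everything inbound" rule slipping into a change that was meant to open only 80/TCP, is the kind of thing a pre-deployment check catches. The following is an added example, not code from either poster: a small linter over a constructed, simplified ACL-style syntax (permit/deny, protocol, `any` or `host <addr>`, optional `eq <port>`), which flags inbound permits with no port restriction and diffs an intended rule set against the one actually written. The syntax, the rule lines and the 192.0.2.10 address are all constructed for the example; it is not a parser for any vendor's real configuration format.

```python
"""Lint a small, ACL-style inbound rule set for "allow everything" mistakes.

Assumption: rules use a constructed, simplified subset of an extended
ACL syntax:  permit|deny <proto> <src> <dst> [eq <port>]
where <src>/<dst> are either "any" or "host <address>".  This is not a
parser for any real vendor's configuration language.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp", "udp", ...
    src: str              # "any" or an address
    dst: str              # "any" or an address
    dport: Optional[int]  # None means "all ports"


def parse_rule(line: str) -> Rule:
    """Parse one rule line such as 'permit tcp any host 192.0.2.10 eq 80'."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unrecognised rule: {line!r}")
    action, proto = tokens[0], tokens[1]
    rest = tokens[2:]

    def take_addr(toks: List[str]) -> Tuple[str, List[str]]:
        # "any" is a single token; "host <addr>" is two tokens
        if toks and toks[0] == "any":
            return "any", toks[1:]
        if len(toks) > 1 and toks[0] == "host":
            return toks[1], toks[2:]
        raise ValueError(f"bad address in rule: {line!r}")

    src, rest = take_addr(rest)
    dst, rest = take_addr(rest)
    dport: Optional[int] = None
    if rest:
        if len(rest) == 2 and rest[0] == "eq":
            dport = int(rest[1])
        else:
            raise ValueError(f"bad port specification in rule: {line!r}")
    return Rule(action, proto, src, dst, dport)


def lint_inbound(lines: List[str]) -> List[str]:
    """Return one finding per permit rule that opens all ports from any source.

    This is the 'permit *all* external to important internal server'
    fat-finger from the thread: an inbound permit with no port restriction.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        rule = parse_rule(line)
        if rule.action != "permit" or rule.src != "any":
            continue
        if rule.dport is None:
            findings.append(
                f"line {n}: permits ALL {rule.proto} ports from any source "
                f"to {rule.dst}: {line}"
            )
    return findings


def diff_rulesets(before: List[str], after: List[str]) -> Tuple[List[Rule], List[Rule]]:
    """Return (added, removed) rules between two rule sets, so the change
    actually made can be compared with the change that was intended."""
    b = [parse_rule(line) for line in before]
    a = [parse_rule(line) for line in after]
    added = [r for r in a if r not in b]
    removed = [r for r in b if r not in a]
    return added, removed


# Constructed sample: the change the engineer meant to make versus the
# fat-fingered version that drops the port qualifier.
INTENDED = [
    "permit tcp any host 192.0.2.10 eq 80",
    "deny ip any any",
]
FAT_FINGERED = [
    "permit ip any host 192.0.2.10",   # all protocols, all ports
    "deny ip any any",
]

if __name__ == "__main__":
    for finding in lint_inbound(FAT_FINGERED):
        print(finding)
    added, removed = diff_rulesets(INTENDED, FAT_FINGERED)
    print("added:  ", added)
    print("removed:", removed)
```

Run against the fat-fingered set, the linter reports the unrestricted permit to 192.0.2.10, and the diff shows the port-80 rule removed and the all-ports rule added, which is exactly the "is the change you made the change you think you made" comparison the thread mentions. The same idea applies to a NAT configuration: diff the translation table before and after, and flag any one-to-one mapping that has no port component.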


