Assigning IPv6 /48's to CPE's?

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Fri Jan 4 04:57:49 UTC 2008


On Thu, 03 Jan 2008 10:17:37 EST, William Herrin said:

> In my ever so humble opinion, IPv6 will not reach significant
> penetration at the customer level until NAT has been thoroughly
> implemented. Corporate information security officers will insist.
> Here's the thing: a stateful non-NAT firewall is automatically less
> secure than a stateful translating firewall. Why? Because a mistake
> configuring a NAT firewall breaks the network causing everything to
> stop working while a mistake with a firewall that does no translation
> causes data to flow unfiltered. Humans being humans, mistakes will be
> made. The first failure mode is highly preferable.

Which is why, if your site has an *actual* clue, the deployed hosts *also*
have their own iptables/ipfilters/whatever-windows-calls-it rulesets that
say what hosts are allowed to talk to them. So on the server, I can do:

# host-side rule: drop inbound SSH unless the source is inside the site's /48
# (negation goes before the option in current ip6tables, and the prefix needs "::")
ip6tables -A tcp-in ! -s 2001:468:c80::/48 -p tcp --dport 22 -j DROP

Now, even if our firewall guys fumble-finger something, I won't get
SSH connections coming in from outside AS1312.

Of course, I can't talk about business pressures from customers that have
incompetent security officers that don't understand stuff like multiple
layers of defense...
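To make the defense-in-depth argument above concrete, here is an added example (not part of the original post) that models the two layers as first-match rule chains the way netfilter evaluates them: a perimeter chain that is either configured correctly or "fumble-fingered" into passing everything, and the host chain carrying the single ip6tables rule from the post. The rule evaluator, the sample source addresses (2001:db8::/32 is documentation space), and the `tcp-in` chain name are assumptions for illustration; the only thing taken from the post is the 2001:468:c80::/48 prefix, written here with the `::` that ip6tables requires. It also shows why the prefix as typed in the post, without `::`, would not load.

```python
"""Model of the host-side ip6tables rule as a second layer behind a perimeter firewall."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Prefix named in the post; ip6tables wants a real IPv6 literal, hence the "::".
TRUSTED = ipaddress.IPv6Network("2001:468:c80::/48")


def valid_prefix(text: str) -> bool:
    """True if ip6tables-style prefix text is a parseable IPv6 network."""
    try:
        ipaddress.IPv6Network(text, strict=True)
        return True
    except ValueError:  # covers AddressValueError / NetmaskValueError
        return False


@dataclass(frozen=True)
class Rule:
    """One netfilter-style rule: all present match fields must match for the target to fire."""
    proto: Optional[str]            # "tcp", "udp", or None for any
    dport: Optional[int]            # destination port, or None for any
    src: Optional[ipaddress.IPv6Network]  # source prefix, or None for any
    negate_src: bool                # True models "! -s PREFIX"
    target: str                     # "ACCEPT" or "DROP"

    def matches(self, proto: str, dport: int, src: str) -> bool:
        if self.proto is not None and proto != self.proto:
            return False
        if self.dport is not None and dport != self.dport:
            return False
        if self.src is not None:
            inside = ipaddress.IPv6Address(src) in self.src
            # with negation the rule fires only when the source is OUTSIDE the prefix
            if inside == self.negate_src:
                return False
        return True

    def to_ip6tables(self, chain: str) -> str:
        """Render in current ip6tables syntax (extrapositioned negation: `! -s`)."""
        parts = ["ip6tables", "-A", chain]
        if self.src is not None:
            if self.negate_src:
                parts.append("!")
            parts += ["-s", str(self.src)]
        if self.proto is not None:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        parts += ["-j", self.target]
        return " ".join(parts)


def evaluate(chain: List[Rule], proto: str, dport: int, src: str, policy: str) -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(proto, dport, src):
            return rule.target
    return policy


# The post's host rule: drop SSH unless the source is inside the site's /48.
SSH_FROM_OUTSIDE_DROP = Rule("tcp", 22, TRUSTED, True, "DROP")
HOST_CHAIN = [SSH_FROM_OUTSIDE_DROP]          # host policy ACCEPT (a typical default)

# Perimeter as intended: only the site's own prefix gets in, everything else hits policy DROP.
PERIMETER_OK = [Rule(None, None, TRUSTED, False, "ACCEPT")]
# Perimeter after a mistake: empty chain with ACCEPT policy, i.e. data flows unfiltered.
PERIMETER_FUMBLED: List[Rule] = []


def end_to_end(perimeter: List[Rule], perimeter_policy: str,
               proto: str, dport: int, src: str) -> str:
    """A packet must pass the perimeter chain and then the host chain."""
    if evaluate(perimeter, proto, dport, src, perimeter_policy) != "ACCEPT":
        return "DROP"
    return evaluate(HOST_CHAIN, proto, dport, src, "ACCEPT")


if __name__ == "__main__":
    print(SSH_FROM_OUTSIDE_DROP.to_ip6tables("tcp-in"))
    # Constructed sample connection attempts: an outside host and an inside host.
    for src in ("2001:db8::1", "2001:468:c80::10"):
        for name, chain, pol in (("ok", PERIMETER_OK, "DROP"),
                                 ("fumbled", PERIMETER_FUMBLED, "ACCEPT")):
            print(f"perimeter={name:8} ssh from {src:18} -> "
                  f"{end_to_end(chain, pol, 'tcp', 22, src)}")
```

With the perimeter intact the outside SSH attempt never reaches the host; with the perimeter passing everything, the host's own rule still drops it, while the inside host keeps working in both cases. Other ports are untouched by this one rule, which is the point of keeping it narrow.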
