Common operational misconceptions

Ridwan Sami rms2176 at columbia.edu
Thu Feb 16 20:35:03 CST 2012


End user devices will not benefit from end-to-end connectivity (e.g.,
globally routeable IPv4 addresses as opposed to being in an RFC1918
space behind NAT).

If I have a wildcard DNS record, *.example.edu AAAA 2001:db8::5, then  
adding in an explicit record, x.example.edu AAAA 2001:db8::5, will  
make no visible difference.

There is no legitimate reason for a user to use BitTorrent (someone  
will probably disagree with this).

Our organization is not running out of IPv4 addresses so we don't need
IPv6. (Similarly: Our organization is running out of IPv4 addresses so
that's why we need IPv6.)

I can't use IPv6 because I still need to serve IPv4 clients.

Any IP that starts with 192 is a private IP and any IP that starts
with 169 is self-assigned.

Authentication by client IP address alone is sufficient.

Long passwords requiring letters, numbers, and symbols with a  
no-repeat policy and a 90-day maximum password age are very secure.

+1 for "We should drop all ICMP(v6) traffic." (Related: "I can't ping  
the box so it must be down.")

+1 for "NAT is security".

Regarding "DNS only uses UDP", I give out a technical test during  
interviews and one of the questions is basically "Use iptables to  
block incoming DNS traffic" and all applicants so far have only  
blocked UDP port 53.
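As an added illustration of the "starts with 192 / starts with 169" item above (example code, not part of Ridwan Sami's post), the first-octet shortcut is placed beside an actual prefix check against the RFC 1918 ranges and the RFC 3927 link-local range 169.254.0.0/16; the sample addresses are constructed.

```python
import ipaddress

# RFC 1918 private ranges: only 192.168.0.0/16 begins with 192.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 3927 link-local ("self-assigned"): only 169.254.0.0/16 begins with 169.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def classify(addr: str) -> str:
    """Return 'rfc1918', 'link-local' or 'other' by real prefix membership."""
    ip = ipaddress.IPv4Address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in LINK_LOCAL:
        return "link-local"
    return "other"


def first_octet_rule(addr: str) -> str:
    """The misconception as code: judge the address by its first octet only."""
    first = int(addr.split(".")[0])
    if first == 192:
        return "rfc1918"
    if first == 169:
        return "link-local"
    return "other"


def disagreements(addrs):
    """Addresses where the first-octet shortcut and the prefix check differ."""
    return [a for a in addrs if classify(a) != first_octet_rule(a)]


# Constructed sample addresses (not taken from the post).
SAMPLE = ["192.168.1.10", "192.0.2.1", "169.254.10.5", "169.10.20.30",
          "10.1.2.3", "172.31.255.1", "172.32.0.1", "198.51.100.7"]

if __name__ == "__main__":
    for a in SAMPLE:
        print(f"{a:16} prefix check={classify(a):10} "
              f"first-octet rule={first_octet_rule(a)}")
    print("shortcut is wrong for:", disagreements(SAMPLE))
```

The shortcut misses 10/8 and 172.16/12 entirely and wrongly flags 192.0.2.1 and 169.10.20.30, which is why filters and allow-lists should match on prefixes, not leading digits.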



More information about the NANOG mailing list