Common operational misconceptions
rms2176 at columbia.edu
Thu Feb 16 20:35:03 CST 2012
End user devices will not benefit from end-to-end connectivity (e.g.,
globally routeable IPv4 addresses as opposed to being in a RFC1918
space behind NAT).
If I have a wildcard DNS record, *.example.edu AAAA 2001:db8::5, then
adding in an explicit record, x.example.edu AAAA 2001:db8::5, will
make no visible difference.
There is no legitimate reason for a user to use BitTorrent (someone
will probably disagree with this).
Our organization is not running out of IPv4 addresses so we don't need
IPv6. (Similarly: Our orginization is running out of IPv4 addresses so
that's why we need IPv6.)
I can't use IPv6 because I still need to serve IPv4 clients.
Any IP that starts with 192 is a private IP and any IP that starts
with 169 is a self-assigned.
Authentication by client IP address alone is sufficient.
Long passwords requiring letters, numbers, and symbols with a
no-repeat policy and a 90-day maximum password age are very secure.
+1 for "We should drop all ICMP(v6) traffic." (Related: "I can't ping
the box so it must be down.")
+1 for "NAT is security".
Regarding "DNS only uses UDP", I give out a technical test during
interviews and one of the questions is basically "Use iptables to
block incoming DNS traffic" and all applicants so far have only
blocked UDP port 53.
More information about the NANOG