misunderstanding scale

Timothy Morizot tmorizot at gmail.com
Mon Mar 24 12:56:13 UTC 2014


On Mon, Mar 24, 2014 at 1:38 AM, Mark Tinka <mark.tinka at seacom.mu> wrote:

> On Sunday, March 23, 2014 09:35:31 PM Denis Fondras wrote:
> > When speaking of IPv6 deployment, I routinely hear about
> > host security. I feel like it should be stated that this
> > is *in no way* an IPv6 issue. May the device be ULA,
> > LLA, GUA or RFC1918-addressed, the device is at risk
> > anyway.
> >
> > If this is the only argument for delaying IPv6
> > deployment, this sounds more like FUD to me ;-)
>
> I guess it's no surprise that host security is not an IPv4
> or IPv6 issue.
>
> It's just that with IPv4, the majority of unclean and
> unupdated hosts have been living behind NAT44.
>
> In an ideal IPv6 world, all hosts have GUA's, and in this
> case, host security becomes a bigger problem, because now
> the host is directly accessible without a NAT66 in between
> (we hope).
>
>
NAT traversal is and has long been fairly trivial. NAT and RFC1918 provide
no meaningful host protection whatsoever and never have. The only thing that
limits direct access to internal networks is a stateful firewall. (Well,
IPS can also drop packets.) That's true for IPv4 and for IPv6. So an
enterprise relying on NAT44 and RFC1918 for internal host protection instead
of a stateful firewall already has no meaningful security in place. There's
no way for IPv6 to make things any worse other than puncturing the delusion
under which they are currently operating.

Scott
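As an added illustration that is not part of the thread: the stateful firewall the reply refers to, written as an nftables ruleset for a dual-stack gateway whose LAN hosts carry IPv6 GUAs and no NAT66. The forward chain's `ct state` line is what stops unsolicited inbound connections for v4 and v6 alike; the IPv4 masquerade at the end is included only to show that address sharing is separate from that filtering. Interface names `wan0`/`lan0` and the DHCPv6 line are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumed interfaces: wan0 (upstream), lan0 (inside).
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # ICMPv6 is not optional on IPv6: neighbour discovery and PMTUD depend on it.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-router-solicit,
                      nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        icmp type { destination-unreachable, time-exceeded, parameter-problem,
                    echo-request } accept
        # DHCPv6 on the inside interface only (assumption: the gateway serves/relays it).
        iif "lan0" udp dport { 546, 547 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to connections the LAN initiated, regardless of address family.
        ct state established,related accept
        ct state invalid drop
        # ICMPv6 errors and packet-too-big must still reach the internal GUA hosts.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem } accept
        # LAN may initiate outbound; anything unsolicited from wan0 hits the drop policy.
        iif "lan0" oif "wan0" accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

# IPv4 address sharing. It contributes nothing to the filtering above; removing it
# (as with IPv6 GUAs) leaves the hosts exactly as protected as the forward chain makes them.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oif "wan0" masquerade
    }
}
```

Load with `nft -f` on a host with the nf_tables kernel modules; `nft list ruleset` shows the active rules.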


More information about the NANOG mailing list