misunderstanding scale
Alexander Lopez
alex.lopez at opsys.com
Tue Mar 25 05:25:31 UTC 2014
> -----Original Message-----
> From: Naslund, Steve [mailto:SNaslund at medline.com]
> Sent: Monday, March 24, 2014 10:48 PM
> To: Owen DeLong; mark.tinka at seacom.mu
> Cc: nanog at nanog.org
> Subject: RE: misunderstanding scale
>
> Look at it this way. If I see an attack coming from behind your NAT, I'm gonna
> deny all traffic coming from your NAT block until you assure me you have it
> fixed because I have no way of knowing which host it is coming from. Now
> your whole network is unreachable. If you have a compromised GUA host I
> can block only him. Better for both of us, no?
That is assuming that the infected piece does not request another address in the /64, and that the person blocking at the target end blocks a /128 instead of the /64.
>
> How about a single host spamming behind your NAT blocking your entire
> corporate public network from email services? Anyone ever see that one.
> Ipv6 GUAs allow us to use fly swatters instead of sledgehammers to deal
> with that.
I don't want to try to even think about SMTP on IPv6. Reputation of email servers, as well as the whole thought process of spam control, relies on a list of IP addresses.
IPv6 adds an entirely new aspect to it.
>
> Maybe GUAs will convince (scare) more enterprise users to actually treat the
> internal network as an environment that needs to be secured as well. We
> can only hope.
>
Most enterprise admins segment their BYOD (wifi) network from the production network. Some will even use a different WAN IP for the wifi network or, at a minimum, block outbound requests to well-known service ports.
I generally see where the only outbound connections allowed are http and https. All other ports are blocked.
> Steven Naslund
>
>
> >>Bzzzt... But thanks for playing.
>
> >>An IPv6 host with a GUA behind a stateful firewall with default deny is
> every bit as secure as an IPv4 host with an RFC-1918 address behind a NAT44
> gateway.
I can't argue there.....
>
> >>Owen
>
>
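The two points above, that a /128 block at the target end misses a host that simply takes another interface identifier in the same /64, and that IP-keyed reputation lists need rethinking for IPv6, can be shown with a small blocklist and reputation model keyed on the /64 rather than the /128. This is an added example, not code from the thread or from any product the posters run; the addresses, the event threshold, and the /64 aggregation policy are constructed assumptions. It also shows the cost the thread alludes to: the /64 block takes out other hosts on that segment too.

```python
"""Block/reputation list keyed on the IPv6 /64 instead of the /128.

Added illustration (not from the original NANOG thread). The sample
addresses, the per-prefix event threshold and the choice of /64 as the
aggregation unit are constructed assumptions for the example.
"""
import ipaddress
from collections import Counter

# Assumption: hosts on a LAN segment get addresses out of one /64
# (SLAAC or DHCPv6), so an attacker can pick a fresh interface identifier
# within it at will.
DEFAULT_PREFIXLEN = 64


def aggregate(addr, prefixlen=DEFAULT_PREFIXLEN):
    """Return the enclosing network of `addr` at `prefixlen` bits.

    IPv4 addresses are returned as host routes; collapsing a whole NAT
    block would be the caller's decision.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    return ipaddress.ip_network(f"{ip}/32", strict=False)


class Blocklist:
    """Deny list that stores aggregates, not individual addresses."""

    def __init__(self, prefixlen=DEFAULT_PREFIXLEN):
        self.prefixlen = prefixlen
        self.entries = set()

    def block(self, addr):
        self.entries.add(aggregate(addr, self.prefixlen))

    def is_blocked(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.entries)


class Reputation:
    """Counts bad events per aggregate; `threshold` events gets it listed."""

    def __init__(self, prefixlen=DEFAULT_PREFIXLEN, threshold=3):
        self.prefixlen = prefixlen
        self.threshold = threshold
        self.counts = Counter()

    def report(self, addr):
        self.counts[aggregate(addr, self.prefixlen)] += 1

    def is_listed(self, addr):
        return self.counts[aggregate(addr, self.prefixlen)] >= self.threshold


# Constructed sample traffic: one compromised host rotating its interface
# identifier inside 2001:db8:1:2::/64, plus neighbours for comparison.
ATTACK_SOURCES = [
    "2001:db8:1:2::1",
    "2001:db8:1:2:a1b2:c3d4:e5f6:1",
    "2001:db8:1:2:dead:beef:cafe:2",
]
SAME_LAN_NEIGHBOUR = "2001:db8:1:2::99"   # innocent host, same /64
OTHER_LAN_NEIGHBOUR = "2001:db8:1:3::10"  # innocent host, different /64


def compare_block_granularity():
    """Block the first attacking address at /128 and at /64, then see what
    each policy does to the rotated address and to the neighbours."""
    host_bl = Blocklist(prefixlen=128)
    host_bl.block(ATTACK_SOURCES[0])
    prefix_bl = Blocklist(prefixlen=64)
    prefix_bl.block(ATTACK_SOURCES[0])
    return {
        "host_block_catches_rotated": host_bl.is_blocked(ATTACK_SOURCES[1]),
        "prefix_block_catches_rotated": prefix_bl.is_blocked(ATTACK_SOURCES[1]),
        "prefix_block_hits_same_lan": prefix_bl.is_blocked(SAME_LAN_NEIGHBOUR),
        "prefix_block_spares_other_lan": not prefix_bl.is_blocked(OTHER_LAN_NEIGHBOUR),
    }


def compare_reputation_granularity():
    """Feed the three rotating sources into a per-/128 and a per-/64
    reputation tracker with the same threshold."""
    per_host = Reputation(prefixlen=128, threshold=3)
    per_prefix = Reputation(prefixlen=64, threshold=3)
    for src in ATTACK_SOURCES:
        per_host.report(src)
        per_prefix.report(src)
    return {
        "per_host_lists_attacker": per_host.is_listed(ATTACK_SOURCES[0]),
        "per_prefix_lists_attacker": per_prefix.is_listed(ATTACK_SOURCES[2]),
        "per_prefix_lists_other_lan": per_prefix.is_listed(OTHER_LAN_NEIGHBOUR),
    }


if __name__ == "__main__":
    print(compare_block_granularity())
    print(compare_reputation_granularity())
```

With `/128` granularity the rotated address sails through both the blocklist and the reputation tracker; at `/64` the whole segment is caught, including the innocent host on the same LAN, which is exactly the fly-swatter versus sledgehammer trade-off the thread is arguing about.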