misunderstanding scale

Alexander Lopez alex.lopez at opsys.com
Tue Mar 25 05:25:31 UTC 2014

> -----Original Message-----
> From: Naslund, Steve [mailto:SNaslund at medline.com]
> Sent: Monday, March 24, 2014 10:48 PM
> To: Owen DeLong; mark.tinka at seacom.mu
> Cc: nanog at nanog.org
> Subject: RE: misunderstanding scale
> 
> Look at it this way.  If I see an attack coming from behind your NAT, I'm gonna
> deny all traffic coming from your NAT block until you assure me you have it
> fixed because I have no way of knowing which host it is coming from. Now
> your whole network is unreachable. If you have a compromised GUA host I
> can block only him.  Better for both of us, no?

That is assuming that the infected piece does not request another address in the /64, and that the person blocking at the target end blocks a /128 instead of the /64.

> 
> How about a single host spamming behind your NAT blocking your entire
> corporate public network from email services?  Anyone ever see that one?
> IPv6 GUAs allow us to use fly swatters instead of sledgehammers to deal
> with that.

I don't want to even try to think about SMTP on IPv6. Reputation of email servers, as well as the whole thought process of spam control, relies on lists of IP addresses.

IPv6 adds an entirely new aspect to it.

> 
> Maybe GUAs will convince (scare) more enterprise users to actually treat the
> internal network as an environment that needs to be secured as well.  We
> can only hope.
> 
Most enterprise admins segment their BYOD (wifi) network from the production network. Some will even use a different WAN IP for the wifi network or, at a minimum, block outbound requests to well-known service ports.

I generally see where the only outbound connections allowed are http and https. All other ports are blocked.

> Steven Naslund
> 
> 
> >>Bzzzt... But thanks for playing.
> 
> >>An IPv6 host with a GUA behind a stateful firewall with default deny is
> every bit as secure as an iPv4 host with an RFC-1918 address behind a NAT44
> gateway.

I can't argue there.....


> 
> >>Owen
> 
> 
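The point made above about a /128 block versus a /64 block, and the one about IP-based mail reputation on IPv6, both come down to the same question: what prefix should a blocklist or reputation score be keyed on? Below is an added example, not code from the thread or its participants, that keys IPv6 senders on their /64 (so a host that grabs another address in the same /64 stays blocked) and IPv4 senders on the single public address (the NAT "sledgehammer" case). The prefix lengths, the `Blocklist`/`reputation_keys` names and the sample addresses (drawn from the 2001:db8::/32 and 198.51.100.0/24 documentation ranges) are all constructed for this example.

```python
"""Added example (not from the NANOG thread): choose the prefix a blocklist or
sender-reputation system keys on, for IPv6 GUAs versus IPv4 NAT addresses.

Assumptions (not stated on the page): an IPv6 host lives in a /64 and can pick
any address inside it, so /64 is the unit to block; a single IPv4 address is a
/32, and behind NAT that one /32 is every host on the site.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

V6_BLOCK_PREFIX = 64   # assumed on-link assignment for IPv6 hosts
V4_BLOCK_PREFIX = 32   # one IPv4 address (the whole NAT pool as seen outside)


def block_prefix(addr: str, prefixlen: Optional[int] = None) -> IPNetwork:
    """Return the network an offending source address should be blocked on.

    prefixlen overrides the default so the naive /128 behaviour can be shown.
    """
    ip = ipaddress.ip_address(addr)
    if prefixlen is None:
        prefixlen = V6_BLOCK_PREFIX if ip.version == 6 else V4_BLOCK_PREFIX
    # strict=False zeroes the host bits: 2001:db8:1:2::abcd/64 -> 2001:db8:1:2::/64
    return ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)


class Blocklist:
    """A set of networks; membership is tested per address."""

    def __init__(self, prefix6: int = V6_BLOCK_PREFIX, prefix4: int = V4_BLOCK_PREFIX) -> None:
        self._prefix6 = prefix6
        self._prefix4 = prefix4
        self._nets: Set[IPNetwork] = set()

    def add(self, addr: str) -> IPNetwork:
        ip = ipaddress.ip_address(addr)
        net = block_prefix(addr, self._prefix6 if ip.version == 6 else self._prefix4)
        self._nets.add(net)
        return net

    def is_blocked(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self._nets if net.version == ip.version)


def reputation_keys(senders: List[str]) -> Dict[str, int]:
    """Count observed sends per reputation key (the block prefix).

    Keying on the /64 lumps a spammer that rotates through its /64 into a
    single entry instead of thousands of never-repeating /128s.
    """
    counts: Dict[str, int] = {}
    for s in senders:
        key = str(block_prefix(s))
        counts[key] = counts.get(key, 0) + 1
    return counts


def rotated_host_evades(first: str, second: str, prefix6: int) -> bool:
    """True if a host that moved from `first` to `second` slips past a
    blocklist that keyed on `first` with the given IPv6 prefix length."""
    bl = Blocklist(prefix6=prefix6)
    bl.add(first)
    return not bl.is_blocked(second)


if __name__ == "__main__":
    # Constructed sample: one infected host, two addresses in the same /64.
    a1, a2 = "2001:db8:1:2::abcd", "2001:db8:1:2:1234:5678:9abc:def0"
    print("/128 block misses second address:", rotated_host_evades(a1, a2, 128))
    print("/64 block still catches it:      ", not rotated_host_evades(a1, a2, 64))
    # Constructed sample: spam seen from three addresses in one /64 and one NAT IP.
    print(reputation_keys([a1, a2, "2001:db8:1:2::1", "198.51.100.7"]))
```

The `/128` case is the fly swatter that misses; the `/64` case catches the rotating host but, like the IPv4 NAT case, also takes out every other host sharing that prefix, which is the trade-off the thread is arguing about.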