AWS Elastic IP architecture

Matthew Kaufman matthew at matthew.at
Tue Jun 2 15:08:45 UTC 2015


On 6/1/15 10:12 PM, Mark Andrews wrote:
> In message <556D35DF.8080901 at matthew.at>, Matthew Kaufman writes:
>> On 6/1/2015 6:32 PM, Mark Andrews wrote:
>>> In message <CAL9jLaaQUP1UzoKag3Kuq8a5bMcB2q6Yg=B_=1fFWxRN6K-bNA at mail.gmail.com>
>>>> , Christopher Morrow writes:
>>>> On Mon, Jun 1, 2015 at 9:02 PM, Ca By <cb.list6 at gmail.com> wrote:
>>>>> On Monday, June 1, 2015, Mark Andrews <marka at isc.org> wrote:
>>>>>> In message
>>>>>> <CAL9jLaYXCdfViHbUPx-=rs4vSx5mFECpfuE8b7VQ+Au2hCXpMQ at mail.gmail.com>
>>>>>> , Christopher Morrow writes:
>>>>>>> So... I don't really see any of the above arguments for v6 in a vm
>>>>>>> setup to really hold water in the short term at least.  I think for
>>>>>>> sure you'll want v6 for public services 'soon' (arguably like 10 yrs
>>>>>>> ago so you'd get practice and operational experience and ...) but for
>>>>>>> the rest sure it's 'nice', and 'cute', but really not required for
>>>>>>> operations (unless you have v6 only customers)
>>>>>> Everyone has effectively IPv6-only customers today.  IPv6 native +
>>>>>> CGN only works for services.  Similarly DS-Lite and 464XLAT.
>>>> ok, and for the example of 'put my service in the cloud' ... the
>>>> service is still accessible over ipv4 right?
>>> It depends on what you are trying to do.  Having something in the
>>> cloud manage something at home.  You can't reach the home over IPv4
>>> more and more these days.  IPv6 is the escape path for that but
>>> you need both ends to be able to speak IPv6.
>> ...and for firewalls to not exist. Since they do, absolutely all the
>> techniques required to "reach something at home" over IPv4 are required
>> for IPv6. This is on the "great myths of the advantages of IPv6" list.
> For IPv4 you port forward in the NAT possibly doing port translation
> as well as address translation.

Takes about 30 seconds in the web interface of your CPE.

>
> For IPv6 you open the port inbound in the firewall or just move the
> firewalling to the host.

Takes about 30 seconds in the web interface of your CPE.

>
> IPv6 is easier.  With modern machines you really can get rid of the
> firewall in front of the machine.

For the good of the botnet operators, I encourage doing this.

I can't run my laser printer without a firewall in front of it, and I 
can't even guess how secure the controller in the septic system pump box 
might be... so I don't risk it. And I *know* that some of the webcams I 
have are vulnerable and have no updates available.

> Lots of the equipment that
> connects to the home nets spends plenty of time fully exposed to
> the Internet w/o a firewall.

I don't believe that's accurate.

>   If it does that why does it need a
> firewall at home?
>
> There is a myth that you need a firewall at home.

Perpetuated by all the actual cases of poorly designed operating systems 
and embedded systems getting attacked and making the news as a result 
(http://www.insecam.org/ among others)

>
>> IPv6 has exactly one benefit... there's more addresses. It comes with a
>> whole lot of new pain points, and probably a bunch of security nightmare
>> still waiting to be discovered. And it for sure isn't free.
> It also remove a whole lot of complications.  Simplifies the security
> profile.

If you think that the NDP DOS exposure is a "simplification" of 
security, then I'd love to hear more about the benefits of IPv6.

Matthew Kaufman
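The two one-liners quoted above (IPv4: port forward in the NAT, possibly with port translation; IPv6: open the port inbound in the firewall) written out as a single nftables ruleset for a home gateway. This is an added example and is not code from either poster; the interface names wan0/lan0, the hosts 192.168.1.10 and 2001:db8::10, and the ports 2222/22 are placeholders. Both halves sit behind a forward chain whose policy is drop, which is the point of the exchange: in either address family a firewall rule is what makes the host reachable, and in IPv6 the only step that disappears is the address rewrite.

```shell
#!/bin/sh
# Added example (not from either poster): one inbound service exposed two
# ways on a home gateway running nftables.
#   IPv4: DNAT port-forward public :2222 -> 192.168.1.10:22, plus a forward
#         rule that admits only the already-translated flow.
#   IPv6: no NAT; a single forward rule permits :22 to 2001:db8::10.
# Interface names, addresses and ports are placeholders (assumptions).
WAN_IF="${WAN_IF:-wan0}"
LAN_IF="${LAN_IF:-lan0}"
V4_HOST="${V4_HOST:-192.168.1.10}"     # RFC 1918 address behind the NAT
V6_HOST="${V6_HOST:-2001:db8::10}"     # RFC 3849 documentation prefix
PUBLIC_PORT="${PUBLIC_PORT:-2222}"     # port exposed on the IPv4 WAN address
HOST_PORT="${HOST_PORT:-22}"           # port the service listens on

# Print the ruleset; apply on the gateway with: gen_ruleset | nft -f -
gen_ruleset() {
    cat <<EOF
flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # replies to flows the firewall already admitted
        ct state established,related accept
        ct state invalid drop

        # anything from the LAN may go out
        iifname "$LAN_IF" oifname "$WAN_IF" accept

        # IPv4: admit only packets the nat table has already rewritten
        iifname "$WAN_IF" ip daddr $V4_HOST tcp dport $HOST_PORT ct status dnat accept

        # IPv6: no translation step, just the one port opened inbound
        iifname "$WAN_IF" ip6 daddr $V6_HOST tcp dport $HOST_PORT accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # port translation (2222 -> 22) together with address translation
        iifname "$WAN_IF" tcp dport $PUBLIC_PORT dnat to $V4_HOST:$HOST_PORT
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$WAN_IF" masquerade
    }
}
EOF
}

# Number of rules that admit a new inbound flow from the WAN: one per family.
count_inbound_rules() {
    gen_ruleset | grep -cE "iifname \"$WAN_IF\" ip6? daddr"
}
```

`nft -c -f -` on the generated text checks the syntax without loading it. Moving "the firewalling to the host", as the quoted message suggests, is the same `inet filter` table with an `input` chain on the host itself and the IPv6 rule above written against the local address; the default-drop policy is what a defender should keep either way.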
