Redeploying most of 127/8 as unicast public

Måns Nilsson mansaxel at besserwisser.org
Sun Nov 21 19:47:07 UTC 2021


Subject: Re: Redeploying most of 127/8 as unicast public
Date: Sat, Nov 20, 2021 at 10:47:10PM -0500
Quoting Joe Maimon (jmaimon at jmaimon.com):

> layer in front of these classes of devices or that they will be
> deployed|developed with sufficient/equivalent security without that layer is
> not nearly as re-assuring.

The inside/outside paradigm inherent in the reasoning of the "NAT is a good,
big part of my firewall" crowd is woefully inadequate to describe and
counter the threats of today. The techniques to get past uni-reachability
(The NATted client can ask the net, but not in reverse) are many and
advanced. Since there is a somewhat inflated belief of the efficiency
of the unroutability paradigm, once inside, the rules tend to be relaxed.

It might very well be so that the resultant protection level will be better
once you realise you can't trust the net to not deliver packets to you. 

Also, I much prefer writing firewall rules where the IP addresses don't
change in-flight. Less to screw up. 
-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE           SA0XLR            +46 705 989668
Of course, you UNDERSTAND about the PLAIDS in the SPIN CYCLE --
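As an added illustration of the last two paragraphs (a constructed model written for this page, not code from the thread or from any real firewall; the addresses are documentation prefixes and the `StatefulFilter`, `dnat_inbound` and `run_scenarios` names are my own), here is a default-deny filter in which replies are admitted by tracked state and everything else only by an explicit rule, followed by the same policy evaluated behind a NAT rewrite:

```python
# Added example (constructed model, not code from the thread or from any
# real firewall): a stateful, default-deny packet filter whose rules are
# written against the addresses actually seen on the wire, plus a model of
# what happens when a NAT rewrite sits between the rule author and the hook
# that evaluates the rule. Addresses are RFC 5737 documentation prefixes.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    direction: str  # "in" = arriving from the net, "out" = leaving our hosts


@dataclass(frozen=True)
class Rule:
    direction: str
    dst: str        # exact address or "*" for any
    proto: str
    dport: int


FlowKey = Tuple[str, str, str, int, int]


class StatefulFilter:
    """Default deny. A packet is accepted only if it is the reply to a flow
    accepted earlier, or if an explicit rule permits it (which opens a flow)."""

    def __init__(self, rules: Iterable[Rule]) -> None:
        self.rules: List[Rule] = list(rules)
        self.flows: Set[FlowKey] = set()

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.src, p.dst, p.proto, p.sport, p.dport)

    @staticmethod
    def _reply_key(p: Packet) -> FlowKey:
        # Reverse 5-tuple: what the opening packet of this flow looked like.
        return (p.dst, p.src, p.proto, p.dport, p.sport)

    def decide(self, p: Packet) -> str:
        if self._reply_key(p) in self.flows:
            return "accept"  # tracked state, not "unreachability", admits replies
        for r in self.rules:
            if (r.direction == p.direction and r.dst in ("*", p.dst)
                    and r.proto == p.proto and r.dport == p.dport):
                self.flows.add(self._key(p))
                return "accept"
        return "drop"


def dnat_inbound(p: Packet, mapping: Dict[str, str]) -> Packet:
    """Model of destination NAT applied before the filter hook runs:
    the public address in the packet is replaced by the internal one."""
    if p.direction == "in" and p.dst in mapping:
        return Packet(p.src, mapping[p.dst], p.proto, p.sport, p.dport, p.direction)
    return p


# Policy written against on-wire (public) addresses: one published service,
# outbound HTTPS from anything inside, everything else dropped.
POLICY = [
    Rule("in", "203.0.113.10", "tcp", 443),
    Rule("out", "*", "tcp", 443),
]


def run_scenarios() -> Dict[str, str]:
    """Constructed traffic; returns the filter's decision per scenario."""
    fw = StatefulFilter(POLICY)
    out: Dict[str, str] = {}
    # 1. The published service is reachable because a rule says so.
    out["published_https"] = fw.decide(
        Packet("198.51.100.5", "203.0.113.10", "tcp", 51000, 443, "in"))
    # 2. Same host, unpublished port: dropped by policy, not by address hiding.
    out["unpublished_ssh"] = fw.decide(
        Packet("198.51.100.5", "203.0.113.10", "tcp", 51001, 22, "in"))
    # 3. A client goes out; the reply is admitted on tracked state only.
    out["client_out"] = fw.decide(
        Packet("203.0.113.20", "198.51.100.5", "tcp", 40000, 443, "out"))
    out["client_reply"] = fw.decide(
        Packet("198.51.100.5", "203.0.113.20", "tcp", 443, 40000, "in"))
    # 4. Same shape as a reply, but no flow was ever opened for it.
    out["unsolicited"] = fw.decide(
        Packet("198.51.100.5", "203.0.113.20", "tcp", 443, 40001, "in"))
    # 5. Put a DNAT rewrite in front of the same policy. The rule author wrote
    #    "203.0.113.10", but the hook now sees "10.0.0.10": the legitimate
    #    request is dropped until the rule is rewritten in the post-NAT
    #    address space, which is the extra thing there is to get wrong.
    nat = {"203.0.113.10": "10.0.0.10"}
    fw_nat = StatefulFilter(POLICY)
    out["published_https_after_dnat"] = fw_nat.decide(dnat_inbound(
        Packet("198.51.100.5", "203.0.113.10", "tcp", 51002, 443, "in"), nat))
    fw_fixed = StatefulFilter([Rule("in", "10.0.0.10", "tcp", 443)] + POLICY[1:])
    out["published_https_rule_rewritten"] = fw_fixed.decide(dnat_inbound(
        Packet("198.51.100.5", "203.0.113.10", "tcp", 51003, 443, "in"), nat))
    return out


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:32s} {verdict}")
```

The point of scenarios 2 and 4 is that nothing is admitted because it "can't be reached"; every accept is either an explicit rule or a flow the inside opened, so the policy reads the same whether or not the addresses are globally routable. Scenario 5 is the in-flight rewrite: the same rule text means two different things depending on which side of the translation it is evaluated on.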