Mark,

I really did not mean things that way when I used the word "happy". Let's say that I am concerned with it, and that means if anyone can express their views towards being more secure with IPv6, I am sure to consider it. We probably diverge in opinion about exposing MAC addresses as a public address, and that is OK, and maybe it is not a big deal anyway.

Thanks for your views on the issue!

Eduardo



On 8/4/13 6:12 PM, Mark Andrews wrote:
In message <51feb96d.3070...@pacbell.net>, Eduardo Bonsi writes:
Hello Everyone,

I have some questions about IPv6 transition and DNS configuration!

I am preparing to make my transition to a dual stack IPv4, IPv6 and I
have some concerns in regards to the security of the network since IPv6
does not have NAT. My ISP gave me a Global
2602:000:000:000:000:000:000:000/64

Truly, your ISP should be giving you a /48 or as a minimum a /56.
A /64 is a single subnet.  Your ISP will be getting addresses based
on giving customers a /56 or /48.

Range and I can just turn on IPv6 on
the router and set the network to automatic on the computer and I am
connected through what they call a SLAAC IPv6 automatic conf network,
that runs using the machine MAC address, which I am not very happy to
adopt. I well know there is a way to mask the MAC address to random
addresses as a security measure but I am still not happy about it.

And why are you not happy?  Because someone said there was an issue
with it.  Do you understand the reasoning behind the issue and does
it apply to your use of the network?  Because in many cases it doesn't.

Too often I see people complaining that MAC addresses are buried
in IPv6 addresses when in reality it is *not* a security issue for
the use case.

Modern IPv6 stacks use both types of address for different purposes.
Saying one is unhappy is quite often a knee-jerk reaction that
doesn't stand up to rigorous analysis.  This is not to say you haven't
done that analysis but given modern stacks I find complaints like
this just don't stack up.

Besides, there is all the BIND DNS configuration that needs to be routed,
or I am stuck with a slow, broken SLAAC connection that works, but not
to the level of the DNS server that I want to achieve. Therefore, as a
network design after analyzing my options, I have decided to use the
static IPv4, IPv6 deployment approach that uses my IPv6 with the last 3
bits of the IPv4 NAT addresses already in place. This static option does
not expose the machine MAC addresses.

However, the addresses are directly
connected through IPv6, bypassing the NAT environment. On BIND, the only
change I have in the named.conf file is the,

listen-on-v6 { any; };

Therefore, here are my questions:

1. I am open to ideas or anything you think is best in choosing the best
internal network design for IPv6.

Get more address space from your ISP.  Use temporary addresses.

2. Since this static IPv6 deployment lacks the non-rotatable NAT
environment, what are the security measures to take on BIND in regards
to the recursive issues on IPv6?

Same as with IPv4.  Locally connected networks are allowed to
recurse.

3. Are there any other security issues that I should consider?


Many Thanks!

Eduardo

--
Eduardo Bonsi
System - Network Admin
beart...@pacbell.net

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


--
BEARTCOMMUNICATIONS
Eduardo Bonsi
System - Network Admin
beart...@pacbell.net
webmas...@beart.com
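
The thread turns on which IPv6 addresses carry the interface's MAC (SLAAC with a modified EUI-64 interface identifier) and which do not (temporary or static addresses). The following is an added example, not code from either poster or from BIND: it audits a list of a host's own addresses and reports which ones embed a MAC. The sample addresses are constructed and use the 2001:db8::/32 documentation prefix; the function names are hypothetical.

```python
import ipaddress


def _parse(addr):
    # Accept "addr", "addr/len" and "addr%zone" as printed by common tools.
    return ipaddress.IPv6Address(addr.split("/")[0].split("%")[0])


def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None."""
    iid = _parse(addr).packed[8:]          # low 64 bits: interface identifier
    if iid[3:5] != b"\xff\xfe":            # EUI-64 inserts ff:fe mid-MAC
        return None
    # Modified EUI-64 inverts the universal/local bit of the first octet.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def audit(addresses):
    """Classify each address by whether it exposes a MAC, and at what scope."""
    findings = []
    for addr in addresses:
        mac = eui64_mac(addr)
        if mac is None:
            verdict = "no embedded MAC"
        elif _parse(addr).is_link_local:
            verdict = "MAC-derived, link-local only"
        else:
            verdict = "MAC-derived, non-link-local"
        findings.append((addr, mac, verdict))
    return findings


# Constructed sample: one SLAAC EUI-64 address, its link-local twin,
# a static address, and a temporary-style random interface ID.
SAMPLE = [
    "2001:db8::21a:2bff:fe3c:4d5e/64",
    "fe80::21a:2bff:fe3c:4d5e%eth0",
    "2001:db8::53",
    "2001:db8::a1b2:c3d4:e5f6:1789",
]

if __name__ == "__main__":
    for addr, mac, verdict in audit(SAMPLE):
        print(f"{addr:36} {mac or '-':17} {verdict}")
```

The ff:fe test is a heuristic: a randomly generated interface ID can match it by chance, so treat a hit as a prompt to check how the address was configured.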