> -----Original Message-----
> From: Naslund, Steve [mailto:snasl...@medline.com]
> Sent: Monday, March 24, 2014 10:48 PM
> To: Owen DeLong; mark.ti...@seacom.mu
> Cc: nanog@nanog.org
> Subject: RE: misunderstanding scale
>
> Look at it this way. If I see an attack coming from behind your NAT, I'm gonna deny all traffic coming from your NAT block until you assure me you have it fixed, because I have no way of knowing which host it is coming from. Now your whole network is unreachable. If you have a compromised GUA host I can block only him. Better for both of us, no?
That is assuming that the infected piece does not request another address in the /64, and that the person blocking at the target end blocks a /128 instead of the /64.

> How about a single host spamming behind your NAT blocking your entire corporate public network from email services? Anyone ever see that one? IPv6 GUAs allow us to use fly swatters instead of sledgehammers to deal with that.

I don't want to even try to think about SMTP on IPv6. Reputation of email servers, as well as the whole thought process of spam control, relies on a list of IP addresses. IPv6 adds an entirely new aspect to it.

> Maybe GUAs will convince (scare) more enterprise users to actually treat the internal network as an environment that needs to be secured as well. We can only hope.

Most enterprise admins segment their BYOD (wifi) network from the production network. Some will even use a different WAN IP for the wifi network, or at a minimum block outbound requests to well-known service ports. I generally see setups where the only outbound connections allowed are HTTP and HTTPS. All other ports are blocked.

> Steven Naslund
>
> >> Bzzzt... But thanks for playing.
> >>
> >> An IPv6 host with a GUA behind a stateful firewall with default deny is every bit as secure as an IPv4 host with an RFC-1918 address behind a NAT44 gateway.

I can't argue there.....

> >> Owen
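The /128-versus-/64 point above, and the later remark that spam reputation is keyed on IP addresses, come down to the same question: at what granularity do you key a block or a reputation entry for an IPv6 source? The script below is an added example, not code from the thread or from any of its participants. It takes a constructed list of abuse sources (not real data), collapses each IPv6 address to its /64 and each IPv4 address to a /32, and reports which /64s had several distinct host addresses, which is exactly the case where a /128 block would have been sidestepped by the host picking a new interface identifier. The emitted rule lines are in nftables-style syntax and are for illustration only; the prefix length and the sample addresses are assumptions.

```python
"""Added example (not from the NANOG thread): pick a block granularity for
abusive IPv6/IPv4 sources and show where /128 blocks would have missed.

All sample addresses below are constructed (RFC 3849 / RFC 5737 ranges)."""
import ipaddress
from collections import defaultdict

# Constructed sample: three sources in one /64 (one host rotating its
# interface identifier), one lone source in another /64, and an IPv4 NAT
# address that an entire site sits behind.
SAMPLE_SOURCES = [
    "2001:db8:1:2:a1b2:c3d4:e5f6:1",
    "2001:db8:1:2:9f8e:7d6c:5b4a:3920",
    "2001:db8:1:2:12:3456:789a:bcde",
    "2001:db8:ffff:7::10",
    "203.0.113.7",
]


def block_prefix(addr_str, v6_prefixlen=64):
    """Return the network a blocker should deny for one observed source.

    IPv4: a /32 (behind NAT44 the whole site shares it anyway).
    IPv6: the enclosing /64 by default (assumed subnet size), because a host
    can take another address in its /64 at will (temporary addresses, or
    simply a new static one), so a /128 entry is trivially sidestepped.
    """
    addr = ipaddress.ip_address(addr_str)
    if addr.version == 4:
        return ipaddress.ip_network(f"{addr}/32")
    return ipaddress.ip_network(f"{addr}/{v6_prefixlen}", strict=False)


def aggregate(sources, v6_prefixlen=64):
    """Map each block prefix to the set of distinct addresses seen under it."""
    seen = defaultdict(set)
    for src in sources:
        seen[block_prefix(src, v6_prefixlen)].add(ipaddress.ip_address(src))
    return dict(seen)


def rotated_within_prefix(agg):
    """Prefixes under which more than one host address was observed.

    For these, a per-/128 block (or per-/128 reputation entry) would have
    caught only the first address; the rest walked straight past it.
    """
    return {str(net): len(addrs) for net, addrs in agg.items() if len(addrs) > 1}


def render_rules(agg):
    """Emit one nftables-style drop rule per aggregated prefix (syntax
    assumed for illustration; adapt to whatever your edge actually speaks)."""
    rules = []
    for net in sorted(agg, key=lambda n: (n.version, n)):
        family = "ip" if net.version == 4 else "ip6"
        rules.append(f"{family} saddr {net} drop")
    return rules


if __name__ == "__main__":
    agg = aggregate(SAMPLE_SOURCES)
    for net, count in rotated_within_prefix(agg).items():
        print(f"{net}: {count} distinct hosts seen; /128 blocks would have missed {count - 1}")
    print("\n".join(render_rules(agg)))
```

The same `block_prefix` keying works for a reputation store: if the score is attached to the /64 rather than the /128, a spammer rotating through its /64 accumulates one reputation instead of a fresh, clean one per address. The cost is the one the original message worries about: every other host in that /64 shares the consequences, which is a narrower blast radius than an entire NAT block but still not a single host.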