PCI DSS just came up with version 2 in October 2010 and one of the changes was:
"Removed specific references to IP masquerading and use of network address
translation (NAT) technologies and added examples of methods for preventing
private IP address disclosure."
- merike
On Jan 12, 2011, at 1
On 1/12/11 1:03 PM, "Owen DeLong" wrote:
> NATing IPv6 doesn't do anything good. There's no benefit, only cost.
Except for making sure you can switch providers without renumbering, which
can be a significant benefit. (Yes, PI space accomplishes the same thing,
but that's harder to get for most S
--- brandon@brandontek.com wrote:
From: Brandon Kim
To be fair to Cisco and maybe I'm way off here. But it seems they do come out
with a way to do things first which then become a standard that
they have to follow.
ISL/DOT1Q
HSRP/VRRP
etherchannel/LACP
PCI DSS does not require it. It suggests it. It allows you to do other things
which show equivalent security.
Also, the PCI DSS requirements for NAT are not on the web server, they
are on the back-end processing machine which should NOT be the same
machine that is talking to the customers. (I beli
On Jan 13, 2011, at 12:02 AM, Justin Scott wrote:
> The PCI-DSS comes to mind for those who deal with credit card transactions.
Luckily, there are ways to 'comply' with the PCI-DSS security theater regime
without placing the availability and overall security of one's public-facing
servers at
On Jan 12, 2011 7:50 PM, "Richard Barnes" wrote:
>
> Hi all,
>
> What IPv6 prefix lengths are people accepting in BGP from
> peers/customers? My employer just got a /48 allocation from ARIN, and
> we're trying to figure out how to support multiple end sites out of
> this (probably around 10). I
Unfortunately there are some sets of requirements which require this
type of configuration. The PCI-DSS comes to mind for those who deal
with credit card transactions.
-Justin
On Wednesday, January 12, 2011, Dobbins, Roland wrote:
>
> On Mar 21, 2007, at 5:41 AM, Tarig Ahmed wrote:
>
>> Securit
On Mar 21, 2007, at 5:41 AM, Tarig Ahmed wrote:
> Security guy told me it is not correct to assign public ip to a server, it
> should have private ip for security reasons.
He's wrong.
> Is it true that NAT can provide more security?
No, it makes things worse from an availability perspective. S
Hi,
On Wed, 12 Jan 2011 22:49:15 -0500
Richard Barnes wrote:
> Hi all,
>
> What IPv6 prefix lengths are people accepting in BGP from
> peers/customers? My employer just got a /48 allocation from ARIN, and
> we're trying to figure out how to support multiple end sites out of
> this (probably ar
If you have to route them separately, your best bet is to go back to ARIN
under the Multiple Discrete Networks policy and get a block of /48s.
Tastes great, fewer problems.
Owen
On Jan 12, 2011, at 7:49 PM, Richard Barnes wrote:
> Hi all,
>
> What IPv6 prefix lengths are people accepting in BG
On 12/01/11 4:28 PM, Jeroen van Aart wrote:
George Bonser wrote:
Awesome. It's good to know that there are still operations like that
around. That is probably found more often in local providers and not
so often in the big operations. The more community oriented
providers would be much mor
If you are going to have each site connected separately to the outside world,
you will want a /48 for each site.
If you are going to aggregate them internally, you can use whatever you want,
although you should be able to get a /48 for each site anyway.
You don't want to announce anything long
In message <4d2e776f.2080...@kenweb.org>, ML writes:
> On 1/12/2011 10:49 PM, Richard Barnes wrote:
> > Hi all,
> >
> > What IPv6 prefix lengths are people accepting in BGP from
> > peers/customers? My employer just got a /48 allocation from ARIN, and
> > we're trying to figure out how to support
On 1/12/2011 10:49 PM, Richard Barnes wrote:
Hi all,
What IPv6 prefix lengths are people accepting in BGP from
peers/customers? My employer just got a /48 allocation from ARIN, and
we're trying to figure out how to support multiple end sites out of
this (probably around 10). I was thinking abo
Hi all,
What IPv6 prefix lengths are people accepting in BGP from
peers/customers? My employer just got a /48 allocation from ARIN, and
we're trying to figure out how to support multiple end sites out of
this (probably around 10). I was thinking about assigning a /56 per
site, but looking at the
On Jan 12, 2011, at 7:23 PM, David Barak wrote:
> I hesitate to venture into this thread, but while Owen is correct in the general
> case ("NAT qua NAT provides no more security than a stateful firewall"), there
> is a corner case in which security is improved via NAT. The case is that o
I hesitate to venture into this thread, but while Owen is correct in the general
case ("NAT qua NAT provides no more security than a stateful firewall"), there
is a corner case in which security is improved via NAT. The case is that of an
enterprise network which uses 1918 addressing for all i
Hello all,
I am having a very unusual problem with the CSM. This is
what my problem is. I have my active CSM setup for a Fault Tolerance
group with a priority of 100 and an alternate of 30 and set to preempt.
Now for some reason I cannot get the standby configure to get the
config
On Jan 12, 2011, at 6:13 PM, William Herrin wrote:
> On Wed, Jan 12, 2011 at 12:16 PM, wrote:
>> On Wed, 12 Jan 2011 12:04:01 EST, William Herrin said:
>>> In a client (rather than server) scenario, the picture is different.
>>> Depending on the specific "NAT" technology in use, the firewall ma
In message , William Herrin writes:
> On Wed, Jan 12, 2011 at 12:16 PM, wrote:
> > On Wed, 12 Jan 2011 12:04:01 EST, William Herrin said:
> >> In a client (rather than server) scenario, the picture is different.
> >> Depending on the specific "NAT" technology in use, the firewall may be
> >> i
On Wed, Jan 12, 2011 at 12:16 PM, wrote:
> On Wed, 12 Jan 2011 12:04:01 EST, William Herrin said:
>> In a client (rather than server) scenario, the picture is different.
>> Depending on the specific "NAT" technology in use, the firewall may be
>> incapable of selecting a target for unsolicited co
What Joe Said.
Static with 1918 space. If they NEED global space, explain 1918
space will work and tell them to use it.
-jim
On Wed, Jan 12, 2011 at 9:02 PM, Joe Hamelin wrote:
>>> There are two companies, Company A and Company B, that are planning to
>>> continuously exchange a large amount
On Wed, Jan 12, 2011, Jon Lewis wrote:
> >Unless you'd like to ensure the sensitive traffic doesn't cross an
> >"unsafer" default route path if the XC is down.
>
> BGP would have that same issue since B is default routing to their
> provider.
>
> [config for B]
> ip route
> ip route null0 2
On 1/12/2011 3:24 PM, Jeroen van Aart wrote:
>
> What is considered normal with regards to access to your co-located
> server(s)? Especially when you're just co-locating one or a few servers.
Depends on how much you are paying really. If you decide to go with
this provider, get dual power suppli
On 01/12/2011 06:57 PM, Justin Scott wrote:
>> I was thinking that it was great just to find someone these days
>> that would accept a one-off server and that should be enough to
>> be thankful for!
>
> Especially true with providers like SoftLayer which can turn up a
> fully dedicated server to s
>> There are two companies, Company A and Company B, that are planning to
>> continuously exchange a large amount of sensitive data and are located in a
>> mutual datacenter. They decide to order a cross connect and peer privately
>> for the obvious reasons.
Second NIC on a secure server at "A" wi
On Thu, 13 Jan 2011, Adrian Chadd wrote:
On Wed, Jan 12, 2011, Jon Lewis wrote:
On Wed, 12 Jan 2011, Jared Mauch wrote:
I suggest using one of the reserved/private BGP asns for this purpose.
ASNumber: 64512 - 65535
It sounds to me like Company B isn't doing BGP (probably has no exper
> I was thinking that it was great just to find someone these days
> that would accept a one-off server and that should be enough to
> be thankful for!
Especially true with providers like SoftLayer which can turn up a
fully dedicated server to spec at any of several locations within a
few hours.
On Wed, Jan 12, 2011 at 07:13:53PM -0500, Lars Carter wrote:
[snip]
> There are two companies, Company A and Company B, that are planning to
> continuously exchange a large amount of sensitive data and are located in a
> mutual datacenter. They decide to order a cross connect and peer privately
> f
On Wed, Jan 12, 2011 at 07:13:53PM -0500, Lars Carter wrote:
> From a technical, operational, and security standpoint what would be the
> preferred way to route traffic between these two networks?
Static routing - at least "on" the direct link. For extra "security", you
might want to make sure th
Since it sounds like there is no alternate path, it sounds like the most
secure, simplest to operate would be static routes. It's not sexy, but no need
to toss in a routing protocol if it's such a static setup.
--Original Message--
From: Lars Carter
To: NANOG@NANOG.org
Subject: Routing
George Bonser wrote:
Awesome. It's good to know that there are still operations like that around.
That is probably found more often in local providers and not so often in the
big operations. The more community oriented providers would be much more
accepting of such a situation than a large
On Wed, Jan 12, 2011, Jon Lewis wrote:
> On Wed, 12 Jan 2011, Jared Mauch wrote:
>
> >I suggest using one of the reserved/private BGP asns for this purpose.
> >
> >ASNumber: 64512 - 65535
>
> It sounds to me like Company B isn't doing BGP (probably has no experience
> with it) and if there
On 1/12/2011 4:13 PM, Lars Carter wrote:
Hi NANOG list,
I have a simple, hypothetical question regarding preferred connectivity
methods for you guys that I would like to get the hive mind opinion about.
There are two companies, Company A and Company B, that are planning to
continuously exchan
On Wed, 12 Jan 2011, Jared Mauch wrote:
I suggest using one of the reserved/private BGP asns for this purpose.
ASNumber: 64512 - 65535
It sounds to me like Company B isn't doing BGP (probably has no experience
with it) and if there's only a single prefix per side of the cross
connect,
On Jan 12, 2011, at 7:13 PM, Lars Carter wrote:
> Hi NANOG list,
>
> I have a simple, hypothetical question regarding preferred connectivity
> methods for you guys that I would like to get the hive mind opinion about.
>
>
> There are two companies, Company A and Company B ... [ trimmed, but th
Hi NANOG list,
I have a simple, hypothetical question regarding preferred connectivity
methods for you guys that I would like to get the hive mind opinion about.
There are two companies, Company A and Company B, that are planning to
continuously exchange a large amount of sensitive data and are
> From: Kevin Stange
> You're talking about a dedicated server business versus colocation.
> Colocation can be a better solution if you have special needs for
> hardware or want to not pay for the extra overhead that needs to be
> built-in for supporting dedicated hardware (like stocking replacem
Hi,
I am looking for the Enterprise (24x7) technical support contact# for British
Telecom (BT), services provided in USA.
Thanks & Regards,
Natarajan Balasubramanian
Kevin Stange wrote:
I guess what you're saying holds true if the facility doesn't already
offer /anyone/ this access regardless of how much equipment and space
they have.
They offer 24/7 access to 1/3 racks or more.
The price is not that low, $100/month for 1*1U and 1 IP. I'd say that's
not a
If it were cheap and I needed a secondary site for backups and DR then I
would live with that. Otherwise no.
--
Justin Wilson
Aol & Yahoo IM: j2sw
http://www.mtin.net/blog xISP News
http://www.twitter.com/j2sw Follow me on Twitter
Wisp Consulting Tower Climbing Network Support
On 01/12/2011 03:50 PM, George Bonser wrote:
> I would say even that hosting other people's hardware on a "one off"
> basis isn't even really cost effective. Better, in my opinion, for the
> service provider to simply buy a rack from Rackable or another vendor
> and rent the servers out to people.
On 01/12/2011 03:44 PM, david raistrick wrote:
> On Wed, 12 Jan 2011, Jeroen van Aart wrote:
>
>> I guess knowing who entered the building by means of a keycard and
>> having cameras isn't considered enough to deter potential "evil
>> doers". I know it's not enough for places like equinix, but tha
On 1/12/2011 12:24, Jeroen van Aart wrote:
> Cruzio in Santa Cruz recently opened a little co-location facility. That
> makes two of such facilities in Santa Cruz (the other being got.net),
> which could be a good thing for competition.
>
> Their 1U offer comes with limited access to your server,
> From: david raistrick
> Sent: Wednesday, January 12, 2011 1:44 PM
> To: Jeroen van Aart
> Cc: NANOG list
> Subject: Re: co-location and access to your server
>
> On Wed, 12 Jan 2011, Jeroen van Aart wrote:
>
> > I guess knowing who entered the building by means of a keycard and having
> >
On Wed, 12 Jan 2011, Jeroen van Aart wrote:
I guess knowing who entered the building by means of a keycard and having
cameras isn't considered enough to deter potential "evil doers". I know it's
not enough for places like equinix, but that's of a different caliber.
Paying for 1u of colo justi
todd glassey wrote:
On 1/12/2011 12:28 PM, Matt Kelly wrote:
When you are talking single or partial rack colo it is generally done
policy. The ISP's limited access policy has to do with their overhead
models and that's all there is to that.
Sorry to bring daylight into this but it is what
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Wed, Jan 12, 2011 at 1:16 PM, wrote:
> On Wed, 12 Jan 2011 15:13:43 EST, Scott Helms said:
>> Few home users have a stateful firewall configured
>
> What percent of home users are running a Windows older than XP SP2?
>
I don't have stats per spe
On Jan 12, 2011, at 1:05 PM, Scott Helms wrote:
>
>>
>> That's simply not true. Every end user running NAT is running a stateful
>> firewall with a default inbound deny.
>
> Really? I just tested this with 8 different router models from 5 different
> manufacturers and in all cases the defau
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Wed, Jan 12, 2011 at 1:18 PM, wrote:
> On Wed, 12 Jan 2011 11:21:24 PST, Paul Ferguson said:
>
>> Try this at home, with/without NAT:
>>
>> 1. Buy a new PC with Windows installed
>> 2. Install all security patches needed since the OS was installe
On Wed, 12 Jan 2011 11:10:03 -0800
Randy Bush wrote:
> > the first global-scale trial of IPv6, the long-anticipated upgrade to
> > the Internet's main communications protocol known as IPv4.
>
> this phrasing is both amusing and deeply sad. amusing because many folk
> have been running ipv6 glob
On Wed, 12 Jan 2011 16:05:42 EST, Scott Helms said:
> > That's simply not true. Every end user running NAT is running a stateful
> > firewall with a default inbound deny.
> Really? I just tested this with 8 different router models from 5
> different manufacturers and in all cases the default be
On Wed, 12 Jan 2011 11:21:24 PST, Paul Ferguson said:
> Try this at home, with/without NAT:
>
> 1. Buy a new PC with Windows installed
> 2. Install all security patches needed since the OS was installed
>
> Without NAT, your unpatched PC will get infected in less than 1 minute.
What release o
On 1/12/2011 3:05 PM, Scott Helms wrote:
If someone knows of a model that does block incoming (non-established
TCP) traffic by default I'd like to know about it. That's especially
true of combo DSL modem routers.
I believe Visionnet's v6 dsl modem does, as well as comtrends.
Jack
On Wed, 12 Jan 2011 15:13:43 EST, Scott Helms said:
> Few home users have a stateful firewall configured
What percent of home users are running a Windows older than XP SP2?
That's simply not true. Every end user running NAT is running a stateful
firewall with a default inbound deny.
Really? I just tested this with 8 different router models from 5
different manufacturers and in all cases the default behavior was the
same. Put a public IP on a PC behind the r
Thanks, folks, I got the contact I needed and the ball is rolling.
George
> -Original Message-
> From: George Bonser [mailto:gbon...@seven.com]
> Sent: Wednesday, January 12, 2011 12:32 PM
> To: nanog@nanog.org
> Subject: TeliaSonera US contact?
>
> Does anyone have a (preferably sales
On 1/12/2011 2:57 PM, Owen DeLong wrote:
>> Try this at home, with/without NAT:
>>
>> 1. Buy a new PC with Windows installed
>> 2. Install all security patches needed since the OS was installed
>>
>> Without NAT, your unpatched PC will get infected in less than 1 minute.
> Wrong.
> Repeat the exp
On 1/12/2011 12:28 PM, Matt Kelly wrote:
When you are talking single or partial rack colo it is generally done as
escorted only, due to security. They can't have anyone coming in and poking
around other customers' hardware without being watched. We do the same thing
but we allow 24x7 escorted
Miquel,
Almost no home users have an IPv6 connection currently and the ones
that do are the extreme outliers. IPv6 gear (depending on the
deployment method) will hopefully handle this well, but no I haven't
seen any that did a default drop all. In truth most of the CPE I've
seen don't e
On Wed, 12 Jan 2011, Chris Adams wrote:
Yes, they do. NAT requires a stateful firewall. Why is that so hard to
understand?
Um. No. NAT requires stateful inspection (because NAT needs to maintain
a state table), but does not require a stateful firewall. You can (and
many CPE appliances d
On Jan 12, 2011, at 12:13 PM, Scott Helms wrote:
> Few home users have a stateful firewall configured and AFAIK none of the
> consumer models come with a good default set of rules much less a drop all
> unknown. For end users NAT is and will likely continue to be the most
> significant and
On Wed, 12 Jan 2011, Jeroen van Aart wrote:
What is considered normal with regards to access to your co-located
server(s)? Especially when you're just co-locating one or a few servers.
For less than 1 rack, or specialty racks with lockable sections (1/2 or
1/3 or 1/4 racks with their own door
No it really doesn't. Thank you for leaving the key word when you
quoted me (configured). The difference is the _default_ behavior of the
two. NAT by _default_ drops packets it doesn't have a mapped PAT
translation for. Home firewalls do not _default_ to dropping all
packets they don't have
If you're co-locating with us, you have access to your equipment 24x7.
And we are also staffed 24x7 in the event you can't get to our location for
whatever reason...(vacation etc...)
Colo's have their own rules I suppose, did you know about this before hosting
with them?
> Date: Wed, 12 Jan
George,
Try Stephen Brown, stephen.br...@teliasonera.com . He is based in
Virginia and has always been very good about telephone contact.
Jeff
On Wed, Jan 12, 2011 at 3:32 PM, George Bonser wrote:
> Does anyone have a (preferably sales) contact with TeliaSonera in the
> US? I have been trying
In article ,
Scott Helms wrote:
>Few home users have a stateful firewall configured and AFAIK none of the
>consumer models come with a good default set of rules much less a drop
>all unknown.
The v6 capable CPEs for home users I've seen so far all include
stateful firewalling with inbound defa
On 1/12/2011 2:13 PM, Scott Helms wrote:
Until someone makes an effort to create either a DMZ entry or starts
doing port forwarding all (AFAIK) of the common routers will drop
packets that they don't know where to forward them.
This can be easily implemented in stateful firewalls for home rou
> What is considered normal with regards to access to your co-located
> server(s)? Especially when you're just co-locating one or a few servers.
Normally you need an escort so you don't go fiddling with other
people's hardware. Our provider has a callout fee if we want to get in
at nights or weeke
Does anyone have a (preferably sales) contact with TeliaSonera in the
US? I have been trying to get someone to speak to me about a product of
theirs (have exchanged email but can't get them on the phone). It might
be the time difference with Europe making things difficult so I am
wondering if some
Once upon a time, Scott Helms said:
> Few home users have a stateful firewall configured
Yes, they do. NAT requires a stateful firewall. Why is that so hard to
understand?
--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's
The answer, as always, is "how much do you want to pay?" There are lots of
cheap places that make it a hassle for you to get in so you use their remote
hands, or just let you in on their terms so they don't have to keep the
place open at night.
-Jack Carrozzo
On Wed, Jan 12, 2011 at 3:24 PM, Jero
When you are talking single or partial rack colo it is generally done as
escorted only, due to security. They can't have anyone coming in and poking
around other customers' hardware without being watched. We do the same thing
but we allow 24x7 escorted access. Half and full racks get 24x7 acce
24x7x365
On Wed, Jan 12, 2011 at 12:24 PM, Jeroen van Aart wrote:
> Cruzio in Santa Cruz recently opened a little co-location facility. That
> makes two of such facilities in Santa Cruz (the other being got.net),
> which could be a good thing for competition.
>
> Their 1U offer comes with limi
Cruzio in Santa Cruz recently opened a little co-location facility. That
makes two of such facilities in Santa Cruz (the other being got.net),
which could be a good thing for competition.
Their 1U offer comes with limited access to your server, only from 10AM
to 6 PM. I find that not acceptabl
On 1/12/2011 1:35 PM, Owen DeLong wrote:
The corp IT guy is delusional. The solution to the routing disconnect
is map+encap or tunnels. Many exploits now take advantage of these
technologies to use a system compromised through point-click-pwn3d to
provide a route into the rest of the network. If
On Wednesday, January 12, 2011 at 11:41 -0800, JC Dill wrote:
> Randy,
>
> If you want to cite list policy, let's start by noting that it's a clear
> violation of the nanog list AUP to setup an autoresponder reply to list
> email[1], no matter if the autoresponder replies to the list or just to
Matthew Kaufman wrote:
Have you considered simply asking them?
Sadly the person I contacted with regards to some colocation business
wasn't able to answer the simplest of questions (i.e. from which netblock
do they assign IPs). Or at least the question was met with silence (he
may still be re
Few home users have a stateful firewall configured and AFAIK none of the
consumer models come with a good default set of rules much less a drop
all unknown. For end users NAT is and will likely continue to be the
most significant and effective front line security they have. Home
router man
On 1/12/11 11:10 AM, Randy Bush wrote:
the first global-scale trial of IPv6, the long-anticipated upgrade to
the Internet's main communications protocol known as IPv4.
this phrasing is both amusing and deeply sad. amusing because many folk
have been running ipv6 globally for over a decade. de
On Jan 12, 2011, at 11:21 AM, Paul Ferguson wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On Wed, Jan 12, 2011 at 11:09 AM, Owen DeLong wrote:
>
>> No, NAT doesn't provide additional security. The stateful inspection that
>> NAT cannot operate without provides the security. Take
On 12/01/11 11:05 AM, Randy Bush wrote:
Well, here it is. Perhaps you might consider getting a gmail or other
account, and posting on NANOG from there. Either that, or filter Randy
out. Personally, I find those silly disclaimers annoying, but am far too
lazy to set up a script such as Randy has.
On Jan 12, 2011, at 9:36 AM, Jack Bates wrote:
> On 1/12/2011 11:21 AM, George Bonser wrote:
>> PAT makes little sense to me for v6, but I suspect you are correct. In
>> addition, we are putting the "fire suit" on each host in addition to the
>> firewall. Kernel firewall rules on each host for t
> There is at least one situation where NAT *does* provide a small amount of
> necessary security.
>
> Try this at home, with/without NAT:
>
> 1. Buy a new PC with Windows installed
> 2. Install all security patches needed since the OS was installed
>
> Without NAT, your unpatched PC will get infe
On Wed, Mar 21, 2007 at 2:41 AM, Tarig Ahmed wrote:
> We have a wide range of Public IP addresses, I tried to assign public ip
> directly to a server behind firewall (in DMZ), but I have been resisted.
> Security guy told me it is not correct to assign public ip to a server, it
> should have private i
On Jan 12, 2011, at 9:34 AM, Ted Fischer wrote:
> At 11:59 AM 1/12/2011, Jim postulated wrote:
>
>> On 01/11/2011 01:31 PM, Owen DeLong wrote:
>> > It's not about the number of devices. That's IPv4-think. It's about the number
>> > of segments. I see a world where each home-entertainment c
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Wed, Jan 12, 2011 at 11:09 AM, Owen DeLong wrote:
> No, NAT doesn't provide additional security. The stateful inspection that
> NAT cannot operate without provides the security. Take away the
> address mangling and the stateful inspection still pr
On Jan 12, 2011, at 9:04 AM, William Herrin wrote:
> On Wed, Mar 21, 2007 at 5:41 AM, Tarig Ahmed wrote:
>> We have a wide range of Public IP addresses, I tried to assign public ip
>> directly to a server behind firewall (in DMZ), but I have been resisted.
>> Security guy told me it is not correct t
On Jan 12, 2011, at 9:07 AM, Jack Bates wrote:
>
>
> On 1/12/2011 11:01 AM, George Bonser wrote:
>> NAT66 is just
>> straight static NAT that maps one prefix to a different prefix.
>>
>
> I'd eat a hat if a vendor didn't implement a PAT equivalent. It's demanded
> too much. There is money fo
> the first global-scale trial of IPv6, the long-anticipated upgrade to
> the Internet's main communications protocol known as IPv4.
this phrasing is both amusing and deeply sad. amusing because many folk
have been running ipv6 globally for over a decade. deeply sad because
this is taken to be sh
On Jan 12, 2011, at 8:54 AM, Fernando Gont wrote:
> On 12/01/2011 01:17 p.m., George Bonser wrote:
>
>> But your security person needs to shift their thinking because the
>> purpose of NAT and private addressing is to conserve IP address, not to
>> provide security. With IPv6, the concept of NA
> Well, here it is. Perhaps you might consider getting a gmail or other
> account, and posting on NANOG from there. Either that, or filter Randy
> out. Personally, I find those silly disclaimers annoying, but am far too
> lazy to set up a script such as Randy has.
disclaimers used to be against
On Wed, 12 Jan 2011, Lynda wrote:
On 1/12/2011 8:04 AM, Greg Whynott wrote:
list, sorry for this but this is getting a little annoying. I've
tried sending Randy email without luck.. think i'm black listed by
his kit, so if someone would kindly forward this to him?
Well, here it is. Per
On 1/12/2011 11:57 AM, Steven Kurylo wrote:
Some benefit? Yes. Enough benefit to be worth the trouble? I
personally am not convinced.
Some people believe it is. Who am I to tell them how to run their
network? They block facebook and yahoo. I, unfortunately, can't. :)
Considering the am
On 1/12/2011 11:52 AM, Nathan Eisenberg wrote:
I'd argue that the above has everything to do with firewalling, and nothing to
do with NAT.
I agree, but both effectively handle the job. My point is that just
because we have lots of infections behind NAT, doesn't mean that NAT (or
a firewall
On Wed, Jan 12, 2011 at 9:36 AM, Jack Bates wrote:
>
> As my corp IT guy put it to me, PAT forces a routing disconnect between
> internal and external. There is no way to reach the hosts without the
> firewall performing its NAT function.
But that's not true. If you have NAT, without a firewall
> And yet blaster type worms are less common now, and I still get the
> occasional reinfection reported where a computer shop installs XP pre-patch
> with a public IP. A simple stateful firewall or NAT router would stop that and
> allow them to finish patching the OS. There is always a new attack v
On 1/12/2011 11:21 AM, George Bonser wrote:
PAT makes little sense to me for v6, but I suspect you are correct. In
addition, we are putting the "fire suit" on each host in addition to the
firewall. Kernel firewall rules on each host for the *nix boxen.
As my corp IT guy put it to me, PAT forc
At 11:59 AM 1/12/2011, Jim postulated wrote:
On 01/11/2011 01:31 PM, Owen DeLong wrote:
> It's not about the number of devices. That's IPv4-think. It's about the number
> of segments. I see a world where each home-entertainment cluster would
> be a separate segment (today, few things use IP, b
From http://www.networkworld.com/news/2011/011211-world-ipv6-day.html
Several of the Internet's most popular Web sites - including Facebook,
Google and Yahoo - have agreed to participate in the first global-scale
trial of IPv6, the long-anticipated upgrade to the Internet's main
communications pr