As for being "incredibly stupid", well, as I have said in private, calling a
bunch of people rude names without even asking them why they are doing what
you think is so stupid is .. uh .. probably not very bright. :) Unless, of
course, you want everyone else passing judgement on how you run y
This has been a pain for me for years. I have tried to reason with
security people about this and, while they don't dispute my reasoning,
they always end up saying that it is the "standard" practice and that,
lacking any evidence of what it might be breaking, it will continue to
be blocked. And
If you took everything on v4 today and migrated it to v6 tomorrow the
routing table would not grow - actually by my calculation it should
shrink (every ASN would only need one prefix to cover its current and
anticipated growth). So we'll see 22 routes reduce to 25000.
Even if you gave everyo
That's the thing .. google's crawlers and search app run at layer 7, v6 is
an addressing system that runs at layer 3. If we'd (the community) got
everything right with v6, it wouldn't matter to Google's applications whether
the content came from a site hosted on a v4 address, or a v6 address
Won't stateful firewalls have similar issues? Ie, if you craft a stateful
firewall to allow an office to have real IPv6 addresses but not to allow
arbitrary connections in/out (ie, the "stateful" bit), won't said stateful
require protocol tracking modules with similar (but not -as-) complexity
t
Surely that second quote should be "crap, now macrumors can tell that one
person in our office follows them obsessively"? Unless there's
publicly-available information that indicates that IP address is your
CEO's (which is a whole other topic -- publicly available rDNS for
company-internal
I can give you the root password to a Linux machine running telnetd and
sshd. If it's behind NAT/PAT, you will not get into it. Period.
I'll give you root password to a half a dozen directly connected Linux
boxes and you still won't be able to get in.
I can give you the administrator passwor
But NAT *requires* stateful inspection;
No, NAT does not require this.
In the context of this discussion it does.
Port NAT mapping one IP to many does, but there are other
kinds of NAT.
This is exactly the NAT that is being spoken of though.
this lack of precision can lead to nasty result
Sorry, Owen, but your argument is ridiculous. The original statement was
"[t]here's no security gain from not having real IPs on machines". If
someone said, "there's no security gain from locking your doors", would you
refute it by arguing that there's no security gain from locking your doors
th
Also, it is good to control the Internet addressable devices on your network
by putting them behind a NAT device. That way you have fewer devices to
concern yourself about that are directly addressable when they most likely
need not be. You can argue that you can do the same with a firewall and
If I read the thread so far correctly, Igor can't enable a single server
with v6, because the instant he updates the DNS so an MX for his domain
references a , that will become the preferred target for his domain
from the entire IPv6 world, and he's gonna need a load balancer from Day 0.
Thi
Actually, for me 100% feature parity (for stuff we use per vip) is a day-1
requirement.
That's obviously your choice. I don't know the first thing about your
application/services/systems but in my case my load balancer has nothing
to do with my application/services- and I would be frightened i
Not speaking directly for my employer (in any official capacity
that is), but it is *not* as easy as just IPv6 enabling our network,
enabling ipv6 on the servers, and putting up ipv6.yahoo.com. Currently,
the biggest roadblock we have is loadbalancer support (or, more
specifically, la
There are indeed a few thorny issues with this approach; the largest issue is
that all connectivity becomes DNS-dependent and raw IP addresses (from both
the inside and outside) become virtually useless. Running servers behind
this scheme, while doable, is difficult.
When an ISP's caching name
I guess we have different definitions for "most significant backbones".
Unless you mean they have a dual-stack router running _somewhere_, say, for
instance, at a single IX or a lab LAN or something. Which is not
particularly useful if we are talking about a "significant backbone".
Rather th
I would call that not understanding today's security world. "Scanning"
is not the primary mode of looking for vulnerabilities today. There are
several more effective "come here and get infected" and "click on this
attachment and get infected" techniques.
I'm well aware of the modern security pr
But now PI is there, no more restrictions in the path, so they can use
"traditional" multihoming :-)
If ARIN is going to assign /48's, and people are blocking anything longer
than /32- well then that's a problem :)
-Don
There are "smarter" ways to scan v6 address space than this approach.
My favorite is "First, the attacker may rely on the administrator
conveniently numbering their hosts from [prefix]::1 upward. This
makes scanning trivial."
Most definitely- but not doing that should be considered best practi
This assumes a single machine scanning, not a botnet of 1000 or even the
1.5m the Dutch gov't collected 2 yrs ago.
Again, a sane discussion is in order. Scanning isn't AS EASY, but it
certainly is still feasible,
With 1.5 million hosts it will only take 3500 years... for a _single_ /64!
I'm n
We do have dual stack in all our customer sites, and for the time being
didn't get complaints or support calls that may be considered due to the
.
So far everyone who has contacted me has generally reported a positive
experience with their transitions.
The biggest complaints so far have com
but ipv6 is more secure, yes? :) (no it is not)
Does the relative security of IPv4 and IPv6 *really* matter on the same Internet
that has Vint Cerf's 140 million pwned machines on it?
was the ":)" not enough: "I'm joking" ??
Just askin', ya know?
some people do think that it does... they
RIPE may only give out /32's but ARIN gives out /48's so there wouldn't be
any deaggregation in that case.
The RIPE NCC assigns /48s from 2001:0678::/29 according to ripe-404:
http://www.ripe.net/ripe/docs/ripe-404.html
Yeah I missed that. This matches ARIN's policy for critical
infrastructur
Don't give people an excuse to deagg their /32
RIPE may only give out /32's but ARIN gives out /48's so there wouldn't be
any deaggregation in that case.
That's not what I said. If /48 are accepted by * then people with
a /32 or whatever will deagg to /48.
I understand now that you were refer
grr, it ain't just buying new equipment, it's IT work, it's certification
of code/features/bugs, interoperability. Provisioning, planning,
config management training...
My apologies- I missed the "opex"-I thought you were just referring to
hardware which of course makes no sense.
-Don
On a more serious note, I'd contact them and ask for them to stop.
Barring that call a lawyer and have a fancy letter sent to someone's
boss.
Being as they are a security company it is possible- if unlikely- that
someone typo'd an address range into a vulnerability scanner.
"Never attribute t
How do you get mail.ipv6.yahoo.com to actually get *used*, when your average
user doesn't know where they set 'mail.yahoo.com' in their PC's configuration,
and either doesn't understand why sometimes it's foo.com and sometimes it's
www.foo.com, or don't even bother, they just type 'foo' into the
f-root does this on the IPv6 side: 2001:500::/48
Whether that's available everywhere on IPv6 networks, is as Bill pointed-out,
another question.
One of the root servers not being available everywhere seems like a pretty
lousy idea :)
On another note- are there any folks on the list who hav
vixie had a fun discussion about anycast and dns... something about him
being sad/sorry about making everyone have to carry a /24 for f-root
everywhere.
Whether it's a /24 for f-root or a /20 doesn't really make a difference-
it's a routing table entry either way- and why waste addresses.
I t
That said- ARIN is handing out /48's- should we be blocking validly
assigned networks?
your network might have to protect its valuable routing slots. There
are places in the v4 world where /24's are not carried either. So, as Bill
said just cause you get an allocation doesn't mean you can
This is useless. Users need to use the same name for both IPv4 and IPv6,
they should not notice it.
It is not useless- I am specifically talking about setting it up
initially so that technically capable people can use and test the
infrastructure without breaking anything for those people on v
Anything more specific than /32 is going to be filtered at some portion of
the ISPs whether for the good or bad. There are some subsets of the v6
address space that have a higher chance of /48 working (for some definition
of 'working') than other parts of the address space, though.
More speci
At this point, ISP's should make solid plans for supplying
customers with both IPv4 and IPv6 connectivity, even
if the IPv6 connectivity is solely for their web servers and
mail gateway. The priority is not getting customers to
use IPv6, it's getting their public-facing servers IPv6
reachable
Don't forget customers. Turning this thing on for customers appears to be
non-trivial in many cases.
The only way I can see a customer being affected is if their CPE does
IPv6, it's enabled on the CPE, and it's enabled on their network. If all
of those are true- then the customer probably has
What is the smallest IPv6 advertisement that organizations are going to
honour- are we still looking at a minimum of a /48?
-Don
For core links it should IMHO be mostly possible to keep them IPv4/IPv6
dual-stack. When that is not the case one can always do minimal tunnels
inside the AS. Same for getting transit, it doesn't have to be directly
native, but when getting it try to keep the AS's crossed with a tunnel
for getti