Hi,
We've decided to bite the bullet, and have posted this IETF I-D:
"Problem Statement about IPv6 Support for Multiple Routers and Multiple
Interfaces"
HTMLized: https://datatracker.ietf.org/doc/html/draft-gont-v6ops-multi-ipv6
TXT: https://www.ietf.org/archive/id/draft-g
Hi,
The IANA IPv6 Global Unicast Address Assignments registry has been updated to
reflect the allocation of the following block to APNIC:
2410::/12 APNIC 2024-11-01
You can find the registry at:
https://www.iana.org/assignments/ipv6-unicast-address-assignments/
The allocation was made in
Looks like they have removed the IPv6 addresses.
% dig nameserver1.mc.duke.edu
;; BADCOOKIE, retrying.
; <<>> DiG 9.21.0-dev <<>> nameserver1.mc.duke.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id
Is there anyone from duke.edu on this list? I am having problems with
IPv6 on one of their sub-delegations causing mail delays. Trying to go
through the front door writes me off with "not our problem".
dm.duke.edu. 21600 IN NS nameserver1.mc.duke.edu.
dm.duke.edu. 21600 IN NS n
rements on IPv6 Extension Headers over the last two/three years.
More specifically, we're trying to evaluate how they are processed by
routers along the path, and so from the edge. Now, we would like to
compare our observations with the reality of operators. For that, we
propose this very
On Thu, Aug 15, 2024 at 2:06 PM John Palmer wrote:
> That's not what they tell me every time I try to apply - they ask for all
> sorts of "justification" and network usage maps, etc.
Hi John,
I got my /44 last year. My documentation wasn't even a page long. The
only thing they hassled me about
ification" and network usage maps, etc.
>
> I have tried 3 times and just get the run-around.
>
> -Original Message-
> From: William Herrin
> Sent: Thursday, August 15, 2024 15:31
> To: John Palmer
> Cc: NANOG mailing list
> Subject: Re: N92 Keynote: APNIC
lmer
Cc: NANOG mailing list
Subject: Re: N92 Keynote: APNIC's Geoff Huston - "Whatever Happened to IPv6?" +
More
On Thu, Aug 15, 2024 at 1:21 PM John Palmer wrote:
> What happened? ARIN insists on you signing away your rights to your PI legacy
> IPV4 space in order to get any allocation of IPV6 space.
Hi John,
That is not the case. ARIN does this if you want IRR or RPKI for your
legacy IPv4 space
What happened? ARIN insists on you signing away your rights to your PI legacy
IPV4 space in order to get any allocation of IPV6 space.
PI holders should get an automatic assignment of IPV6 space if they request it.
People don’t like being extorted. Maybe if they stopped profiteering
Yes "whatever happened to IPv6"?
This should be an interesting Keynote and I can't wait?
Noah
On Thu, 15 Aug 2024, 22:14 Nanog News, wrote:
> *N92 Keynote: APNIC's Geoff Huston to Present "Whatever Happened to IPv6?"*
> *Leading Researcher on IPv4 Exhaustion Will
*N92 Keynote: APNIC's Geoff Huston to Present "Whatever Happened to IPv6?"*
*Leading Researcher on IPv4 Exhaustion Will Shine a Light into a Very Dark
Tunnel*
"The mantra of 'transition to IPv6' has been with us for so long that it
seems we are stuck rather than tr
to get a /28 from cogent for peering on ipv4. I believe we are
> paying for this, but our rep is not getting the concept of it in ipv6. He
> says he can only order a /127 or /48. I don’t mind paying. I
>
> Justin Wilson
> j...@mtin.net
>
> —
> https://j2sw.com (
On 6/12/24 05:51, Mike Hammett wrote:
That doesn't even make any sense. IPv4 is a contended resource, but
IPv6 is not. They're already double-dipping by charging for the extra
BGP sessions.
Perhaps, is the issue that what customers are paying for is the ability
to have mu
That doesn't even make any sense. IPv4 is a contended resource, but IPv6 is
not. They're already double-dipping by charging for the extra BGP sessions.
-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com
- Origin
We were able to get a /28 from cogent for peering on ipv4. I believe we are
paying for this, but our rep is not getting the concept of it in ipv6. He says
he can only order a /127 or /48. I don’t mind paying. I
Justin Wilson
j...@mtin.net
—
https://j2sw.com (AS399332)
https
Cool, I’ll give it a look, thanks
Aaron

On Jun 10, 2024, at 6:24 PM, Peter Potvin wrote:
> That was resolved a couple years back I believe, I'm receiving Google's
> IPv6 DNS prefix (2001:4860::/32) from Cogent currently but it goes via 6453
> before entering 15169's network.
> Peter
> On Mon,
That was resolved a couple years back I believe, I'm receiving Google's
IPv6 DNS prefix (2001:4860::/32) from Cogent currently but it goes via 6453
before entering 15169's network.
Peter
On Mon, Jun 10, 2024 at 5:53 PM Aaron1 wrote:
> Also related to Cogent and v6… I recal
On Jun 10, 2024, at 4:48 PM, Peter Potvin via NANOG wrote:
>
> Cogent stopped offering anything larger than a /31 IPv4 and /127 IPv6 on
> new DIA circuits earlier this year, when previously they provided a /29
> IPv4 and /112 IPv6 without issue at no additional cost. N
It’s Cogent, what do you expect? Friends don’t let friends use Cogent.
-Mike

On Jun 10, 2024, at 14:49, Peter Potvin via NANOG wrote:
> Cogent stopped offering anything larger than a /31 IPv4 and /127 IPv6 on
> new DIA circuits earlier this year, when previously they provided a /29
> IPv4 and /112 IPv6
Also related to Cogent and v6… I recall having a Google v6 DNS reachability
issue through Cogent previously… is that still a problem?
Aaron

On Jun 10, 2024, at 4:48 PM, Peter Potvin via NANOG wrote:
> Cogent stopped offering anything larger than a /31 IPv4 and /127 IPv6 on
> new DIA circuits earlier this
Cogent stopped offering anything larger than a /31 IPv4 and /127 IPv6 on
new DIA circuits earlier this year, when previously they provided a /29
IPv4 and /112 IPv6 without issue at no additional cost. Now they expect you
to pay additional for this functionality, including for redundant sessions
I am trying to get our Cogent rep to give us a /124 to peer on a Cogent circuit
with. We have multiple routers we want to peer to a cogent transit circuit
with.
Does anyone have the magic words or a circuit ID example you are doing multiple
BGP connections on a single circuit?
Justin
I am. Shoot me a message offline on what you need and I can put you in contact
with our peering coordinator.
Thanks,
-Jeff
> On May 20, 2024, at 5:21 AM, Nick Olsen wrote:
>
> Anyone with a clue from 5650 monitoring this list?
>
> I'm in the process of turning up a new transit circuit from 56
Anyone with a clue from 5650 monitoring this list?
I'm in the process of turning up a new transit circuit from 5650 and my
account management team has been less than helpful.
The normal contacts aren't getting me anywhere.
Thank you!
> On May 9, 2024, at 6:57 PM, J. Hellenthal wrote:
>
> Port 80, 443, 873 are open on v4
> Port 80 is open on v6
> ICMP is not available on v6
>
> I am assuming the problem you are noticing is due to the protocol that you are
> trying to reach? The ping you are using reported on outages does not
Anyone that can help with AS10796 willing/able to contact me off-list ? I also
have a message posted on outages.
tl;dr: IPv6 issues since ~ 4:30a EDT. Checked from ATLAS probes and they fail
as well so I don’t think it’s just me.
Thanks.
On Tue, Feb 27, 2024 at 12:03 PM 𝑀𝒶𝓇𝒸𝑜 𝒟𝒶𝓋𝒾𝒹𝓈 via NANOG
wrote:
>
> Op 27-02-24 om 16:22 schreef Brotman, Alex:
>
> > We are seeing the same,
>
> Thanks.
>
> > You may also want to ask the mailop list.
>
>
> I was about to do that, when I noticed that the problem seems solved.
sorry about the nois
Op 27-02-24 om 16:22 schreef Brotman, Alex:
We are seeing the same,
Thanks.
You may also want to ask the mailop list.
I was about to do that, when I noticed that the problem seems solved.
--
𝑀𝒶𝓇𝒸𝑜
We are seeing the same, but seems like it's mostly affecting delivery for
broadcom.com, and a few other smaller domains. However, connectivity to the MX
listed by gmail.com (and most other domains using GSuite, etc) are working fine
over IPv6.
You may also want to ask the mailop
Hi,
At https://internet.nl we're seeing IPv6 connection issues on TCP port
25 (SMTP) to mx[1-4].smtp.goog.
Either 100% DROP (so no TCP connection) or ⅔ failure to set up a connection.
Further testing seems to confirm the problem is bigger and on Google's side.
So, this fails:
echo &
guardrail." But yes:
we're talking about the same thing.
> I still believe that the statement "IPv6 is typically delivered
> to "most people" without border security" to be demonstrably false.
I concede the claim. I am satisfied with your evidence that I was in error.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
Pv4 functions of the device are disabled. The
> bridge mode is the only "off" setting for the IPv4 firewall.
>
> Correct?
>
> Their IPv6 options *might* include these but also include the option
> to turn the IPv6 firewall off. At which point IPv4 is still firewalle
he
bridge mode is the only "off" setting for the IPv4 firewall.
Correct?
Their IPv6 options *might* include these but also include the option
to turn the IPv6 firewall off. At which point IPv4 is still firewalled
but IPv6 is not and allows all L4 protocols, not just TCP and UDP.
Also corr
OpenWrt, from which much is derived, is default deny on ipv4 and ipv6.
The ipv6 firewall on most cable devices prior to the XB6 is very, very limited.
On Mon, Feb 19, 2024 at 12:44 PM William Herrin wrote:
>
> On Mon, Feb 19, 2024 at 9:23 AM Hunter Fuller wrote:
> > On Mon, Feb 19
On Mon, 19 Feb 2024 09:16:00 -0800
William Herrin wrote:
> I disagree with that one. Limiting discussion to the original security
> context (rather than the wider world of how useful IPv6 is without
> IPv4), IPv6 is typically delivered to "most people" without border
> s
the wider world of how useful IPv6 is without
> > IPv4), IPv6 is typically delivered to "most people" without border
> > security, while IPv4 is delivered with a stateful NAT firewall.
>
> Maybe this is the disconnect. Who delivers v6 without a firewall?
>
> I
On Mon, Feb 19, 2024 at 11:16 AM William Herrin wrote:
> > There isn't really an advantage to using v4 NAT.
> I disagree with that one. Limiting discussion to the original security
> context (rather than the wider world of how useful IPv6 is without
> IPv4), IPv6 is typicall
people, not everyone.
> There isn't really an advantage to using v4 NAT.
I disagree with that one. Limiting discussion to the original security
context (rather than the wider world of how useful IPv6 is without
IPv4), IPv6 is typically delivered to "most people" without border
secu
On Mon, Feb 19, 2024 at 10:22 AM William Herrin wrote:
> Yes and no. The client application has to be programmed to understand
> link-local addresses or it can't use them at all. You can't just say
> "connect to fe80::1." Even if there's an fe80::1 on your network, it
> doesn't work. The client ap
On Mon, Feb 19, 2024 at 8:08 AM Hunter Fuller wrote:
> On Mon, Feb 19, 2024 at 9:17 AM William Herrin wrote:
> > There's also the double-ISP loss scenario that causes Joe to lose all
> > global-scope IP addresses. He can overcome that by deploying ULA
> > addresses (a t
On Mon, Feb 19, 2024 at 11:13 AM Hunter Fuller via NANOG
wrote:
>
> On Mon, Feb 19, 2024 at 9:29 AM Mike Hammett wrote:
> > "In IPv6's default operation, if Joe has two connections then each of
> > his computers has two IPv6 addresses and two default routes. If one
&
t 11:10 AM Hunter Fuller via NANOG
wrote:
>
> On Mon, Feb 19, 2024 at 9:17 AM William Herrin wrote:
> > There's also the double-ISP loss scenario that causes Joe to lose all
> > global-scope IP addresses. He can overcome that by deploying ULA
> > addresses (a third set o
On Mon, Feb 19, 2024 at 9:29 AM Mike Hammett wrote:
> "In IPv6's default operation, if Joe has two connections then each of
> his computers has two IPv6 addresses and two default routes. If one
> connection goes down, one of the routes and sets of IP addresses goes
> away.&q
On Mon, Feb 19, 2024 at 9:17 AM William Herrin wrote:
> There's also the double-ISP loss scenario that causes Joe to lose all
> global-scope IP addresses. He can overcome that by deploying ULA
> addresses (a third set of IPv6 addresses) on the internal hosts, but
> convincing the
www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> --
> *From: *"Michael Thomas"
> *To: *nanog@nanog.org
> *Sent: *Saturday, February 17, 2024 12:50:46 PM
> *Subject: *Re: IPv6 uptake
>
>
> On 2/17/24 10:26 AM, Owen De
orts
where services might actually be running and waiting for connections.
> FWIW, the other enterprise IT security hole I often see: if your VPN is
> IPv6-unaware, but your users have IPv6
> at home (like most in the U.S.), your VPN is now split-tunnel, regardless of
> policy. You
" In IPv6's default operation, if Joe has two connections then each of
his computers has two IPv6 addresses and two default routes. If one
connection goes down, one of the routes and sets of IP addresses goes
away."
This sounds like a disaster.
-
Mike Hammett
Intell
's
> already there or not, I don't know. Use case: Joe's Taco Shop.
> Joe doesn't want a down Internet connection to prevent
> transactions from completing, so he purchases two diverse
> broadband connections, say a cable connection and a DSL connection.
Hi Mike,
In IPv
is own, he's just going to do simple NAT.
-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com
- Original Message -
From: "Michael Thomas"
To: nanog@nanog.org
Sent: Saturday, February 17, 2024 12:50:46 PM
On Mon, Feb 19, 2024 at 5:29 AM Howard, Lee via NANOG wrote:
> In the U.S., the largest operators without IPv6 are (in order by size):
> Lumen (CenturyLink)
CenturyLink has IPv6 using 6rd. It works fine.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
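The 6rd mentioned above (RFC 5969) carries each subscriber's IPv4 address inside the IPv6 prefix it delegates, and the same embedding is what a CE or border relay checks on decapsulation to reject spoofed tunnel packets. The following is an added illustration of that arithmetic, not code from this thread and not CenturyLink's configuration (this page gives no operator-specific values): the 6rd prefix, IPv4MaskLen and IPv4 addresses are constructed from documentation ranges, and the function and parameter names are this example's own.

```python
"""Added example: RFC 5969 6rd prefix derivation and the decapsulation source
check.  Parameter values in the docstrings are constructed from documentation
address ranges, not taken from any real 6rd deployment."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network


def _domain(rd_prefix, ipv4_mask_len):
    """Validate the 6rd domain parameters and return (6rdPrefix, number of IPv4
    bits embedded in the delegated prefix, bit position of those bits)."""
    if not 0 <= ipv4_mask_len <= 32:
        raise ValueError("IPv4MaskLen must be between 0 and 32")
    net = IPv6Network(rd_prefix)
    v4_bits = 32 - ipv4_mask_len
    plen = net.prefixlen + v4_bits
    if plen > 64:   # RFC 5969: 6rdPrefixLen + 32 - IPv4MaskLen must not exceed 64
        raise ValueError(f"delegated prefix would be /{plen}: shorten the 6rdPrefix or raise IPv4MaskLen")
    return net, v4_bits, 128 - plen


def sixrd_delegated_prefix(rd_prefix, ipv4_mask_len, ce_ipv4):
    """6rdPrefix followed by the low (32 - IPv4MaskLen) bits of the CE's IPv4
    address is the prefix delegated to that subscriber.
    sixrd_delegated_prefix("2001:db8::/32", 0, "10.100.100.1") -> 2001:db8:a64:6401::/64"""
    net, v4_bits, shift = _domain(rd_prefix, ipv4_mask_len)
    low = int(IPv4Address(ce_ipv4)) & ((1 << v4_bits) - 1)
    return IPv6Network((int(net.network_address) | (low << shift), 128 - shift))


def sixrd_embedded_ipv4(rd_prefix, ipv4_mask_len, own_ipv4, addr_ipv6):
    """Recover the IPv4 address embedded in an IPv6 address of the 6rd domain.
    The high IPv4MaskLen bits are common to the whole domain and are taken from
    own_ipv4.  Returns None for addresses outside the domain: a CE sends those
    to the border relay instead of directly to another CE."""
    net, v4_bits, shift = _domain(rd_prefix, ipv4_mask_len)
    addr = IPv6Address(addr_ipv6)
    if addr not in net:
        return None
    mask = (1 << v4_bits) - 1
    low = (int(addr) >> shift) & mask
    high = int(IPv4Address(own_ipv4)) & ~mask & 0xFFFFFFFF
    return IPv4Address(high | low)


def sixrd_source_ok(rd_prefix, ipv4_mask_len, inner_src_ipv6, outer_src_ipv4):
    """Anti-spoofing check from RFC 5969's security considerations, applied by
    the BR to every packet from a CE and by a CE to packets whose inner source
    lies in the 6rd domain: the IPv4 bits embedded in the inner IPv6 source must
    equal the corresponding bits of the outer IPv4 source.  Returns False when
    the inner source is outside the domain; a CE then accepts the packet only if
    the outer source is the border relay."""
    net, v4_bits, shift = _domain(rd_prefix, ipv4_mask_len)
    src = IPv6Address(inner_src_ipv6)
    if src not in net:
        return False
    mask = (1 << v4_bits) - 1
    return ((int(src) >> shift) & mask) == (int(IPv4Address(outer_src_ipv4)) & mask)
```

The sizing rule that `_domain` enforces is why operators set IPv4MaskLen: a /32 6rd prefix with IPv4MaskLen 0 delegates /64s, while the same /32 with IPv4MaskLen 8 (all CEs inside one IPv4 /8) delegates /56s. The source check is the caveat a practitioner should keep in mind with any 6rd or 6to4 relay: without it, any IPv4 host that can reach the relay can inject IPv6 packets that appear to originate from a subscriber's prefix.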
Bottom-posted with old school formatting by hand.
-Original Message-
From: NANOG On Behalf
Of William Herrin
Sent: Friday, February 16, 2024 8:05 PM
To: Michael Thomas
Cc: nanog@nanog.org
Subject: Re: IPv6 uptake (was: The Reg does 240/4)
> On the firewall, I program it to do
If you ever want to know which providers in a country are lagging, Geoff Huston
is here to help:
https://stats.labs.apnic.net/ipv6/US
In the U.S., the largest operators without IPv6 are (in order by size):
Verizon FiOS (they deployed to 50%, discovered a bug, and rolled back)
Frontier
Lumen
On Sun, 18 Feb 2024, 05:29 Owen DeLong via NANOG, wrote:
> Most firewalls are default deny. Routers are default allow unless you put
> a filter on the interface.
>
This is not relevant though. NAT when doing port overloading, as is the
case for most CPE, is not default-deny or default-allow. The
It appears that Nick Hilliard said:
>full control of all modems and they're all relatively recent, properly
>supported units, fully managed by the cable operator. If you start
>adding poor quality cheap units into the mix, it can cause service problems.
The cablecos I've dealt with have a list
Michael Thomas wrote on 18/02/2024 21:18:
So it has its own wireless? I seem to recall that there were some
economic reasons to use their CPE as little as possible to avoid rent.
Has that changed? Or can I run down and just buy a Cablelabs certified
router/modem these days?
There's no short a
On 2/18/24 1:10 PM, Nick Hilliard wrote:
Michael Thomas wrote on 18/02/2024 20:56:
That's really great to hear. Of course there is still the problem
with CPE that doesn't speak v6, but that's not their fault and gives
some reason to use their CPE.
Already solved: cable mod
Michael Thomas wrote on 18/02/2024 20:56:
That's really great to hear. Of course there is still the problem with
CPE that doesn't speak v6, but that's not their fault and gives some
reason to use their CPE.
Already solved: cable modem ipv6 support is usually also excellent, bo
thing,
availability of provider-side ipv6 support is generally excellent on
docsis networks. This includes end-user device support, management,
client and server side provisioning, the works. This is one of the
real ipv6 success stories in the service provider arena.
That's really gre
Michael Thomas wrote on 18/02/2024 20:28:
I do know that Cablelabs pretty early on -- around the time I
mentioned above -- has been pushing for v6. Maybe Jason Livingood can
clue us in. Getting cable operators onboard too would certainly be a
good thing,
availability of provider-side ipv6
"Firewalls and Internet
Security: Repelling the Wily Hacker" and have not read it.
For what it's worth, both editions of Bellovin and Cheswick's Firewalls book
are online. [1] Also, there are discussions about NAT and how it influenced
IPng (eventually IPv6) on the big-internet
On 2/17/24 11:27 AM, William Herrin wrote:
On Sat, Feb 17, 2024 at 10:34 AM Michael Thomas wrote:
I didn't hear about NAT until the
late 90's, iirc. I've definitely not heard of Gauntlet.
Then there are gaps in your knowledge.
Funny, I don't recall Bellovin and Cheswick's Firewall book dis
Concerning the firewall book.
Firewalls and Internet Security, Second Edition
PDF online at
https://www.wilyhacker.com/fw2e.pdf
"Some people think that NAT boxes are a form of
firewall. In some sense, they are, but they're low-end ones."
On 2/17/24 10:22 AM, Justin Streiner wrote:
Getting back to the recently revised topic of this thread - IPv6 uptake -
what have peoples' experiences been related to crafting sane v6 firewall
rulesets in recent products from the major firewall players (Palo Alto,
Cisco, Fortinet, etc)? O
On 2/17/24 2:21 PM, John Levine wrote:
But what happens under the hood at
major mailbox providers is maddeningly opaque so who really knows? It
would be nice if MAAWG published a best practices or something like that
to outline what is actually happening in live deployments.
Unfortunately, spa
It appears that Michael Thomas said:
>I kind of get the impression that once you get to aggregates at the
>domain level like DKIM or SPF, addresses as a reputation vehicle don't
>much figure into decision making.
It definitely does, since there are plenty of IPs that send only
malicious mail, o
On 17/02/2024, 19:27:20, "William Herrin" wrote:
So it does not surprise me that a 1994 book on network security would
not have discussed NAT. They'd have referred to the comparable
contemporary technology, which was "transparent application layer
gateways." Those behaved like what we now call N
On Sat, Feb 17, 2024 at 10:34 AM Michael Thomas wrote:
> I didn't hear about NAT until the
> late 90's, iirc. I've definitely not heard of Gauntlet.
Then there are gaps in your knowledge.
> Funny, I don't recall Bellovin and Cheswick's Firewall book discussing
> NAT.
And mine too, since I hadn'
On Sat, Feb 17, 2024 at 10:22 AM Justin Streiner wrote:
> Getting back to the recently revised topic of this thread - IPv6
> uptake - what have peoples' experiences been related to
> crafting sane v6 firewall rulesets in recent products from the
> major firewall players
On 2/17/24 10:26 AM, Owen DeLong via NANOG wrote:
On Feb 16, 2024, at 14:20, Jay R. Ashworth wrote:
- Original Message -
From: "Justin Streiner"
4. Getting people to unlearn the "NAT=Security" mindset that we were forced
to accept in the v4 world.
NAT doesn't "equal" security.
I can’t speak to Cisco as I don’t have recent experience there. Juniper, Linux,
Palo Alto, and most others I’ve dealt with in the last 5 years pose no
significant difference in writing policy for IPv6 vs. the process for IPv4.
Owen

On Feb 17, 2024, at 10:23, Justin Streiner wrote:
> We went pretty
> Think of it like this: you have a guard, you have a fence and you have
> barbed wire on top of the fence. Can you secure the place without the
> barbed wire? Of course. Can an intruder defeat the barbed wire? Of
> course. Is it more secure -with- the barbed wire? Obviously.
>
NAT is like the b
Bill, same scenario, but instead of fat fingering an outbound rule, you fat
finger a port map for inbound connections to a different host and get the
destination address wrong.
Still hacked.
NAT doesn’t prevent fat fingers from getting you hacked, it just changes the
nature of the required f
On 2/16/24 6:33 PM, William Herrin wrote:
On Fri, Feb 16, 2024 at 6:10 PM Ryan Hamel wrote:
Depending on where that rule is placed within your ACL, yes that can happen
with *ANY* address family.
Hi Ryan,
Correct. The examples illustrated a difference between a firewall
implementing address
Most firewalls are default deny. Routers are default allow unless you put a
filter on the interface.
NAT adds nothing to security (Bill and I agree to disagree on this), but at
best, it complicates the audit trail.
Owen
> On Feb 16, 2024, at 15:19, Jay R. Ashworth wrote:
>
> - Origina
> On Feb 16, 2024, at 14:20, Jay R. Ashworth wrote:
>
> - Original Message -
>> From: "Justin Streiner"
>
>> 4. Getting people to unlearn the "NAT=Security" mindset that we were forced
>> to accept in the v4 world.
>
> NAT doesn't "equal" security.
>
> But it is certainly a *compo
o say it again? Okay, I've said it again.
>
> The implication being that we should keep NAT'ing ipv6 for... a thin
> veil of security. That all of the other things that NAT breaks is worth
> the trouble because we can't trust our fat fingers on firewall configs.
Hi Mik
We went pretty deep into the weeds on NAT in this thread - far deeper than
I expected ;)
Getting back to the recently revised topic of this thread - IPv6 uptake -
what have peoples' experiences been related to crafting sane v6 firewall
rulesets in recent products from the major firewall pl
e- is made with the network
configuration. You want me to say it again? Okay, I've said it again.
The implication being that we should keep NAT'ing ipv6 for... a thin
veil of security. That all of the other things that NAT breaks is worth
the trouble because we can't trust ou
e:
> On Fri, Feb 16, 2024 at 7:10 PM John Levine wrote:
> > If you configure your firewall wrong, bad things will happen. I have
> both
> > IPv6 and NAT IPv4 on my network here and I haven't found it particularly
> > hard to get the config correct for IPv6.
>
>
, 2024 8:03 PM
To: John R. Levine
Cc: nanog@nanog.org
Subject: Re: IPv6 uptake (was: The Reg does 240/4)
On Fri, Feb 16, 2024 at 7:41 PM John R. Levine wrote:
> > That it
On Fri, Feb 16, 2024 at 7:41 PM John R. Levine wrote:
> > That it's possible to implement network security well without using
> > NAT does not contradict the claim that NAT enhances network security.
>
> I think we're each overgeneralizing from our individual experience.
>
> You can configure a V6
That it's possible to implement network security well without using
NAT does not contradict the claim that NAT enhances network security.
I think we're each overgeneralizing from our individual experience.
You can configure a V6 firewall to be default closed as easily as you can
configure a NAT
On Fri, Feb 16, 2024 at 7:10 PM John Levine wrote:
> If you configure your firewall wrong, bad things will happen. I have both
> IPv6 and NAT IPv4 on my network here and I haven't found it particularly
> hard to get the config correct for IPv6.
Hi John,
That it's possible t
e
internal address and forward it to the switch. Or the switch helpfully
uses UPNP to do its own port forwarding and you forget to turn it off.
If you configure your firewall wrong, bad things will happen. I have both
IPv6 and NAT IPv4 on my network here and I haven't found it particularly
hard
On Fri, Feb 16, 2024 at 6:10 PM Ryan Hamel wrote:
> Depending on where that rule is placed within your ACL, yes that can happen
> with *ANY* address family.
Hi Ryan,
Correct. The examples illustrated a difference between a firewall
implementing address-overloaded NAT and a firewall implementing
5:44 PM
To: William Herrin
Cc: nanog@nanog.org
Subject: Re: IPv6 uptake (was: The Reg does 240/4)
Why is your Internal v6 subnet advertised to the Internet?
> On Feb 16, 202
On Fri, Feb 16, 2024 at 5:45 PM wrote:
> Why is your Internal v6 subnet advertised to the Internet?
Because that was the example network -without- NAT. If I made two
networks -with- NAT, there would be no difference to show.
I make 2602:815:6000::/44 be 199.33.224.0/23, make 2602:815:6001::/64
b
Why is your Internal v6 subnet advertised to the Internet?
> On Feb 16, 2024, at 8:08 PM, William Herrin wrote:
>
> On Fri, Feb 16, 2024 at 3:13 PM Michael Thomas wrote:
>> If you know which subnets need to be NAT'd don't you also know which
>> ones shouldn't exposed to incoming connections (o
On Fri, Feb 16, 2024 at 5:33 PM Michael Thomas wrote:
> So you're not going to address that this is a management plane problem.
Hi Mike,
What is there to address? I already said that NAT's security
enhancement comes into play when a -mistake- is made with the network
configuration. You want me t
On 2/16/24 5:30 PM, William Herrin wrote:
On Fri, Feb 16, 2024 at 5:22 PM Michael Thomas wrote:
On 2/16/24 5:05 PM, William Herrin wrote:
Now, I make a mistake on my firewall. I insert a rule intended to
allow packets outbound from 2602:815:6001::4 but I fat-finger it and
so it allows them i
On Fri, Feb 16, 2024 at 5:22 PM Michael Thomas wrote:
> On 2/16/24 5:05 PM, William Herrin wrote:
> > Now, I make a mistake on my firewall. I insert a rule intended to
> > allow packets outbound from 2602:815:6001::4 but I fat-finger it and
> > so it allows them inbound to that address instead. So
On 2/16/24 5:05 PM, William Herrin wrote:
On Fri, Feb 16, 2024 at 3:13 PM Michael Thomas wrote:
If you know which subnets need to be NAT'd don't you also know which
ones shouldn't exposed to incoming connections (or conversely, which
should be permitted)? It seems to me that all you're doing
On Fri, Feb 16, 2024 at 3:13 PM Michael Thomas wrote:
> If you know which subnets need to be NAT'd don't you also know which
> ones shouldn't exposed to incoming connections (or conversely, which
> should be permitted)? It seems to me that all you're doing is moving
> around where that knowledge i
> a lot of folks
> making statements about network security on this list don't appear to
> grasp it.
If your network is secure, it isn’t even possible to “accidentally” open
inbound ports in the first place. You either allow it to happen or you don’t
via security policy, anything else means your
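The two mistakes argued over above, Bill Herrin's outbound rule typed in the inbound direction and Owen DeLong's port map pointed at the wrong host, can be replayed against a toy default-deny stateful filter. This is an added illustration, not code from the thread or from any firewall product; it keeps the thread's example address 2602:815:6001::4 and adds constructed addresses for the NAT cases (a ULA LAN fd00:1::/64 behind NAT, a public address 2001:db8:1::1, an unsolicited sender 2001:db8:ffff::1). The class and function names are this example's own.

```python
"""Added example: a minimal default-deny stateful packet filter used to replay
the thread's two "fat finger" cases.  Only 2602:815:6001::4 comes from the
thread; every other address below is constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = ip_network("::/0")
HOST_GLOBAL = ip_address("2602:815:6001::4")   # the thread's example host
LAN_ULA = ip_network("fd00:1::/64")           # constructed: LAN hidden behind NAT
WEB_ULA = ip_address("fd00:1::80")            # constructed: intended port-map target
WS_ULA = ip_address("fd00:1::4")              # constructed: a workstation on that LAN
PUBLIC_IP = ip_address("2001:db8:1::1")       # constructed: NAT's outside address
ATTACKER = ip_address("2001:db8:ffff::1")     # constructed: unsolicited sender


@dataclass(frozen=True)
class Rule:
    direction: str   # "in" (from the Internet) or "out" (toward the Internet)
    src: object      # ip_network
    dst: object      # ip_network
    action: str      # "accept" or "drop"


@dataclass(frozen=True)
class Packet:
    direction: str
    src: object                 # ip_address
    dst: object                 # ip_address
    established: bool = False   # belongs to a flow the filter already tracks


class Firewall:
    """Default deny: tracked replies pass, otherwise the first matching rule
    decides, otherwise the packet is dropped.  With nat_lan set, an inbound packet
    reaches an internal host only through port_map (outside address -> host)."""

    def __init__(self, rules, nat_lan=None, port_map=None):
        self.rules = list(rules)
        self.nat_lan = nat_lan
        self.port_map = dict(port_map or {})

    def decide(self, pkt):
        """Return (verdict, host the packet is delivered to, or None)."""
        if pkt.established:                      # like 'ct state established accept'
            return "accept", pkt.dst
        if pkt.direction == "in" and self.nat_lan is not None:
            if pkt.dst in self.nat_lan:          # private range: the Internet cannot deliver here
                return "drop", None
            target = self.port_map.get(pkt.dst)  # a port map is an explicit inbound allow
            return ("accept", target) if target is not None else ("drop", None)
        for r in self.rules:
            if r.direction == pkt.direction and pkt.src in r.src and pkt.dst in r.dst:
                return r.action, (pkt.dst if r.action == "accept" else None)
        return "drop", None                      # default deny


def correct_policy_no_nat():
    """Intended rule: the host may open connections outward.  The unsolicited
    inbound packet is dropped; the reply to the host's own connection passes."""
    fw = Firewall([Rule("out", ip_network(f"{HOST_GLOBAL}/128"), ANY, "accept")])
    unsolicited = fw.decide(Packet("in", ATTACKER, HOST_GLOBAL))[0]
    reply = fw.decide(Packet("in", ATTACKER, HOST_GLOBAL, established=True))[0]
    return unsolicited, reply


def fat_finger_direction(nat):
    """The same rule typed with "in" instead of "out".  Without NAT the host is now
    reachable; with NAT the rule names an address the Internet cannot deliver to."""
    host = WS_ULA if nat else HOST_GLOBAL
    wrong = Rule("in", ANY, ip_network(f"{host}/128"), "accept")
    fw = Firewall([wrong], nat_lan=LAN_ULA if nat else None)
    return fw.decide(Packet("in", ATTACKER, host))[0]


def fat_finger_port_map():
    """NAT's own failure mode: the port map meant for WEB_ULA is pointed at the
    workstation, so the unsolicited packet is accepted and delivered there."""
    fw = Firewall([], nat_lan=LAN_ULA, port_map={PUBLIC_IP: WS_ULA})
    return fw.decide(Packet("in", ATTACKER, PUBLIC_IP))


if __name__ == "__main__":
    print("correct policy, no NAT:", correct_policy_no_nat())
    print("direction typo, no NAT:", fat_finger_direction(False))
    print("direction typo, NAT:   ", fat_finger_direction(True))
    print("port-map typo, NAT:    ", fat_finger_port_map())
```

Run stand-alone, the four verdicts line up with both sides of the argument: default deny plus state tracking already stops the unsolicited packet; the direction typo exposes the globally addressed host but not the ULA host, because the Internet has no route to fd00:1::/64; and the port-map typo delivers the unsolicited packet to the workstation, which is the mistake NAT adds rather than removes.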
- Original Message -
> From: "William Herrin"
> On Fri, Feb 16, 2024 at 2:19 PM Jay R. Ashworth wrote:
>> > From: "Justin Streiner"
>> > 4. Getting people to unlearn the "NAT=Security" mindset that we were forced
>> > to accept in the v4 world.
>>
>> NAT doesn't "equal" security.
>>
>>
On 2/16/24 3:01 PM, William Herrin wrote:
On Fri, Feb 16, 2024 at 2:19 PM Jay R. Ashworth wrote:
From: "Justin Streiner"
4. Getting people to unlearn the "NAT=Security" mindset that we were forced
to accept in the v4 world.
NAT doesn't "equal" security.
But it is certainly a *component* of
On Fri, Feb 16, 2024 at 2:19 PM Jay R. Ashworth wrote:
> > From: "Justin Streiner"
> > 4. Getting people to unlearn the "NAT=Security" mindset that we were forced
> > to accept in the v4 world.
>
> NAT doesn't "equal" security.
>
> But it is certainly a *component* of security, placing control of
- Original Message -
> From: "Justin Streiner"
> 4. Getting people to unlearn the "NAT=Security" mindset that we were forced
> to accept in the v4 world.
NAT doesn't "equal" security.
But it is certainly a *component* of security, placing control of what internal
nodes are accessible f