On 3/27/2014 12:19 PM, Luke S. Crawford wrote:
This is a very common problem for dedicated hosting providers (and why
I give my dedicated hosts a vlan and a routed subnet, wasting IPv4.)
Implement what some DSL access providers do. Unnumbered interfaces with
/32 routing to the vlan. The last
On March 26, 2014 at 22:17 o...@delong.com (Owen DeLong) wrote:
>
> Then the spammers will grab /48s instead of /64s. Lather, rinse, repeat.
Hang on, do spammers "grab" address blocks?
Ok, I'm sure it happens, this is not an existence proof.
But is that really a significant characterization
It might make sense to just give everyone their own vlan and their own /64;
that would, of course, bring its own problems and complexities (namely that
I've gotta have the capability to deal with more customers than I can have
native vlans - not impossible to get around, but significant ad
On 03/26/2014 11:14 PM, Owen DeLong wrote:
Why not just use private VLAN layer 2 controls for the privacy you describe?
The technology I know of is what cisco calls 'protected ports' - My
understanding is that those simply mean you can't pass traffic to or
from other 'protected ports' - I
On 2014-03-26, Owen DeLong sent:
> Then the spammers will grab /48s instead of /64s. Lather, rinse, repeat.
>
> Admittedly, /48s are only 65,536 RBL entries per, but I still
> think that address-based reputations are a losing battle in an
> IPv6 world unless we provide some way for providers to h
On Thu, Mar 27, 2014 at 6:17 AM, Owen DeLong wrote:
> > It only takes a single entry if you do not store /128s but that /64. Yes,
> > RBL lookups do not currently know how to handle this, but there are a
> > couple of good proposals around on how to do it.
>
> Then the spammers will grab /48s in
On Mar 26, 2014, at 5:50 PM, Chuck Anderson wrote:
> On Wed, Mar 26, 2014 at 06:52:53PM -0500, Timothy Morizot wrote:
>> On Mar 26, 2014 6:27 PM, "Luke S. Crawford" wrote:
>>> My original comment and complaint, though, was in response to the
>>> assertion that DHCPv6 is as robust as DHCPv4. My
On Mar 26, 2014, at 4:25 PM, Luke S. Crawford wrote:
> On 03/26/2014 03:49 PM, Matt Palmer wrote:
>> On Wed, Mar 26, 2014 at 10:55:03AM -0700, Luke S. Crawford wrote:
>>> There are many ways to skin this cat; stateless autoconfig looks
>>> like it mostly works, but privacy extensions seem to be
On Mar 26, 2014, at 10:55 AM, Luke S. Crawford wrote:
> On 03/24/2014 06:18 PM, Owen DeLong wrote:
>> DHCPv6 is no less robust in my experience than DHCPv4.
>>
>> ARP and ND have mostly equivalent issues.
>
> This depends a lot on what you mean by 'robust'
>
> Now, I have dealt with NAT, and
On Mar 26, 2014, at 3:18 AM, Matthias Leisi wrote:
> On Wed, Mar 26, 2014 at 6:31 AM, Owen DeLong wrote:
>
>
>> OTOH, a spammer with a single /64, pretty much the absolute minimum IPv6
>> block, has more than 18 quintillion addresses and there's not a computer on
>> the planet with enough mem
On Wed, Mar 26, 2014 at 06:52:53PM -0500, Timothy Morizot wrote:
> On Mar 26, 2014 6:27 PM, "Luke S. Crawford" wrote:
> > My original comment and complaint, though, was in response to the
> > assertion that DHCPv6 is as robust as DHCPv4. My point is that DHCPv6
> > does not fill the role that DHCPv4
On Mar 26, 2014 6:27 PM, "Luke S. Crawford" wrote:
> My original comment and complaint, though, was in response to the
> assertion that DHCPv6 is as robust as DHCPv4. My point is that DHCPv6
> does not fill the role that DHCPv4 fills, if you care about tying an IP to
> a MAC and you want that connecti
On 03/26/2014 03:49 PM, Matt Palmer wrote:
On Wed, Mar 26, 2014 at 10:55:03AM -0700, Luke S. Crawford wrote:
There are many ways to skin this cat; stateless autoconfig looks
like it mostly works, but privacy extensions seem to be the default
in many places; outgoing IPv6 from those random addres
On Wed, Mar 26, 2014 at 10:55:03AM -0700, Luke S. Crawford wrote:
> There are many ways to skin this cat; stateless autoconfig looks
> like it mostly works, but privacy extensions seem to be the default
> in many places; outgoing IPv6 from those random addresses will trip
> my BCP38 filters.
Your
If you can figure out how to store an address and a mask you can have any size
entry you want. Just like a routing table. This is not insurmountable.
Steven Naslund
Chicago IL
> OTOH, a spammer with a single /64, pretty much the absolute minimum
> IPv6 block, has more than 18 quintillion add
On Wed, 26 Mar 2014, Luke S. Crawford wrote:
On 03/24/2014 06:18 PM, Owen DeLong wrote:
DHCPv6 is no less robust in my experience than DHCPv4.
ARP and ND have mostly equivalent issues.
This depends a lot on what you mean by 'robust'
Now, I have dealt with NAT, and I see IPv6 as a technol
On 3/26/2014 12:55 PM, Luke S. Crawford wrote:
However, DHCPv6 isn't anywhere near as useful for me, as someone who
normally deals with IPs that don't change, as DHCPv4 is.
My favorite is the RA thing. Years ago I decided that stupid DSLAMs were
better than smart ones, so I generally utili
On 03/24/2014 06:18 PM, Owen DeLong wrote:
DHCPv6 is no less robust in my experience than DHCPv4.
ARP and ND have mostly equivalent issues.
This depends a lot on what you mean by 'robust'
Now, I have dealt with NAT, and I see IPv6 as a technology with the
potential to make my life less unple
John Levine wrote:
>
> If I were a spammer or an ESP who wanted to listwash, I could easily use
> a different IP address for every single message I sent.
Until mail servers start rate-limiting the number of different addresses
that are used :-) You can do something like the following in Exim, whic
On 03/26/2014 01:09 PM, John Levine wrote:
Quite right. If I were a spammer or an ESP who wanted to listwash, I
could easily use a different IP address for every single message I
sent. R's, John
Week before last I saw this in great detail, with nearly 100,000
messages sent to our users per day
On 3/26/2014 12:09 PM, John Levine wrote:
OTOH, a spammer with a single /64, pretty much the absolute minimum IPv6 block,
has more than 18 quintillion addresses
and there's not a computer on the planet with enough memory (or probably not
even enough disk space) to store that
block list.
Someti
>It only takes a single entry if you do not store /128s but that /64. Yes,
>RBL lookups do not currently know how to handle this, but there are a
>couple of good proposals around on how to do it.
Sigh. See previous note on why aggregating on /64 won't work.
>This would also reduce the risks from
>OTOH, a spammer with a single /64, pretty much the absolute minimum IPv6
>block, has more than 18 quintillion addresses
>and there's not a computer on the planet with enough memory (or probably not
>even enough disk space) to store that
>block list.
>
>Sometimes scale is everything. host-based r
On Wed, Mar 26, 2014 at 6:31 AM, Owen DeLong wrote:
> OTOH, a spammer with a single /64, pretty much the absolute minimum IPv6
> block, has more than 18 quintillion addresses and there's not a computer on
> the planet with enough memory (or probably not even enough disk space) to
> store that bl
>>>
>>> Thus far, IPv6 has been the "Field of Dreams" those of us who have
>>> built it, we know they have not yet come (the IPv6 customers). That's
>>> all this discussion is really about is "when will they come".
>>
>> Some of us have quite a few IPv6 customers:
>> http://www.worldipv6la
>> IPv6 adds an entirely new aspect to it.
>
> Well, if you mean the entirely new aspect is a list of hex addresses instead
> of dotted decimal addresses I guess so. I personally would rather have a
> list of actual end system addresses than a list of addresses that represent a
> mail server a
On Tue, 25 Mar 2014 09:55:21 -0400, Lee Howard said:
> Some of us have quite a few IPv6 customers:
> http://www.worldipv6launch.org/measurements/
> And we see significant traffic from those users. :-)
I'm actually glad to see that we're no longer on the first page
of that list. ;)
On 03/24/2014 09:39 PM, Paul Ferguson wrote:
I'll leave it as an exercise for the remainder of... everywhere to
figure out why there is resistance to v6 migration, and it isn't "just
because" people can't be bothered.
I'm sure there are numerous enterprises in the same shape I am in, with
signif
>>
>> Look at it this way. If I see an attack coming from behind your NAT,
>> I'm gonna deny all traffic coming from your NAT block until you assure
>> me you have it fixed because I have no way of knowing which host it is
>> coming from. Now your whole network is unreachable. If you have a
>
Bob Evans
CTO
>
>
> On 3/24/14 9:12 PM, "Bob Evans" wrote:
>
>>
>>I agree with "one" thing herein
>>
>>> In order for IPv6 to truly work, everyone needs to be moving towards
>>>IPv6.
>>
>>Yep, chicken and the egg. I agree. We built an IPv6 "native" network - no
>>tunneling - no customers to
>
>It is late and I am just rambling, but even with DHCP(4and6) changing IP
>networks is not a trivial thing. Not hard, but it will require a lot more
>planning than what many do today of simply changing the WAN IP address
>and some records in the DNS (if needed)
We tried: http://tools.ietf.org/
On 3/24/14 9:12 PM, "Bob Evans" wrote:
>
>I agree with "one" thing herein
>
>> In order for IPv6 to truly work, everyone needs to be moving towards
>>IPv6.
>
>Yep, chicken and the egg. I agree. We built an IPv6 "native" network - no
>tunneling - no customers to speak of ... didn't even both
On 3/24/14 10:17 PM, "Naslund, Steve" wrote:
>I can easily answer that one as a holder of v4 space at a commercial
>entity. The end user does not feel any compelling reason to move to ipv6
>if they have enough v4 space.
>
>I can't give my employer a solid business case of why they need to make
On Tue, 25 Mar 2014 16:31:17 +1100, Mark Andrews said:
> My bet is the number needing more that a single /64 will exceed the number
> needing just a /64. Most phones really need two /64 for tethering and
> currently there are lots of kludges to work around only one being available.
As a data poi
On 3/24/14 2:38 PM, "William Herrin" wrote:
>On Mon, Mar 24, 2014 at 2:23 PM, Lee Howard wrote:
>> On 3/24/14 1:37 PM, "William Herrin" wrote:
>>>That would be one of those "details" on which smart people disagree.
>>>In this case, I think you're wrong. Modern NAT superseded the
>>>transparen
On Sun, Mar 23, 2014 at 10:07 PM, Naslund, Steve wrote:
> As far as printers being a more dangerous attack vector than computers, I
> definitely don't buy that argument. It does not change in v4 or v6.
Printers are not merely "attack vectors"; they are targets.
It only makes sense to describe t
On Mon, Mar 24, 2014 at 9:12 PM, Bob Evans wrote:
>
> Thus far, IPv6 has been the "Field of Dreams" those of us who have
> built it, we know they have not yet come (the IPv6 customers). That's
> all this discussion is really about is "when will they come".
>
> I know the core of the Interne
On Mar 24, 2014, at 10:12 PM, Alexander Lopez wrote:
>> On Mar 24, 2014, at 9:36 AM, Alexander Lopez
>> wrote:
>>
>>> not to mention the cost in readdressing your entire network when you
>> change an upstream provider.
>>>
>>> Nat was a fix to a problem of lack of addresses, however, the use
In message <7b6af6e9-905a-4d14-b54f-8f244afcf...@delong.com>, Owen DeLong writes:
>
> On Mar 24, 2014, at 8:52 PM, George Herbert
> wrote:
>
> >
> >
> >
> > On Mon, Mar 24, 2014 at 8:02 PM, Owen DeLong wrote:
> >
> > On Mar 24, 2014, at 9:21 AM, William Herrin wrote:
> >
> > > On Sun, Mar 23,
On Mar 24, 2014, at 8:52 PM, George Herbert wrote:
>
>
>
> On Mon, Mar 24, 2014 at 8:02 PM, Owen DeLong wrote:
>
> On Mar 24, 2014, at 9:21 AM, William Herrin wrote:
>
> > On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve
> > wrote:
> >> I am not sure I agree with the basic premise here.
I'm open to
insights on this.
--
Hugo
On 2014-03-25, Alexander Lopez wrote:
-Original Message-
From: Naslund, Steve [mailto:snasl...@medline.com]
Sent: Monday, March 24, 2014 10:48 PM
To: Owen DeLong; mark.ti...@seacom.mu
Cc: nanog@nanog.org
Subject: RE: misunderstanding scale
Look at
In message , Alexander Lopez writes:
> > On Mar 24, 2014, at 9:36 AM, Alexander Lopez
> > wrote:
> >
> > > not to mention the cost in readdressing your entire network when you
> > > change an upstream provider.
> > >
> > > Nat was a fix to a problem of lack of addresses, however, the use of
> >
> -Original Message-
> From: Naslund, Steve [mailto:snasl...@medline.com]
> Sent: Monday, March 24, 2014 10:48 PM
> To: Owen DeLong; mark.ti...@seacom.mu
> Cc: nanog@nanog.org
> Subject: RE: misunderstanding scale
>
> Look at it this way. If I see an attack com
> On Mar 24, 2014, at 9:36 AM, Alexander Lopez
> wrote:
>
> > not to mention the cost in readdressing your entire network when you
> change an upstream provider.
> >
> > Nat was a fix to a problem of lack of addresses, however, the use of
> private address space 10/8, 192.168/16 has allowed many
On Mon, Mar 24, 2014 at 8:02 PM, Owen DeLong wrote:
>
> On Mar 24, 2014, at 9:21 AM, William Herrin wrote:
>
> > On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve
> wrote:
> >> I am not sure I agree with the basic premise here. NAT or Private
> addressing does not equal security.
> >
> > Hi St
On Mar 24, 2014, at 10:35 AM, Laszlo Hanyecz wrote:
>
> On Mar 24, 2014, at 5:05 PM, "Patrick W. Gilmore" wrote:
>
>> On Mar 24, 2014, at 12:21, William Herrin wrote:
>>> On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve
>>> wrote:
>>
I am not sure I agree with the basic premise here.
On Mar 24, 2014, at 9:36 AM, Alexander Lopez wrote:
> not to mention the cost in readdressing your entire network when you change
> an upstream provider.
>
> Nat was a fix to a problem of lack of addresses, however, the use of private
> address space 10/8, 192.168/16 has allowed many to enjo
On Tue, 25 Mar 2014 02:47:31 -, "Naslund, Steve" said:
> Lots and lots of enterprises count on a hard perimeter and almost nothing
> behind it so once I am in behind your NAT, you are unlikely to notice it until
> something real bad happens. That is the state of most enterprise network
> secu
On Mar 24, 2014, at 9:21 AM, William Herrin wrote:
> On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve wrote:
>> I am not sure I agree with the basic premise here. NAT or Private
>> addressing does not equal security.
>
> Hi Steve,
>
> It is your privilege to believe this and to practice it
On Mar 24, 2014, at 9:20 AM, William Herrin wrote:
> On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer wrote:
>> Addressable is not the same as
>> accessible; routable is not the same as routed.
>
> Indeed. However, all successful security is about _defense in depth_.
> If it is inaccessible, unroute
Exactly right. In fact that is generous because the v6 host having a stateful
firewall has a real protocol aware firewall (and often bundled IDS/IPS
capability) not just a NAT to protect him.
The NAT provides almost no security once a single host behind the NAT is
compromised and makes an ou
On Mar 23, 2014, at 11:38 PM, Mark Tinka wrote:
> On Sunday, March 23, 2014 09:35:31 PM Denis Fondras wrote:
>
>> When speaking of IPv6 deployment, I routinely hear about
>> host security. I feel like it should be stated that this
>> is *in no way* an IPv6 issue. May the device be ULA,
>> LLA,
I can easily answer that one as a holder of v4 space at a commercial entity.
The end user does not feel any compelling reason to move to ipv6 if they have
enough v4 space.
I can't give my employer a solid business case of why they need to make the
IPv6 transition. They already hold enough v4
> "Your attack surface has already expanded whether or not you deploy IPv6."
> Not so. If I don't enable IPv6 on my hosts, the attacker can yammer
> away via IPv6 all day long with no result.
If that were true, yes. The reality is that to make that a true statement,
you would have to modify it to
It is unsettling to see such dismissive attitudes.
I'll leave it as an exercise for the remainder of... everywhere to
figure out why there is resistance to v6 migration, and it isn't "just
because" people can't be bothered.
Your customers are your
On 03/24/2014 06:05 PM, Owen DeLong wrote:
So ULA the printers (if you must).
That doesn’t create a need for ULA on anything that talks to the internet, nor
does it create a requirement to do NPT or NAT66.
From a security perspective, I wouldn't trust my printer to not number
itself with a
On Mar 23, 2014, at 5:24 PM, Mike Hale wrote:
> "I wasn't aware that calling out FUD was derisive, but whatever."
> It's derisive because you completely dismiss a huge security issue
> that, given the state of IPv6 adoption, a great majority of companies
> are facing.
I would say that calling i
On Mar 23, 2014, at 2:45 PM, Paul Ferguson wrote:
> On 3/23/2014 2:27 PM, Timothy Morizot wrote:
>
>>
>> On Mar 23, 2014 11:27 AM, "Paul Ferguson"
>> mailto:fergdawgs...@mykolab.com>>
>> wrote:
>>> Also, IPv6 introduces some serious securi
I agree with "one" thing herein
> In order for IPv6 to truly work, everyone needs to be moving towards IPv6.
Yep, chicken and the egg. I agree. We built an IPv6 "native" network - no
tunneling - no customers to speak of ... didn't even bother to start IPv6
peering on it.
> Maintaining dual
On Mar 23, 2014, at 11:09 AM, Mark Tinka wrote:
> On Sunday, March 23, 2014 06:57:26 PM Mark Andrews wrote:
>
>> ISP's have done a good job of brain washing their
>> customers into thinking that they shouldn't be able to
>> run services from home. That all their machines
>> shouldn't have a glo
On Mar 22, 2014, at 10:10 PM, John Levine wrote:
>>> It will be a long time
>>> before the price of v4 rises high enough to make it
>>> worth the risk of going v6 only.
>>
>> New ISP's are born everyday.
>>
>> Some of them will be able to have a "Buy an ISP that has
>> IPv4" or "Buy IPv4 spac
On Mon, Mar 24, 2014 at 8:05 PM, Warren Bailey
wrote:
> FYI He tells everyone they're cute. Don't buy his tricks, he doesn't call
> back the next morning.
>
> Ps. Take it easy on each other. It's the beginning of spring.. Head
> outside..
Spring!? Snow is in tonight's forecast here in Virginia.
On Mar 22, 2014, at 3:49 PM, Nick Hilliard wrote:
> On 22/03/2014 19:35, Justin M. Streiner wrote:
>> CGN also comes with lots of downside that customers are likely to find
>> unpleasant. For some operators, customer (dis)satisfaction might be the
>> driver that ultimately forces them to deploy
How long, exactly, do you expect 3.2 billion unicast addresses to provide
enough addressing for 6.8+ billion people?
Oh, I'd say a decade. Like I said, I have IPv6 on my server and my home
broadband, which mostly works, with the emphasis on the mostly.
We've just barely started to move from
On Mar 22, 2014, at 12:36 PM, William Herrin wrote:
> On Sat, Mar 22, 2014 at 11:54 AM, Justin M. Streiner
> wrote:
>> On Sat, 22 Mar 2014, William Herrin wrote:
>>> On Sat, Mar 22, 2014 at 10:33 AM, Justin M. Streiner
>>> wrote:
All of these 'Hail Mary' options for 'saving' IPv4 re
IPv4 has already been trading around $10/address.
So the prices quoted a while back don’t make much sense to me.
Further, could you please quantify “vast”? How many /8 equivalents in
a “vast number”?
Until they ran out, APNIC was issuing approximately 1.5 /8s per month.
How long, exactly, do yo
othy Morizot
Cc: NANOG list
Subject: Re: misunderstanding scale
Don't disagree with you there.
I'm saying many an enterprise (small and large) as well as homes operate this
way. There is a lot of unlearning to do.
The whole issue is that a number of enterprises "may"
On Mar 22, 2014, at 10:16 AM, Nick Hilliard wrote:
> On 22/03/2014 16:29, Doug Barton wrote:
>> It is a mistake to believe that the only reason to add IPv6 to your network
>> is size. Adding IPv6 to your network _now_ is the right decision because at
>> some point in the not-too-distant future i
Let’s assume, for a moment, that there are 32 /8s out there that could be
reclaimed.
Let’s further assume that renumbering out of a /8 takes, on average, about 18
months.
(That’s moving almost 1,000,000 customers per month on average, potentially).
Even if we got all 32 /8 equivalents back over
In order for IPv6 to truly work, everyone needs to be moving towards IPv6.
Maintaining dual protocols for the entire internet is problematic, wasteful,
and horribly
inefficient at best. Bottom line, the internet outgrew IPv4 almost 30 years ago
and
we’ve been using various hacks like NAT as a so
FYI He tells everyone they're cute. Don't buy his tricks, he doesn't call
back the next morning.
;)
Ps. Take it easy on each other. It's the beginning of spring.. Head
outside.. Go have a beer.. Smoke a joint.. What I am getting at is.. It's
possible you guys should relax and realize that in the
>>> You propose stateless NAT64 as a viable alternative to CGN.
^^^
>> where do i do that?
> Nick Hilliard
ahh. i see your error. i am not nick hilliard. he's the cute one.
> Your reply (verbosity added for clarity): "[Sure it is! Unlike where
> folks solve their problem with CGN, v6 to v
On Mon, Mar 24, 2014 at 7:37 PM, Randy Bush wrote:
>> You propose stateless NAT64 as a viable alternative to CGN.
>
> where do i do that?
Nick Hilliard: "don't believe for a moment that v6 to v4 protocol
translation is any less
ugly than CGN."
Your reply (verbosity added for clarity): "[Sure it
> You propose stateless NAT64 as a viable alternative to CGN.
where do i do that?
> The question stands: where are you planning to get the extra IPv4
> addresses for the static 1:1 mapping?
maybe look at the +P in A+P
randy
On Mon, Mar 24, 2014 at 6:46 PM, Randy Bush wrote:
>> And all those IPv4 addresses for the 1:1 translation required by the
>> stateless version are coming from where exactly?
>
> maybe you should read the documents
I did. They were abstruse beyond even the normal level for RFCs but I
made it thro
On Mon, Mar 24, 2014 at 1:37 PM, wrote:
> On Mon, 24 Mar 2014 13:13:43 -0400, William Herrin said:
>> You'd expect folks to give up two layers of security at exactly the
>> same time as they're absorbing a new network protocol with which
>> they're yet unskilled? Does that make sense to you from
> And all those IPv4 addresses for the 1:1 translation required by the
> stateless version are coming from where exactly?
maybe you should read the documents
On Mon, Mar 24, 2014 at 2:56 PM, Tore Anderson wrote:
> * William Herrin
>> On Sat, Mar 22, 2014 at 8:19 PM, Randy Bush wrote:
don't believe for a moment that v6 to v4 protocol translation is any less
ugly than CGN.
>>>
>>> it can be stateless
>>
>> You're smarter than that.
>
> https:/
On 3/24/14 10:37 AM, valdis.kletni...@vt.edu wrote:
On Mon, 24 Mar 2014 13:13:43 -0400, William Herrin said:
You'd expect folks to give up two layers of security at exactly the
same time as they're absorbing a new network protocol with which
they're yet unskilled? Does that make sense to you fr
> https://tools.ietf.org/html/rfc6145
> https://tools.ietf.org/html/draft-ietf-softwire-map-t-05
> https://tools.ietf.org/html/draft-anderson-siit-dc-00
derived from 6346
randy
On 3/24/14 10:08 AM, William Herrin wrote:
On Mon, Mar 24, 2014 at 12:28 PM, Michael Thomas wrote:
On 03/24/2014 09:20 AM, William Herrin wrote:
On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer wrote:
Addressable is not the same as
accessible; routable is not the same as routed.
Indeed. However,
@nanog.org
Subject: Re: misunderstanding scale
On Mon, Mar 24, 2014 at 8:31 AM, Joe Greco wrote:
>> all successful security is about _defense in depth_.
>> If it is inaccessible, unrouted, unroutable and unaddressable then
>> you have four layers of security. If it is merely inaccessibl
* William Herrin
> On Sat, Mar 22, 2014 at 8:19 PM, Randy Bush wrote:
>>> don't believe for a moment that v6 to v4 protocol translation is any less
>>> ugly than CGN.
>>
>> it can be stateless
>
> You're smarter than that.
https://tools.ietf.org/html/rfc6145
https://tools.ietf.org/html/draft-ie
I doubt that many residential customers will be readdressing their networks
except for us geeks. Most of them are going to be using CPE that grabs an
address via DHCP for the WAN interface and then does an IPv6 DHCP PD with the
/64 it gets from the service provider. The customer sees nothing a
> it involves two layers of heterogeneous firewalls (protecting multiple
^
Ugh. Knew I was forgetting something.
... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one
On Mon, Mar 24, 2014 at 12:37 PM, William Herrin wrote:
> What sort of traction are you getting from that argument when you
> speak with enterprise security folks?
>
Actually, I never even had to make the argument in our enterprise. Our
cybersecurity organization already knew that overall NAT re
On Mon, Mar 24, 2014 at 8:25 AM, Joe Greco wrote:
> Bill Herrin wrote:
>
> I say this with the utmost respect, but you must understand the
> > principle of defense in depth in order to make competent security
> > decisions for your organization. Smart people disagree on the details
> > but the pr
On Mon, Mar 24, 2014 at 2:23 PM, Lee Howard wrote:
> On 3/24/14 1:37 PM, "William Herrin" wrote:
>>That would be one of those "details" on which smart people disagree.
>>In this case, I think you're wrong. Modern NAT superseded the
>>transparent proxies and bastion hosts of the '90s because it do
On Mon, Mar 24, 2014 at 11:36 AM, Alexander Lopez wrote:
> not to mention the cost in readdressing your entire network when you
> change an upstream provider.
>
> Nat was a fix to a problem of lack of addresses, however, the use of
> private address space 10/8, 192.168/16 has allowed many to enjo
On 3/24/14 1:37 PM, "William Herrin" wrote:
>On Mon, Mar 24, 2014 at 9:25 AM, Joe Greco wrote:
>>> I say this with the utmost respect, but you must understand the
>>> principle of defense in depth in order to make competent security
>>> decisions for your organization. Smart people disagree on
On Mon, 24 Mar 2014 13:13:43 -0400, William Herrin said:
> You'd expect folks to give up two layers of security at exactly the
> same time as they're absorbing a new network protocol with which
> they're yet unskilled? Does that make sense to you from a
> risk-management standpoint?
The problem i
On Mar 24, 2014, at 13:17 , William Herrin wrote:
> On Mon, Mar 24, 2014 at 1:05 PM, Patrick W. Gilmore wrote:
>> On Mar 24, 2014, at 12:21, William Herrin wrote:
>>> Some folks WANT to segregate their networks from the Internet via a
>>> general-protocol transparent proxy. They've had this cap
Sent: Monday, March 24, 2014 12:34 PM
To: Naslund, Steve
Subject: Re: misunderstanding scale
On 3/24/2014 12:53 PM, Naslund, Steve wrote:
> If they have a stateful IPv6 firewall (which they should and which most
> firewall vendors support), they already have what they need to prevent their
&g
On Mon, Mar 24, 2014 at 9:25 AM, Joe Greco wrote:
>> I say this with the utmost respect, but you must understand the
>> principle of defense in depth in order to make competent security
>> decisions for your organization. Smart people disagree on the details
>> but the principle is not only iron c
On Mar 24, 2014, at 5:05 PM, "Patrick W. Gilmore" wrote:
> On Mar 24, 2014, at 12:21, William Herrin wrote:
>> On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve
>> wrote:
>
>>> I am not sure I agree with the basic premise here. NAT or Private
>>> addressing does not equal security.
>
>> M
> On Mon, Mar 24, 2014 at 8:31 AM, Joe Greco wrote:
> >> all successful security is about _defense in depth_.
> >> If it is inaccessible, unrouted, unroutable and unaddressable then you
> >> have four layers of security. If it is merely inaccessible and
> >> unrouted you have two.
> >
> > Time to
> Hi Mike,
>
> You can either press the big red button and fire the nukes or you
> can't, so what difference how many layers of security are involved
> with the "Football?"
>
> I say this with the utmost respect, but you must understand the
> principle of defense in depth in order to make compete
On Mon, Mar 24, 2014 at 1:05 PM, Patrick W. Gilmore wrote:
> On Mar 24, 2014, at 12:21, William Herrin wrote:
>> Some folks WANT to segregate their networks from the Internet via a
>> general-protocol transparent proxy. They've had this capability with
>> IPv4 for 20 years. IPv6 poorly addresses
On Mon, Mar 24, 2014 at 8:31 AM, Joe Greco wrote:
>> all successful security is about _defense in depth_.
>> If it is inaccessible, unrouted, unroutable and unaddressable then you
>> have four layers of security. If it is merely inaccessible and
>> unrouted you have two.
>
> Time to give up two la
On Mon, Mar 24, 2014 at 12:28 PM, Michael Thomas wrote:
> On 03/24/2014 09:20 AM, William Herrin wrote:
>> On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer wrote:
>>> Addressable is not the same as
>>> accessible; routable is not the same as routed.
>>
>> Indeed. However, all successful security is abo