On Thu, Mar 31, 2011 at 3:56 AM, Phil Pennock wrote:
> On 2011-03-30 at 14:08 -0400, Derek J. Balling wrote:
>> Not at all. Firewalls get misconfigured by accident. It happens, we're all
>> human. And then you *think* you've got security, because you're trusting
>> your broken firewall, but you
On Thu, 2011-03-31 at 03:59 -0400, Phil Pennock wrote:
> On 2011-03-30 at 14:34 -0500, Matt Lawrence wrote:
> > On Wed, 30 Mar 2011, Dan Foster wrote:
> > > To summarize Derek's position: IPv4 NAT fails safe, IPv6 -- not so much.
> > It's also a defense in depth, the NAT and the firewall on IPV6 ea
On Wed, Mar 30, 2011 at 06:07:28PM -0400, Edward Ned Harvey wrote:
> Therefore, a stateful firewall packet filter at the perimeter is necessary
> to block inbound unsolicited traffic.
>
> Therefore, p2p in general is broken. Unless
>
Having nodes as peers implies that they can participate i
On Thu, 31 Mar 2011, Phil Pennock wrote:
> On 2011-03-30 at 14:08 -0400, Derek J. Balling wrote:
>> Not at all. Firewalls get misconfigured by accident. It happens, we're all
>> human. And then you *think* you've got security, because you're trusting
>> your broken firewall, but you don't.
>>
>>
On 2011-03-30 at 14:34 -0500, Matt Lawrence wrote:
> On Wed, 30 Mar 2011, Dan Foster wrote:
> > To summarize Derek's position: IPv4 NAT fails safe, IPv6 -- not so much.
>
> It's also a defense in depth, the NAT and the firewall on IPV6 each
> provide security.
No. The firewall is what drops the
On 2011-03-30 at 14:08 -0400, Derek J. Balling wrote:
> Not at all. Firewalls get misconfigured by accident. It happens, we're all
> human. And then you *think* you've got security, because you're trusting your
> broken firewall, but you don't.
>
> Unroutable addresses like RFC1918-space don't s
Given that I haven't implemented IPv6 in the least, I probably
shouldn't be wading into this discussion, but I've read a bit about
it. That may not mean so much, though...
So anyway, as I understand it, IPv6 addresses are all about the
address prefix...and one of the prefixes is a link local
I suspect the answer at the moment is that there is no answer. AFAIK
IPv6 isn't really ready to auto-magically open firewalls. This is
generally something you would only want to happen for consumers,
and not any business/enterprise network.
When the IPv6 has gotten enough traction that broadb
Ok, that other thread got kind of out of control. So let's try this
question again, in a different way:
Given: When using IPv6, some people will use NAT, others won't. Each
person can make their own decision. If you want to dispute that, please
start a new thread instead of this one. I've had
On Wed, 30 Mar 2011, Dan Foster wrote:
> To summarize Derek's position: IPv4 NAT fails safe, IPv6 -- not so much.
It's also a defense in depth, the NAT and the firewall on IPV6 each
provide security.
I'm also concerned about how much information about my internal network
could leak out ov
Hot Diggety! Dan Foster was rumored to have written:
>
> I'm still undecided, though with reasonable change control and cross
> verification procedures, I think I'd probably find it to be an
> acceptable risk for use of IPv6 NAT given needs.
*sigh*
I _meant_ to say: IPv6 sans NAT...
One of thes
On Mar 30, 2011, at 3:11 PM, Dan Foster wrote:
> To summarize Derek's position: IPv4 NAT fails safe, IPv6 -- not so much.
Exactly.
D
___
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided
Hot Diggety! Derek J. Balling was rumored to have written:
>
> > answering the question: WOULD it have ever forwarded if you had
> > routable IPs behind it? Did RFC1918 ever really save you? And if
> > not, why hold onto it?
>
> If I never had a specific rule "forward a connection inward to
> $PR
On Mar 30, 2011, at 2:49 PM, Tracy Reed wrote:
> Never, not once in my 17 year career managing firewalls, have I found
> that a misconfigured firewall was accidentally forwarding. Have you?
Yes. I've found places where someone fat-fingered an ALLOW rule and had
accidentally allowed MUCH larger s
On Mar 30, 2011, at 2:41 PM, Brian Mathis wrote:
> Also, you keep citing firewall misconfiguration as a reason to do
> other things the wrong way. Once you bring that up, your argument
> becomes invalid since you could say that about anything. "What do you
> mean I don't have backups, I was *def
On Wed, Mar 30, 2011 at 02:08:22PM -0400, Derek J. Balling spake thusly:
> Unroutable addresses like RFC1918-space don't suddenly manage to be
> routable across the world to my servers. It takes a MUCH more heinous
> misconfiguration (static NATs, port-forwarding, etc.) for a
> misconfigured NAT to
On Wed, Mar 30, 2011 at 2:08 PM, Derek J. Balling wrote:
>
> On Mar 30, 2011, at 1:27 PM, Adam Tauno Williams wrote:
>>> I think plenty of people know the difference between NAT and a firewall.
>>> The issue is that if you're in some hacker-hellhole in Southeast Asia
>>> and my server's IP address
On Mar 30, 2011, at 1:27 PM, Adam Tauno Williams wrote:
>> I think plenty of people know the difference between NAT and a firewall.
>> The issue is that if you're in some hacker-hellhole in Southeast Asia
>> and my server's IP address is "192.168.1.14", and I haven't
>> *specifically* enabled som
On Wed, 2011-03-30 at 12:30 -0400, Derek J. Balling wrote:
> On Mar 30, 2011, at 10:24 AM, Adam Tauno Williams wrote:
> >> about security. People have come to rely on their IPv4 NAT as a form
> >> of inbound packet filter.
> > Incorrectly, yes. Because they don't know the difference between NAT
On Mar 30, 2011, at 10:24 AM, Adam Tauno Williams wrote:
>> about security. People have come to rely on their IPv4 NAT as a form
>> of inbound packet filter.
>
> Incorrectly, yes. Because they don't know the difference between NAT
> and a firewall.
I think plenty of people know the difference
> "Yves" == Yves Dorfsman writes:
Yves> -half of the people thought it was important to hide the internal
Yves> network and wanted to carry on some form of NATing with IPv6
Yves> -the other half thought firewalling was sufficient and that the
Yves> advantages of each device using its own ip
On 11-03-30 08:02 AM, Edward Ned Harvey wrote:
> One of the barriers to widespread deployment of IPv6 is fear about security.
> People have come to rely on their IPv4 NAT as a form of inbound packet filter.
> So moving forward, it seems only natural that (for people who agree with this
> policy) a
On Wed, 2011-03-30 at 10:02 -0400, Edward Ned Harvey wrote:
> As I recall from previous discussion here and on other lists...
> One of the barriers to widespread deployment of IPv6 is fear
Yes, fear, much in relation to FURFI (fear and uncertainty resulting
from ignorance).
> about security. Pe
As I recall from previous discussion here and on other lists...
One of the barriers to widespread deployment of IPv6 is fear about security.
People have come to rely on their IPv4 NAT as a form of inbound packet
filter. So moving forward, it seems only natural that (for people who agree
with t