On Wed, 2011-03-30 at 12:30 -0400, Derek J. Balling wrote:
> On Mar 30, 2011, at 10:24 AM, Adam Tauno Williams wrote:
> >> about security. People have come to rely on their IPv4 NAT as a form
> >> of inbound packet filter.
> > Incorrectly, yes. Because they don't know the difference between NAT
> > and a firewall.
> I think plenty of people know the difference between NAT and a firewall.
> The issue is that if you're in some hacker-hellhole in Southeast Asia
> and my server's IP address is "192.168.1.14", and I haven't
> *specifically* enabled some sort of mapping to allow you to talk to
> some other address to talk to that server, you're not going to reach
> my server without a whole mess of people doing something wrong in the
> middle.

Which will also be true for the most basic and simplest of IPv6
configurations. You've convinced yourself somehow that it won't be - but
it will. Block ingress, permit egress, done. For security and usability
you are exactly where you are now.

> At the same time, though, if I want to initiate an outbound connection
> with my server still having its private-address, my firewall will
> happily allow me to connect outbound (for software/firmware upgrades,
> etc.)

No, your NAT enables it, your firewall allows it. IPv6 just throws away
the pointless cost of NAT. Your firewall still allows it [or doesn't].

> The "purists" will argue "oh you don't NEED that, all you NEED is a
> really great firewall setup",

No, you don't need a "really great firewall setup", you just need the
basic, and usually default, firewall configuration. Allow egress, block
ingress, done.

> or whatever, but the practical reality is that the existing model
> works pretty darned good for a whole lot of use-cases, and IPv6 seems
> hell-bent-by-design to break that model.

No, the current model really sucks in a lot of use-cases. Software is
loaded with all kinds of bizarre traversal techniques - just take all
that code and throw it in the can.

> Because (from the outside looking in), it looks like IPv6 was designed
> by religious zealots with not a lot of practical experience.

Right, IANA & IETF [and Microsoft, Cisco, and IBM] are a bunch of noobs.
Funny.

> I'm not saying that's *actually* the case, but IPv6 definitely
> resembles a "camel" in a lot of respects. Various portions of the
> protocol seem specifically designed to promote some sort of "we know
> better than you how you should be running your network" mentality, and
> often to the detriment of everyone involved. For example, the way the
> DHCP folks undermined the RA usefulness, and the way the router-minded
> folks gutted the usefulness of DHCPv6, leaving us with two big piles
> of stinking offal that are legitimately attractive, as designed, to a
> very small subset of the people who have to use them.

See RFC6106; this allows DNS advertisements in router advertisements.
The RA vs. DHCP thing was, I believe, kind of poorly conceived; but it
is workable.

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
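The "allow egress, block ingress" configuration the reply describes, written out as an added example (not code from the thread or from any poster): a minimal stateful nftables ruleset for an IPv6 router, with no NAT involved. The interface names wan0/lan0 and the address 2001:db8::14 are placeholders.

```shell
#!/bin/sh
# Added example: stateful IPv6 ruleset for a router, nftables syntax.
# Replies to inside-initiated connections come back in; unsolicited
# inbound traffic hits the drop policy. Interface names are placeholders.
gen_ruleset() {
  wan="${1:-wan0}"
  lan="${2:-lan0}"
  cat <<EOF
table ip6 filter {
  chain forward {
    type filter hook forward priority 0; policy drop;

    # packets belonging to flows the LAN opened are let back in
    ct state established,related accept
    ct state invalid drop

    # IPv6 does not work without ICMPv6 (neighbor discovery, path MTU
    # discovery); do not blanket-drop it the way people do with ICMPv4
    meta l4proto ipv6-icmp accept

    # egress: anything from the LAN may go out
    iifname "$lan" oifname "$wan" accept

    # ingress: everything else arriving on the WAN is dropped by policy.
    # A service is exposed only by an explicit rule here, e.g.
    #   iifname "$wan" ip6 daddr 2001:db8::14 tcp dport 22 accept
  }
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    meta l4proto ipv6-icmp accept
    # the router itself is reachable from the LAN only
    iifname "$lan" accept
  }
}
EOF
}

# Load it with:  gen_ruleset wan0 lan0 | nft -f -
```

Unlike an IPv4 NAT box, nothing here rewrites addresses; the connection tracker alone decides what comes back in.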