On Mar 30, 2011, at 1:27 PM, Adam Tauno Williams wrote:

>> I think plenty of people know the difference between NAT and a firewall.
>> The issue is that if you're in some hacker-hellhole in Southeast Asia
>> and my server's IP address is "192.168.1.14", and I haven't
>> *specifically* enabled some sort of mapping to allow you to talk to
>> some other address to talk to that server, you're not going to reach
>> my server without a whole mess of people doing something wrong in the
>> middle.
>
> Which will also be true for the most basic and simplest of IPv6
> configurations. You've convinced yourself somehow that it won't be -
> but it will. Block ingress, permit egress, done. For security and
> usability you are exactly where you are now.

Not at all. Firewalls get misconfigured by accident. It happens; we're all human. And then you *think* you've got security, because you're trusting your broken firewall, but you don't. Unroutable addresses like RFC 1918 space don't suddenly manage to be routable across the world to my servers. It takes a MUCH more heinous misconfiguration (static NATs, port-forwarding, etc.) for a misconfigured NAT to open a server up to attack.

> No, your NAT enables it, your firewall allows it. IPv6 just throws away
> the pointless cost of NAT. Your firewall still allows it [or doesn't].

YOU say it's pointless. Lots of people, however, do not see it as such. Machines having addresses that are "naturally unroutable" but still allowing them to initiate outbound connections to the outside world as they see fit is a very nice feature set which NAT has made possible.

>> or whatever, but the practical reality is that the existing model
>> works pretty darned good for a whole lot of use-cases, and IPv6 seems
>> hell-bent-by-design to break that model.
>
> No, the current model really sucks in a lot of use-cases. Software is
> loaded with all kind of bizarre traversal techniques - just take all
> that code and throw it in the can.

There are certainly use-cases where it sucks. And for those people, sure, accept the additional risk of using publicly-routable IP space with a firewall ruleset in place. But there are *plenty* of other well-documented use-cases where NAT breaks *nothing*, and thus non-NAT'ed IPs run at a *higher* risk because firewalls get screwed up from time to time, and now those machines behind it are on publicly-reachable IP addresses.

> Right, IANA & IETF [and Microsoft, Cisco, and IBM] are a bunch of nubes.
> Funny. Thank you for making my point for me.

My experience tends to be that once you start getting up to the level of "I work with the IETF to do stuff" or "I work for IANA", you very rarely have any current "boots on the ground" day-to-day interaction with the real world any more. Nobody claimed they were newbs. I claimed they had very little practical experience (PRACTICAL being the key word there).

> See RFC6106; this allows DNS advertisements in router advertisements.
> The RA vs. DHCP thing was, I believe, kind of poorly conceived; but it
> is workable.

How about the myriad other things that DHCP is already configured to hand off, including but not limited to WINS, NTP, PXE/BOOTP, etc., etc., etc., all of which were gutted out of DHCP and not replaced with anything? DHCP has "just friggin' worked" for a long time, and a bunch of religious zealots ruined it for v6. There's no practical reason why DHCPv6 couldn't have worked *exactly* the same way in v6 as it did in v4, other than egos and zealotry.

Cheers,
D

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
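The "block ingress, permit egress" IPv6 policy argued over above, written out as an nftables ruleset, together with a small lint for the failure mode the reply worries about (an input chain whose default policy silently became accept). This is an added example, not code from either poster or from the list; the interface name "eth0" and the temporary file paths are assumptions. It also shows the caveat a v4-trained admin most often trips over: an IPv6 host that drops all inbound ICMPv6 loses neighbour discovery and router advertisements and stops working, so those types are allowed explicitly.

```shell
#!/bin/sh
# Added example: a default-drop-inbound / permit-outbound IPv6 ruleset for
# nftables, plus a lint that catches an accidentally default-accept input
# chain. WAN_IF defaults to "eth0" (assumption); override in the environment.
set -eu

WAN_IF="${WAN_IF:-eth0}"

# Write the intended ruleset to the file named in $1.
write_ruleset() {
    cat > "$1" <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # IPv6 does not function without these: neighbour discovery, router
        # advertisements, path MTU discovery. Dropping all ICMPv6 is the v6
        # equivalent of unplugging the cable.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, packet-too-big, parameter-problem, destination-unreachable, time-exceeded, echo-request } accept
        # DHCPv6 server -> client traffic, if DHCPv6 is used instead of SLAAC only
        ip6 daddr fe80::/10 udp sport 547 udp dport 546 accept
        # Deliberate inbound openings go here, one per service, e.g.
        # iifname "$WAN_IF" tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN hosts may initiate outbound; nothing unsolicited is forwarded in.
        iifname != "$WAN_IF" oifname "$WAN_IF" accept
        icmpv6 type { packet-too-big, parameter-problem, destination-unreachable, time-exceeded, echo-request } accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# The accident this thread is about: someone flips the input chain to
# "policy accept" while debugging and never flips it back. Every rule that
# follows still reads fine, but unsolicited inbound traffic now reaches
# globally routable hosts. $1 = good ruleset, $2 = output file.
write_broken_ruleset() {
    sed 's/hook input priority 0; policy drop;/hook input priority 0; policy accept;/' "$1" > "$2"
}

# Lint: succeed only if the input chain declares "policy drop".
# Run it against "nft list ruleset" output as a periodic sanity check.
check_default_drop() {
    awk '
        /chain input/      { in_input = 1 }
        in_input && /policy drop/ { ok = 1 }
        in_input && /^ *}/ { in_input = 0 }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

good="$(mktemp)"
bad="$(mktemp)"
write_ruleset "$good"
write_broken_ruleset "$good" "$bad"

# Syntax-check only (nothing is loaded); skipped where nft is absent or unprivileged.
if command -v nft >/dev/null 2>&1; then
    nft -c -f "$good" || echo "nft -c could not validate (needs CAP_NET_ADMIN?)"
fi

check_default_drop "$good" && echo "intended ruleset: input chain is default-drop"
check_default_drop "$bad"  || echo "broken ruleset: input chain is NOT default-drop"
```

Load the intended ruleset with `nft -f <file>` once `nft -c -f` is clean; the lint is deliberately dumb so it can be dropped into a cron job or a config-management check without depending on anything but awk.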