On Wed, Mar 30, 2011 at 2:08 PM, Derek J. Balling <dr...@megacity.org> wrote:
>
> On Mar 30, 2011, at 1:27 PM, Adam Tauno Williams wrote:
>>> I think plenty of people know the difference between NAT and a firewall.
>>> The issue is that if you're in some hacker-hellhole in Southeast Asia
>>> and my server's IP address is "192.168.1.14", and I haven't
>>> *specifically* enabled some sort of mapping to allow you to talk to
>>> some other address to talk to that server, you're not going to reach
>>> my server without a whole mess of people doing something wrong in the
>>> middle.
>>
>> Which will also be true for the most basic and simplest of IPv6
>> configurations. You've convinced yourself somehow that it won't be -
>> but it will. Block ingress, permit egress, done. For security and
>> usability you are exactly where you are now.
>
> Not at all. Firewalls get misconfigured by accident. It happens, we're all
> human. And then you *think* you've got security, because you're trusting your
> broken firewall, but you don't.
>
> Unroutable addresses like RFC1918-space don't suddenly manage to be routable
> across the world to my servers. It takes a MUCH more heinous misconfiguration
> (static NATs, port-forwarding, etc.) for a misconfigured NAT to open a server
> up to attack.
>
>> No, your NAT enables it, your firewall allows it. IPv6 just throws away
>> the pointless cost of NAT. Your firewall still allows it [or doesn't].
>
> YOU say it's pointless. Lots of people, however, do not see it as such.
> Machines having addresses that are "naturally unroutable" but still allowing
> them to initiate outbound connections to the outside world as they see fit is
> a very nice feature-set which NAT has made possible.
>
>>> or whatever, but the practical reality is that the existing model
>>> works pretty darned good for a whole lot of use-cases, and IPv6 seems
>>> hell-bent-by-design to break that model.
>>
>> No, the current model really sucks in a lot of use-cases. Software is
>> loaded with all kinds of bizarre traversal techniques - just take all
>> that code and throw it in the can.
>
> There's certainly use-cases where it sucks. And for those people, sure,
> accept the additional risk of using publicly-routable-IP space with a
> firewall ruleset in place.
>
> But there's *plenty* of other well-documented use-cases where NAT breaks
> *nothing*, and thus non-NAT'ed IPs run at a *higher* risk because firewalls
> get screwed up from time to time, and now those machines behind it are on
> publicly-reachable IP addresses.
>
>> Right, IANA & IETF [and Microsoft, Cisco, and IBM] are a bunch of nubes.
>> Funny.
>
> Thank you for making my point for me.
>
> My experience tends to be that once you start getting up to the level of "I
> work with the IETF to do stuff" or "I work for IANA" that you very rarely
> have any current "boots on the ground" day to day interaction with the real
> world any more.
>
> Nobody claimed they were newbs. I claimed they had very little practical
> experience (PRACTICAL being the key word there).
>
>> See RFC6106; this allows DNS advertisements in router advertisements.
>> The RA vs. DHCP thing was, I believe, kind of poorly conceived; but it
>> is workable.
>
> How about the myriad other things that DHCP is already configured to hand
> off, including but not limited to WINS, NTP, PXE/BOOTP, etc., etc., etc., all
> of which were gutted out of DHCP and not replaced with anything.
>
> DHCP has "just friggin' worked" for a long time, and a bunch of religious
> zealots ruined it for v6. There's no practical reason why DHCPv6 couldn't
> have worked *exactly* in v6 the same way it did in v4, other than egos and
> zealotry.
>
> Cheers,
> D
Look, this debate has already taken place and it's been over for a long time. All the issues have been hashed and rehashed for many years. If you want to use a private IPv6 address, go ahead:
http://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses

It's easy to get into a certain type of thinking, especially since we've had IPv4 for so long. Now it's time to change, and the changes here are not even that drastic: "Use a real firewall instead of incorrectly relying on NAT". Big deal.

Also, you keep citing firewall misconfiguration as a reason to do other things the wrong way. Once you bring that up, your argument becomes invalid, since you could say that about anything. "What do you mean I don't have backups? I was *definitely* saving them to this ham sandwich for years!"

// Brian Mathis

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
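What "block ingress, permit egress" and "use a real firewall instead of relying on NAT" look like as an actual IPv6 ruleset. This is an added example, not code from anyone in the thread: it is written in nftables syntax (which postdates this 2011 exchange; the ip6tables equivalent has the same shape), and it assumes the outside interface is eth0 and the inside interface is eth1, both of which are assumptions to adjust for the host. The one place an IPv6 firewall genuinely differs from the IPv4 habit is ICMPv6: Neighbor Discovery and router advertisements do the job ARP did, and Packet Too Big is how path MTU discovery works, so the "drop all ICMP" reflex breaks connectivity rather than adding safety.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Stateful IPv6 "block ingress,
# permit egress" policy. Interface names eth0 (outside) and eth1 (inside)
# are assumptions.
flush ruleset

table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback is always fine.
        iif "lo" accept

        # ICMPv6 first, before the conntrack checks: Neighbor Discovery
        # packets are not tracked like TCP flows, and dropping them as
        # "invalid" takes the host off the link. Only the types needed for
        # basic operation are listed; everything else in ICMPv6 still drops.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request,
            nd-router-solicit, nd-router-advert,
            nd-neighbor-solicit, nd-neighbor-advert
        } accept

        # Return traffic for connections this host initiated, plus related
        # errors. This is what makes "permit egress" useful without NAT.
        ct state established,related accept
        ct state invalid drop

        # Nothing unsolicited from outside reaches a listening socket unless
        # an explicit exception is added here, for example:
        # iif "eth0" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Same ICMPv6 reasoning for traffic crossing the box (PMTUD for
        # inside hosts depends on packet-too-big getting through).
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem
        } accept

        ct state established,related accept
        ct state invalid drop

        # Inside hosts may initiate outbound; nothing may initiate inbound.
        # Inside hosts are on global addresses here, so this rule, not an
        # address range, is what keeps them unreachable from outside.
        iif "eth1" oif "eth0" accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` and verify with `nft list ruleset`. On a router, the forward chain's default drop is the control that the thread's NAT box provided as a side effect; auditing it is one `grep` for rules with `iif "eth0"` that accept, which is a narrower review than chasing NAT mappings and port-forwards.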