North American Network Operators Group


Re: Assigning IPv6 /48's to CPE's?

  • From: Valdis . Kletnieks
  • Date: Fri Jan 04 00:12:34 2008

On Thu, 03 Jan 2008 10:17:37 EST, William Herrin said:

> In my ever so humble opinion, IPv6 will not reach significant
> penetration at the customer level until NAT has been thoroughly
> implemented. Corporate information security officers will insist.
> Here's the thing: a stateful non-NAT firewall is automatically less
> secure than a stateful translating firewall. Why? Because a mistake
> configuring a NAT firewall breaks the network causing everything to
> stop working while a mistake with a firewall that does no translation
> causes data to flow unfiltered. Humans being humans, mistakes will be
> made. The first failure mode is highly preferable.

Which is why, if your site has an *actual* clue, the deployed hosts *also*
have their own iptables/ipfilters/whatever-windows-calls-it rulesets that
say what hosts are allowed to talk to them. So on the server, I can do:

# drop inbound SSH unless the source is inside our /48 (the prefix needs the
# trailing "::" for ip6tables to parse it; the negation goes before -s)
ip6tables -A tcp-in ! -s 2001:468:c80::/48 -p tcp --dport 22 -j DROP

Now, even if our firewall guys fumble-finger something, I won't get
SSH connections coming in from outside AS1312.

Of course, I can't talk about business pressures from customers that have
incompetent security officers that don't understand stuff like multiple
layers of defense...

Attachment: pgp00003.pgp
Description: PGP signature
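Added example, not part of the original message or the poster's ruleset: a small host-side ip6tables script in the spirit of the rule above. It installs a tcp-in chain that accepts SSH only from the site's own prefix and drops it from everywhere else, so a fumbled perimeter rule still fails closed on the host. The prefix 2001:db8:100::/48 is documentation space used as a placeholder, the chain name tcp-in follows the post, and the prefix check is a deliberately crude syntax test, not a full address parser; its job is to catch the common slip of writing a /48 without the "::" (which ip6tables would refuse) before the chain is left half built.

```shell
#!/bin/sh
# Added example (not from the original post): host-side ip6tables rules that
# restrict SSH to the site's own /48 regardless of what the perimeter does.
# 2001:db8:100::/48 below is a placeholder documentation prefix.
set -u

# Run ip6tables, or with DRY_RUN=1 print the command that would be run.
ip6t() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "ip6tables $*"
    else
        ip6tables "$@"
    fi
}

# Crude syntax check for "addr/len": a mask of 0-128 and an address that is
# either compressed (contains "::") or has all eight groups. Rejects the
# typo 2001:db8:100/48 (no "::"), which ip6tables would also refuse.
valid_prefix() {
    p="$1"
    case "$p" in */*) ;; *) return 1 ;; esac
    mask="${p##*/}"
    addr="${p%/*}"
    case "$mask" in
        [0-9]|[0-9][0-9]|1[01][0-9]|12[0-8]) ;;
        *) return 1 ;;
    esac
    case "$addr" in
        *::*) return 0 ;;
        *:*:*:*:*:*:*:*) return 0 ;;
    esac
    return 1
}

# Build the tcp-in chain. Returns 1 on a malformed prefix so a typo cannot
# leave the host with a chain that restricts nothing.
install_ssh_rules() {
    site="$1"
    valid_prefix "$site" || { echo "invalid IPv6 prefix: $site" >&2; return 1; }
    # Create the chain if it does not exist, then start from an empty one
    ip6t -N tcp-in 2>/dev/null || true
    ip6t -F tcp-in
    # Replies to connections this host opened itself
    ip6t -A tcp-in -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # SSH only from inside the site prefix; port 22 from anywhere else is dropped
    ip6t -A tcp-in -s "$site" -p tcp --dport 22 -j ACCEPT
    ip6t -A tcp-in ! -s "$site" -p tcp --dport 22 -j DROP
    # Send inbound TCP through the chain (remove an earlier copy of the jump first)
    ip6t -D INPUT -p tcp -j tcp-in 2>/dev/null || true
    ip6t -A INPUT -p tcp -j tcp-in
}
```

Run it as root with the site's real prefix, e.g. `install_ssh_rules 2001:db8:100::/48`; set `DRY_RUN=1` first to print the commands instead of applying them. Whatever the perimeter firewall does, the last tcp-in rule is what decides the fate of an SSH SYN from outside the prefix.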