[arin-discuss] Trying to Understand IPV6
Owen DeLong
owen at delong.com
Mon Sep 13 17:51:11 EDT 2010
On Sep 13, 2010, at 2:13 PM, Mike Lieberman wrote:
> Matthew! Good heavens, no technology is the panacea. Yes with
> NAT/CiscoASA5500/and AV software my 12 yo daughter does a fine job of making a
> mess on her PC... But to suggest that NATs don't knock down a huge amount of
> unwanted traffic is simply unrealistic.
>
> Stateful firewalls can only knock down what they are looking for. Yes proper
> rules the in/out traffic with internal public IP can work nicely, but they are
> far more susceptible to really bad results if done wrong...
>
Huh? No.
A properly configured stateful firewall knocks down everything that isn't a
specifically permitted flow.
NAT doesn't knock down anything other than by preventing you from permitting
inbound flows (or at least adding a couple of hoops to that process).
There's nothing security-wise in NAT that isn't available in stateful inspection.
> Good solutions are the ones that continue to provide better protection when
> improperly implemented.
>
By this line of thinking, the best solution is to merely remove the power supply.
There is always a tradeoff between functionality and reliability.
> Murphy was an optimist. The Average residence has no IT knowledge under the
> roof. Our network designs should always assume that. Public IP fails that test
> to the residential end user.
>
And a stateful inspection firewall with a default-deny-all-inbound policy does
exactly the same job here that you are claiming NAT does on today's IPv4
boxes. No difference.
If the user chooses to change that configuration on their own firewall, then they
are choosing to change their risk profile. That should be up to the user. Just as
doctors are not allowed to inflict treatment on patients contrary to the patient's
wishes, the network should not limit a user's choice of permitted network
applications without the user's consent.
Owen
>
> -----Original Message-----
> From: Matthew S. Crocker [mailto:matthew at corp.crocker.com]
> Sent: Monday, September 13, 2010 3:01 PM
> To: Mike Lieberman
> Cc: arin-discuss at arin.net; Matthew S. Crocker
> Subject: Re: [arin-discuss] Trying to Understand IPV6
>
>> From: "Mike Lieberman" <mike at netwright.net>
>> To: "Matthew S. Crocker" <matthew at crocker.com>
>> Cc: arin-discuss at arin.net
>> Sent: Monday, September 13, 2010 4:52:01 PM
>> Subject: RE: [arin-discuss] Trying to Understand IPV6
>>
>> We run VoIP over NAT today and while there is a learning curve it is
>> manageable.
>
> Yes it is manageable, My Acme SD does a wonderful job gluing the RTP streams
> together. With IPv6 endpoints we wouldn't need to hairpin the RTP streams.
>
>> Make a mistake in NAT'ed network and NAT will save you in-spite of
>> yourself.
>> Make a mistake in Public IP and you are potentially sunk.
>
> Customers manage to find the viruses just fine on their own, even behind NAT.
> I don't think IPv6 to the desktop is going to change that.
>
>
>>
>> As an advocate for the end user - even when it makes my job harder.... NAT
>> isn't evil. Network Engineers who expect all consumers to be knowledgeable are
>> evil. We need to employ technologies that are safe even when used badly.
>> Public addresses on residences fails the test.
>
> Properly configured network devices with a centralized device
> management/config/firmware server could be a service a competent ISP would
> provide. End users don't need to be knowledgeable if their provider does
> their job.
>
> My end users don't manage their Phone config files or firmware, why would I
> have them manage their firewall?
>
>>
>> It's nice that some of you trust public institutions to always behave and do
>> right.
>
> AAAAH, so that is the real issue, you are afraid that 'Big Brother' will spy
> on your IPv6 enabled computer. Do you really think that NAT stops that?
> Backdoors in your NAT router? Viruses that poke holes in your NAT router? It
> is all possible and quite easily do-able. NAT doesn't offer any real
> security.
>
>> Do I offend you that you are in the aggregate in the extreme minority?
>
> Huh?
>
>>
>> -----Original Message-----
>> From: Matthew S. Crocker [mailto:matthew at crocker.com]
>> Sent: Monday, September 13, 2010 2:44 PM
>> To: Mike Lieberman
>> Cc: arin-discuss at arin.net
>> Subject: Re: [arin-discuss] Trying to Understand IPV6
>>
>> In short because NAT is evil. Customers don't normally have a clue what NAT
>> means or if it actually provides security or not. A properly configured home
>> IPv6 appliance can provide the same levels of security without NAT. Stateful
>> packet inspection and real IPv6 addresses on all devices is far superior to
>> NATted IPv4.
>>
>> NAT is the bane of my existence as a VoIP provider. If only my phones
>> supported IPv6...
>>
>> -Matt
>>
>> ----- Original Message -----
>>
>>> From: "Mike Lieberman" <mike at netwright.net>
>>> To: arin-discuss at arin.net
>>> Sent: Monday, September 13, 2010 4:17:37 PM
>>> Subject: Re: [arin-discuss] Trying to Understand IPV6
>>>
>>> I have been reading all these discussions (mostly silently) for a long, long
>>> time. I understand what a /48 is and a /56, /64 and /128. I understand the
>>> notation.
>>>
>>> Quite frankly what I don't get is why anyone thinks that consumers want
>>> public numbers inside their home/LANs. Once my customers understood the
>>> benefit of hiding behind a NAT, they embraced it quite emphatically.
>>>
>>> Put a private residence on public IPv6? Sorry but that makes no sense.
>>>
>>> Yes I agree that I don't know what people will need in 20 years. And YES it
>>> is nice that we will have address space in 20 years. But allocating a /48 to
>>> a home that today uses an IPv4 /30 with a private NAT seems beyond humorous.
>>> It just sounds insane. Using private addressing that home already
>>> potentially has access to thousands of subnets and millions of addresses.
>>>
>>> RFC 4193 provides even more addresses for use with firewall/NAT appliances.
>>> Why does a home or business using RFC 4193 need a /48 or even a /56 or /64?
>>>
>>> Just because we have the numbers does not mean we should distribute them.
>>>
>>>
>>> _________________________
>>> Mike Lieberman, President
>>> Net Wright LLC
>>> Tel: +1-307-857-4898
>>> Fax: +1-307-857-4872
>>>
>>>
>>> -----Original Message-----
>>> From: arin-discuss-bounces at arin.net
>>> [mailto:arin-discuss-bounces at arin.net]
>>> On Behalf Of Dan White
>>> Sent: Monday, September 13, 2010 1:28 PM
>>> To: Tim Howe
>>> Cc: arin-discuss at arin.net
>>> Subject: SPAM: Re: [arin-discuss] Trying to Understand IPV6
>>>
>>> On 13/09/10 12:01 -0700, Tim Howe wrote:
>>>> On Mon, 13 Sep 2010 19:32:33 +0100
>>>> <michael.dillon at bt.com> wrote:
>>>>
>>>>>> If I assigned a customer say an IPV4 /21 in IPV6 this would translate
>>>>>> into a /56? If I'm not mistaken a /56 would translate into something
>>>>>> like 65,000 host addresses? That just seems like a lot of hosts to me,
>>>>>
>>>>> Anyone in this position should simply assign a /48 to every customer site
>>>>> no matter how big or small. A one bedroom apartment gets a /48. A
>>>>> manufacturing plant with 5 buildings including a 4-story office block, gets a
>>>>> /48. No exceptions.
>>>>
>>>> This is slightly different than I have been led to think... It
>>>> seems wise, when you know the customer has no intention of having
>>>> multiple networks, to provide a /64. Not because you fear wasting
>>>
>>> Consider a long range scenario for that customer. A scenario in which they
>>> may purchase networking equipment for multiple purposes in 5 or 10, or 20
>>> years that performs layer two separation between different functions in
>>> their network. E.g. Wifi, Bluetooth/USB, appliances, voice, video, visitor
>>> access, alarm system, automobiles, utilities, etc.
>>>
>>> I find it beneficial to consider that I probably don't know what a
>>> customer's network will look like in 20 years, and a /48 per customer is
>>> probably wisest until we've gained more operational experience with IPv6 in
>>> our own network.
>>>
>>> --
>>> Dan White
>>> _______________________________________________
>>> ARIN-Discuss
>>> You are receiving this message because you are subscribed to
>>> the ARIN Discussion Mailing List (ARIN-discuss at arin.net).
>>> Unsubscribe or manage your mailing list subscription at:
>>> http://lists.arin.net/mailman/listinfo/arin-discuss
>>> Please contact info at arin.net if you experience any issues.
>>>
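Owen's point that the protection comes from stateful inspection with a default-deny-inbound policy, not from address translation, can be shown with a small simulator. This is an added example, not code from the thread or from any vendor's firewall: a minimal connection tracker applied once to globally addressed IPv6 hosts and once behind port-preserving IPv4 NAT, run over four constructed packets (addresses from the documentation ranges), yielding identical verdicts in both cases.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True: arrives from the WAN; False: leaves the LAN

class StatefulFirewall:
    """Default-deny-inbound stateful filter on globally addressed hosts; no NAT."""
    def __init__(self, permitted_inbound=()):
        self.permitted = set(permitted_inbound)  # (lan_addr, port) the user chose to open
        self.flows = set()  # established flows as (lan_addr, lan_port, remote, rport)

    def filter(self, pkt):
        if not pkt.inbound:  # LAN-initiated traffic creates state and is allowed out
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "accept"  # reply to an established flow
        if (pkt.dst, pkt.dport) in self.permitted:
            self.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "accept"  # service the user explicitly permitted inbound
        return "drop"  # everything else, i.e. all unsolicited inbound traffic

class NatFirewall(StatefulFirewall):
    """The same filter behind port-preserving IPv4 source NAT (a simplification)."""
    def __init__(self, wan_addr, permitted_inbound=()):
        super().__init__(permitted_inbound)
        self.wan_addr = wan_addr
        # wan_port -> (lan_addr, lan_port); the static entries are the "port forwards"
        self.table = {port: (addr, port) for addr, port in self.permitted}

    def filter(self, pkt):
        if not pkt.inbound:
            self.table[pkt.sport] = (pkt.src, pkt.sport)  # outbound mapping, port kept
        elif pkt.dst == self.wan_addr and pkt.dport in self.table:
            lan_addr, lan_port = self.table[pkt.dport]  # untranslate first
            pkt = replace(pkt, dst=lan_addr, dport=lan_port)
        return super().filter(pkt)  # then the stateful filter decides exactly as before

def run_scenario(fw, lan_host, visible_addr, remote):
    """Four constructed packets as seen on the WAN side; returns the verdict for each."""
    return [
        fw.filter(Packet(remote, 40000, visible_addr, 22, True)),   # unsolicited SSH probe
        fw.filter(Packet(lan_host, 51000, remote, 443, False)),     # LAN host opens HTTPS
        fw.filter(Packet(remote, 443, visible_addr, 51000, True)),  # HTTPS reply
        fw.filter(Packet(remote, 5060, visible_addr, 5060, True)),  # SIP to user-opened port
    ]

V6 = run_scenario(StatefulFirewall({("2001:db8:1::10", 5060)}),
                  "2001:db8:1::10", "2001:db8:1::10", "2001:db8:ffff::7")
V4 = run_scenario(NatFirewall("203.0.113.5", {("192.168.1.10", 5060)}),
                  "192.168.1.10", "203.0.113.5", "198.51.100.7")
```

Leaving `permitted_inbound` empty on either box turns the last verdict into "drop", which is the residential default-deny case the thread argues about.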