Agreed.

Awesome.

  ----- Original Message ----- 
  From: Tyler Treat 
  To: [email protected] 
  Sent: Wednesday, July 01, 2015 12:32 PM
  Subject: Re: [AFMUG] private ipv4 sale / leases


  I love this.  It should be published in the book of Steveisms.   


  ___________________________
  Mangled by my iPhone.
  ___________________________
  Tyler Treat
  [email protected]
  ___________________________



  On Jul 1, 2015, at 12:26 PM, That One Guy /sarcasm <[email protected]> wrote:


    I correlate the NAT security to a daughter's bedroom.
    Most fathers don't have an exterior door on their daughter's bedroom.
    You don't just walk directly in; sure, somebody can put a ladder to her window (port forward), but by default there is a slight measure of security because you have to come in the house door and traverse your way to her bedroom.
    Now, it's always best to have a firewall (you put the daughter's bedroom at the end of the hall past dad's room).
    Then to be super secure, you put in a Smith and Wesson IDS.


    On Wed, Jul 1, 2015 at 11:25 AM, Justin Wilson - MTIN <[email protected]> wrote:

      Very correct, Glen.  NAT is not secure.  It's like blending your door into the rest of your house.  The door is still there, just a little harder to find.  But if there are no locks, it's still an unlocked door.


      Justin


      ---
      Justin Wilson <[email protected]>
      http://www.mtin.net  Managed Services – xISP Solutions – Data Centers
      http://www.thebrotherswisp.com Podcast about xISP topics
      http://www.midwest-ix.com Peering – Transit – Internet Exchange 


        On Jul 1, 2015, at 12:21 PM, Glen Waldrop <[email protected]> wrote:


        I think we're having two different conversations here.

        I'm using NAT with a firewall. I don't think anyone is saying NAT by itself is secure.


          ----- Original Message ----- 
          From: Justin Wilson - MTIN
          To: [email protected]
          Sent: Wednesday, July 01, 2015 11:01 AM
          Subject: Re: [AFMUG] private ipv4 sale / leases


          IPv6 is very DNS oriented.  There is no way you are going to remember IP addresses like you do in v4.  DNS and backend systems are going to become more and more critical to the ISPs who are providing v6.  Also, IMHO, more and more managed routers are going to be deployed as folks go to v6.  Those who support customer-owned routers will be overwhelmed if they follow the same philosophy with v6 routers.  Full IPv6 support is severely lacking in many manufacturers.  So, now you have semi-compliant devices out there with buggy software doing weird things.  This becomes a troubleshooting nightmare for folks.  To combat this I think we will see those deploying v6 sending out a "modem" or managed router that is the endpoint.  Right now, if you are running your CPE in router mode (which I encourage), your options for v6 support are very limited.  Mikrotik will do this.  UBNT won't.  Cambium won't.



          The false sense of security folks have fallen into is that NAT is just security by obscurity.  It's not really security.  For the typical home user it's on the borderline of good enough.  As folks move away from NAT to v6 you will also see performance increases on higher-bandwidth circuits.  NAT causes a performance hit.  The router has to keep track of translation tables and the like.


          v6 still travels over ports 80, 110, etc.  You simply need a firewall that understands v6 and away you go.  This is where IP management software can help you.  Some of them out there can export to DNS, can create iptables rules, etc.  With v6 the goal is to have more things automated on the backend.


          Justin


          ---
          Justin Wilson <[email protected]>
          http://www.mtin.net  Managed Services – xISP Solutions – Data Centers
          http://www.thebrotherswisp.com Podcast about xISP topics
          http://www.midwest-ix.com Peering – Transit – Internet Exchange 


            On Jul 1, 2015, at 11:38 AM, That One Guy /sarcasm <[email protected]> wrote:


            I guess I'm stuck in the limited-space mindset with NAT,
            but many of our clients have multiple mail-serverish devices on their networks that all need to present as the same IP to meet reverse DNS and SPF.
            I don't know whether my mindset on that is efficient or lazy.
            We have a lot of firewall access policies on our clients that limit access to only coming from our office firewall, nothing else. I suppose we could add all our workstations to that policy, or a subnet (I assume IPv6 has subnets).


            On Wed, Jul 1, 2015 at 10:26 AM, Paul Stewart <[email protected]> wrote:

              One other comment around "haven't had a security issue yet".  I used to get the same argument from a former co-worker and my question was always "how do you know you haven't had a security issue?".

              It seems like a loaded question, but unless you have some pretty advanced security *in* your network, then most folks don't know they have been breached.  I showed someone a few years ago that their Windows server had been pawned and they didn't believe me at first - then I showed that for the previous 3 years someone had full access remotely to that server and had been gathering data from it on a regular basis.  This server was behind two layers of firewalls, host IDS, network IDS, anti-spyware, and anti-virus.  Pretty extreme example, but I have seen it happen more than once...


              -----Original Message-----
              From: Af [mailto:[email protected]] On Behalf Of Glen Waldrop
              Sent: Wednesday, July 1, 2015 11:16 AM
              To: [email protected]
              Subject: Re: [AFMUG] private ipv4 sale / leases

              Maybe I need to study a bit more, but I run MT, haven't had a security issue yet.

              I've got a firewall configured on the MT. The only way I see into my network is owning one of my routers, though you guys may educate me.

              We've had plenty of attempts. The only thing that has successfully shut us down so far was the DNS DDoS attack saturating our fiber.

              I know nothing is 100% secure, but not having my personal network directly on the Internet certainly seems better to me.



              ----- Original Message -----
              From: "Ken Hohhof" <[email protected]>
              To: <[email protected]>
              Sent: Wednesday, July 01, 2015 10:09 AM
              Subject: Re: [AFMUG] private ipv4 sale / leases


              >
              > NAT is not security through obscurity, unless you're referring to 1:1 NAT which is not what most people mean when they say NAT.
              >
              > Setting up NAT in a Mikrotik illuminates the situation.  In order for NAT (actually overloaded dynamic NAT/PAT) to work, you must turn on connection tracking, allow incoming established and related, and block all other inbound traffic unless port forwarding is set up via dstnat.
              >
              > In other words, a stateful firewall.
              >
              > Now if you're talking about advanced firewall functions like detecting/blocking/reporting intrusion attempts, yeah that's great, but it's beyond what 99.99% of people implement in their firewall.
              >
              > -----Original Message-----
              > From: Paul Stewart
              > Sent: Wednesday, July 01, 2015 9:52 AM
              > To: [email protected]
              > Subject: Re: [AFMUG] private ipv4 sale / leases
              >
              > I'm not sure your argument is really valid.. NAT is "security through obscurity" which translates to "zero additional security" also known as "false security"
              >
              > IPv6 behind a stateful firewall is just as secure - some folks would argue it's more secure but that argument would take several paragraphs to get into ;)
              >
              > -----Original Message-----
              > From: Af [mailto:[email protected]] On Behalf Of Glen Waldrop
              > Sent: Wednesday, July 1, 2015 10:01 AM
              > To: [email protected]
              > Subject: Re: [AFMUG] private ipv4 sale / leases
              >
              > Yeah, but the great thing about NAT is that my network isn't public.
              >
              > That is my primary argument with IPv6.
              >
              > ----- Original Message -----
              > From: "Chuck McCown" <[email protected]>
              > To: <[email protected]>
              > Sent: Wednesday, July 01, 2015 8:28 AM
              > Subject: Re: [AFMUG] private ipv4 sale / leases
              >
              >> You could use a single IPv6 to say, Mars.
              >>
              >> And everyone on Mars could have their own static IP that uses the first 64 to get to Mars and the second 64 to get to all the subscribers.  Assuming routers exist that would do this.
              >>
              >> -----Original Message-----
              >> From: Matt
              >> Sent: Wednesday, July 01, 2015 7:22 AM
              >> To: [email protected]
              >> Subject: Re: [AFMUG] private ipv4 sale / leases
              >>
              >>> Just saying that NAT is not needed.  Every single IP gives you so much address space that you will never be able to use it.
              >>>
              >>> Essentially a number of globally routable set of static IPs come with every IP such that one single IP could probably run the whole planet right now.
              >>
              >> You mean every /64 which is minimum customer assignment in most respects does.  A single IPv6 IP is still just a single IP.
              >>

            -- 

            If you only see yourself as part of the team but you don't see your 
team as part of yourself you have already failed as part of the team.

    -- 

    If you only see yourself as part of the team but you don't see your team as 
part of yourself you have already failed as part of the team.
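The point Ken and Paul make above (NAT's protection is the stateful firewall it forces you to configure, and IPv6 behind the same filter gets the same protection) is easy to check with a small simulator. The following is an added example written for this thread, not code from any of the posters or from RouterOS: it models a gateway with connection tracking, "accept established/related", "accept only the published ports" (dstnat on the NAT box, a plain accept rule on the v6 router) and "drop everything else", then pushes identical traffic through a NAT44 gateway and a plain IPv6 router. All addresses are documentation ranges chosen for the example; source ports are assumed to be preserved by the NAT, and the inside-prefix check is a string-prefix simplification.

```python
"""Constructed example: NAT44 gateway vs. IPv6 router with the same stateful filter.

Both run the three rules from Ken's description of a Mikrotik NAT setup:
connection tracking on, accept inbound established/related, drop other
inbound unless explicitly published. Only the address rewriting differs.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    def __init__(self, lan_prefix, public_addr=None, inbound_allow=None):
        self.lan_prefix = lan_prefix          # inside addresses (anti-spoof on the LAN side)
        self.public_addr = public_addr        # set -> NAT44 (srcnat outbound); None -> IPv6 router
        # (addr, port) as seen from the WAN -> (inside addr, port);
        # this is 'dstnat' on the NAT box and a plain accept rule on the v6 router
        self.inbound_allow = inbound_allow or {}
        # conntrack table: (remote, rport, external, eport) -> (inside, iport)
        self.conntrack = {}

    def from_lan(self, pkt):
        """Packet leaving the LAN: record the flow, rewrite the source if NAT."""
        if not pkt.src.startswith(self.lan_prefix):
            return "drop", None
        # Reply to a connection that entered via inbound_allow reuses its entry.
        for (rem, rport, ext, eport), (ins, iport) in self.conntrack.items():
            if (rem, rport) == (pkt.dst, pkt.dport) and (ins, iport) == (pkt.src, pkt.sport):
                return "forward", replace(pkt, src=ext, sport=eport)
        ext, eport = (self.public_addr or pkt.src), pkt.sport   # assumption: port preserved
        self.conntrack[(pkt.dst, pkt.dport, ext, eport)] = (pkt.src, pkt.sport)
        return "forward", replace(pkt, src=ext, sport=eport)

    def from_wan(self, pkt):
        """Packet arriving from the Internet: established, published, or dropped."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:                          # ESTABLISHED
            ins, iport = self.conntrack[key]
            return "forward", replace(pkt, dst=ins, dport=iport)
        if (pkt.dst, pkt.dport) in self.inbound_allow:     # dstnat / explicit accept
            ins, iport = self.inbound_allow[(pkt.dst, pkt.dport)]
            self.conntrack[key] = (ins, iport)
            return "forward", replace(pkt, dst=ins, dport=iport)
        return "drop", None                                # default deny


def exercise(gw, client, server_public, remote):
    """Push the same traffic pattern through a gateway and collect its decisions."""
    out = {}
    # 1. Unsolicited probe at the server's SSH port: nothing publishes it.
    out["unsolicited_ssh"] = gw.from_wan(Packet(remote, 40001, server_public, 22))[0]
    # 2. Client opens a connection out; the reply must be let back in.
    _, wire = gw.from_lan(Packet(client, 51000, remote, 80))
    act, delivered = gw.from_wan(Packet(remote, 80, wire.src, wire.sport))
    out["reply_to_outbound"] = act
    out["reply_delivered_to"] = (delivered.dst, delivered.dport) if delivered else None
    # 3. Published HTTPS service is reachable and its reply leaves with the right source.
    act, inside_pkt = gw.from_wan(Packet(remote, 40002, server_public, 443))
    out["published_https"] = act
    _, reply_wire = gw.from_lan(Packet(inside_pkt.dst, inside_pkt.dport, remote, 40002))
    out["https_reply_src"] = (reply_wire.src, reply_wire.sport)
    # 4. A forged "reply" that matches no tracked flow is still dropped.
    out["forged_reply"] = gw.from_wan(Packet(remote, 80, wire.src, 51999))[0]
    return out


def nat44_gateway():
    # constructed: private LAN behind one public address, HTTPS port-forwarded to .10
    return Gateway("192.168.1.", public_addr="198.51.100.1",
                   inbound_allow={("198.51.100.1", 443): ("192.168.1.10", 443)})


def ipv6_gateway():
    # constructed: hosts keep global addresses; only ::10 port 443 is accepted inbound
    return Gateway("2001:db8:1::",
                   inbound_allow={("2001:db8:1::10", 443): ("2001:db8:1::10", 443)})


def compare():
    v4 = exercise(nat44_gateway(), "192.168.1.20", "198.51.100.1", "203.0.113.9")
    v6 = exercise(ipv6_gateway(), "2001:db8:1::20", "2001:db8:1::10", "2001:db8:ffff::9")
    return v4, v6


def same_decisions():
    """True when the filter's accept/drop verdicts are identical for NAT44 and IPv6."""
    v4, v6 = compare()
    keys = ("unsolicited_ssh", "reply_to_outbound", "published_https", "forged_reply")
    return all(v4[k] == v6[k] for k in keys)


if __name__ == "__main__":
    for name, result in zip(("NAT44", "IPv6"), compare()):
        print(name, result)
    print("identical verdicts:", same_decisions())
```

The only difference between the two runs is what the outside world sees as the client's source address; every accept or drop verdict is the same, which is the "stateful firewall, not NAT" argument in runnable form. Remove the default-deny line from `from_wan` and the IPv6 hosts become reachable, which is exactly the failure mode the thread warns about when a v6 CPE ships without a filter that understands v6.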
