On 6/1/15 10:12 PM, Mark Andrews wrote:
In message <556d35df.8080...@matthew.at>, Matthew Kaufman writes:
On 6/1/2015 6:32 PM, Mark Andrews wrote:
In message <CAL9jLaaQUP1UzoKag3Kuq8a5bMcB2q6Yg=B_=1fFWxRN6K-bNA@mail.gmail.
com
, Christopher Morrow writes:
On Mon, Jun 1, 2015 at 9:02 PM, Ca By <cb.li...@gmail.com> wrote:
On Monday, June 1, 2015, Mark Andrews <ma...@isc.org> wrote:
In message
<CAL9jLaYXCdfViHbUPx-=rs4vsx5mfecpfue8b7vq+au2hcx...@mail.gmail.com>
, Christopher Morrow writes:
So... I don't really see any of the above arguments for v6 in a vm
setup to really hold water in the short term at least. I think for
sure you'll want v6 for public services 'soon' (arguably like 10 yrs
ago so you'd get practice and operational experience and ...) but for
the rest sure it's 'nice', and 'cute', but really not required for
operations (unless you have v6 only customers)
Everyone has effectively IPv6-only customers today. IPv6 native +
CGN only works for services. Similarly DS-Lite and 464XLAT.
ok, and for the example of 'put my service in the cloud' ... the
service is still accessible over ipv4 right?
It depends on what you are trying to do. Having something in the
cloud manage something at home. You can't reach the home over IPv4
more and more these days as. IPv6 is the escape path for that but
you need both ends to be able to speak IPv6.
...and for firewalls to not exist. Since they do, absolutely all the
techniques required to "reach something at home" over IPv4 are required
for IPv6. This is on the "great myths of the advantages of IPv6" list.
For IPv4 you port forward in the NAT possibly doing port translation
as will as address translation.
Takes about 30 seconds in the web interface of your CPE.
For IPv6 you open the port inbound in the firewall or just move the
firewalling to the host.
Takes about 30 seconds in the web interface of your CPE.
IPv6 is easier. With modern machines you really can get rid of the
firewall in front of the machine.
For the good of the botnet operators, I encourage doing this.
I can't run my laser printer without a firewall in front of it, and I
can't even guess how secure the controller in the septic system pump box
might be... so I don't risk it. And I *know* that some of the webcams I
have are vulnerable and have no updates available.
Lots of the equipement that
connects to the home nets spends plenty of time fully exposed to
the Internet w/o a firewall.
I don't believe that's accurate.
If it does that why does it need a
firewall at home?
There is a myth that you need a firewall at home.
Perpetuated by all the actual cases of poorly designed operating systems
and embedded systems getting attacked and making the news as a result
(http://www.insecam.org/ among others)
IPv6 has exactly one benefit... there's more addresses. It comes with a
whole lot of new pain points, and probably a bunch of security nightmare
still waiting to be discovered. And it for sure isn't free.
It also remove a whole lot of complications. Simplifies the security
profile.
If you think that the NDP DOS exposure is a "simplification" of
security, then I'd love to hear more about the benefits of IPv6.
Matthew Kaufman
