Re: [AFMUG] private ipv4 sale / leases
I correlate the NAT security to a daughter's bedroom. Most fathers don't have an exterior door on their daughter's bedroom. You don't just walk directly in; sure, somebody can put a ladder to her window (port forward), but by default there is a slight measure of security because you have to come in the house door and traverse your way to her bedroom. Now, it's always best to have a firewall (you put the daughter's bedroom at the end of the hall past dad's room). Then to be super secure, you put in a Smith and Wesson IDS.

On Wed, Jul 1, 2015 at 11:25 AM, Justin Wilson - MTIN li...@mtin.net wrote:

Very Correct Glen. Nat is not secure. It’s like blending your door into the rest of your house. The door is still there, just a little harder to find. But if there are no locks it’s still an unlocked door.

Justin
---
Justin Wilson j...@mtin.net
http://www.mtin.net Managed Services – xISP Solutions – Data Centers
http://www.thebrotherswisp.com Podcast about xISP topics
http://www.midwest-ix.com Peering – Transit – Internet Exchange

On Jul 1, 2015, at 12:21 PM, Glen Waldrop gwl...@cngwireless.net wrote:

I think we're having two different conversations here. I'm using NAT with a firewall. I don't think anyone is saying NAT by itself is secure.

- Original Message -
From: Justin Wilson - MTIN li...@mtin.net
To: af@afmug.com
Sent: Wednesday, July 01, 2015 11:01 AM
Subject: Re: [AFMUG] private ipv4 sale / leases

IPV6 is very DNS orientated. There is no way you are going to remember ip addresses like you do in V4. DNS and backend systems are going to become more and more critical to the ISPs who are providing V6.

Also, IMHO, more and more managed routers are going to be deployed as folks go to V6. Those who support customer owned routers will be overwhelmed if they follow the same philosophy with V6 routers. Full IPv6 support is severely lacking in many manufacturers. So, now you have semi-compliant devices out there with buggy software doing weird things. This becomes a troubleshooting nightmare for folks. To combat this I think we will see those deploying V6 sending out a “modem” or managed router that is the endpoint. Right now, if you are running your CPE in router mode (which I encourage) your options for V6 support are very limited. Mikrotik will do this. UBNT won’t. Cambium won’t.

The false sense of security folks have fallen into is Nat is just security by obscurity. It’s not really security. For the typical home user it’s on the borderline of good enough. As folks move away from nat to V6 you will also see performance increases on higher bandwidth circuits. Nat causes a performance hit. The router has to keep track of translation tables and the like. V6 still travels over port 80, 110, etc. You simply need a firewall that understands V6 and away you go.

This is where IP management software can help you. Some of them out there can export to DNS, can create iptables rules, etc. With V6 the goal is to have more things automated on the backend.

Justin
---
Justin Wilson j...@mtin.net
http://www.mtin.net Managed Services – xISP Solutions – Data Centers
http://www.thebrotherswisp.com Podcast about xISP topics
http://www.midwest-ix.com Peering – Transit – Internet Exchange

On Jul 1, 2015, at 11:38 AM, That One Guy /sarcasm thatoneguyst...@gmail.com wrote:

I guess I'm stuck in the limited space mindset with NAT, but many of our clients have multiple mail serverish devices on their networks that all need to present as the same IP to meet reverse DNS and SPF. I don't know whether my mindset on that is efficient or lazy. We have a lot of firewall access policies on our clients that limit access to only coming from our office firewall, nothing else. I suppose we could add all our workstations to that policy, or a subnet (I assume ip6 has subnets).

On Wed, Jul 1, 2015 at 10:26 AM, Paul Stewart p...@paulstewart.org wrote:

One other comment around "haven't had a security issue yet". I used to get the same argument from a former co-worker and my question was always "how do you know you haven't had a security issue?". It seems like a loaded question, but unless you have some pretty advanced security *in* your network, then most folks don't know they have been breached. I showed someone a few years ago that their Windows server had been pawned and they didn't believe me at first - then I showed that for the previous 3 years someone had full access remotely to that server and had been gathering data from it on a regular basis. This server was behind two layers of firewalls, host IDS, network IDS, anti-spyware, and anti-virus. Pretty extreme example but have seen it happen more than once...

-Original Message-
From: Af [mailto:af-boun...@afmug.com] On Behalf Of Glen Waldrop
Sent: Wednesday, July 1, 2015 11:16 AM
To: af@afmug.com
Subject: Re: [AFMUG] private ipv4 sale / leases

Maybe I need to study a bit
Re: [AFMUG] private ipv4 sale / leases
Agreed. Awesome.

- Original Message -
From: Tyler Treat
To: af@afmug.com
Sent: Wednesday, July 01, 2015 12:32 PM
Subject: Re: [AFMUG] private ipv4 sale / leases

I love this. It should be published in the book of Steveisms.

___
Mangled by my iPhone.
___
Tyler Treat tyler.tr...@cornbelttech.com
___

On Jul 1, 2015, at 12:26 PM, That One Guy /sarcasm thatoneguyst...@gmail.com wrote:

I correlate the NAT security to a daughter's bedroom. Most fathers don't have an exterior door on their daughter's bedroom. You don't just walk directly in; sure, somebody can put a ladder to her window (port forward), but by default there is a slight measure of security because you have to come in the house door and traverse your way to her bedroom. Now, it's always best to have a firewall (you put the daughter's bedroom at the end of the hall past dad's room). Then to be super secure, you put in a Smith and Wesson IDS.

On Wed, Jul 1, 2015 at 11:25 AM, Justin Wilson - MTIN li...@mtin.net wrote:

Very Correct Glen. Nat is not secure. It’s like blending your door into the rest of your house. The door is still there, just a little harder to find. But if there are no locks it’s still an unlocked door.

Justin
---
Justin Wilson j...@mtin.net
http://www.mtin.net Managed Services – xISP Solutions – Data Centers
http://www.thebrotherswisp.com Podcast about xISP topics
http://www.midwest-ix.com Peering – Transit – Internet Exchange

On Jul 1, 2015, at 12:21 PM, Glen Waldrop gwl...@cngwireless.net wrote:

I think we're having two different conversations here. I'm using NAT with a firewall. I don't think anyone is saying NAT by itself is secure.

- Original Message -
From: Justin Wilson - MTIN
To: af@afmug.com
Sent: Wednesday, July 01, 2015 11:01 AM
Subject: Re: [AFMUG] private ipv4 sale / leases

IPV6 is very DNS orientated. There is no way you are going to remember ip addresses like you do in V4. DNS and backend systems are going to become more and more critical to the ISPs who are providing V6.

Also, IMHO, more and more managed routers are going to be deployed as folks go to V6. Those who support customer owned routers will be overwhelmed if they follow the same philosophy with V6 routers. Full IPv6 support is severely lacking in many manufacturers. So, now you have semi-compliant devices out there with buggy software doing weird things. This becomes a troubleshooting nightmare for folks. To combat this I think we will see those deploying V6 sending out a “modem” or managed router that is the endpoint. Right now, if you are running your CPE in router mode (which I encourage) your options for V6 support are very limited. Mikrotik will do this. UBNT won’t. Cambium won’t.

The false sense of security folks have fallen into is Nat is just security by obscurity. It’s not really security. For the typical home user it’s on the borderline of good enough. As folks move away from nat to V6 you will also see performance increases on higher bandwidth circuits. Nat causes a performance hit. The router has to keep track of translation tables and the like. V6 still travels over port 80, 110, etc. You simply need a firewall that understands V6 and away you go.

This is where IP management software can help you. Some of them out there can export to DNS, can create iptables rules, etc. With V6 the goal is to have more things automated on the backend.

Justin
---
Justin Wilson j...@mtin.net
http://www.mtin.net Managed Services – xISP Solutions – Data Centers
http://www.thebrotherswisp.com Podcast about xISP topics
http://www.midwest-ix.com Peering – Transit – Internet Exchange

On Jul 1, 2015, at 11:38 AM, That One Guy /sarcasm thatoneguyst...@gmail.com wrote:

I guess I'm stuck in the limited space mindset with NAT, but many of our clients have multiple mail serverish devices on their networks that all need to present as the same IP to meet reverse DNS and SPF. I don't know whether my mindset on that is efficient or lazy. We have a lot of firewall access policies on our clients that limit access to only coming from our office firewall, nothing else. I suppose we could add all our workstations to that policy, or a subnet (I assume ip6 has subnets).

On Wed, Jul 1, 2015 at 10:26 AM, Paul Stewart p...@paulstewart.org wrote:

One other comment around "haven't had a security issue yet". I used to get the same argument from a former co-worker and my question was always "how do you know you haven't had a security issue?". It seems like
Re: [AFMUG] private ipv4 sale / leases
Almost... There's not much left...

https://www.arin.net/resources/request/ipv4_countdown.html

Regards,
Chuck

On Wed, Jul 1, 2015 at 3:24 AM, That One Guy /sarcasm thatoneguyst...@gmail.com wrote:

So how does this work? The boss dicked me on prior request. Will arin start enforcing allocations and recover the pirate space? I just got a /24 from our upstream but that's going away in the near term when they do some magic, I freed most of our /22 to reallocate appropriately for a request, with a lot of Nat. Is Xerox going to have to give up their bazillion before they tank me on our space? Does ip6 even NAT bro?

On Jun 30, 2015 11:17 PM, TJ Trout t...@voltbb.com wrote:

well ipv4 is officially gone. has anyone done any private ipv4 acquisitions? or black market? lol
Re: [AFMUG] private ipv4 sale / leases
Just saying that NAT is not needed. Every single IP gives you so much address space that you will never be able to use it. Essentially a number of globally routable set of static IPs come with every IP such that one single IP could probably run the whole planet right now.

From: Mike Hammett
Sent: Wednesday, July 01, 2015 7:09 AM
To: af@afmug.com
Subject: Re: [AFMUG] private ipv4 sale / leases

Why would you, though? The standard allocation is more than enough for just about anyone.

-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest Internet Exchange
http://www.midwest-ix.com

From: Chuck McCown ch...@wbmfg.com
To: af@afmug.com
Sent: Wednesday, July 1, 2015 8:07:13 AM
Subject: Re: [AFMUG] private ipv4 sale / leases

If you did it right, you could run your whole company off of one single ipv6 address. (Unless you have more than 281,474,976,710,656 customers).

From: Mike Hammett
Sent: Wednesday, July 01, 2015 7:00 AM
To: af@afmug.com
Subject: Re: [AFMUG] private ipv4 sale / leases

Check out the presentation ARIN gave at the last NANOG. They talked about the steps they'll be going through to recover allocations, but it's not expected to be anything significant or timely.

Why would you NAT IPv6?

-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest Internet Exchange
http://www.midwest-ix.com

From: That One Guy /sarcasm thatoneguyst...@gmail.com
To: af@afmug.com
Sent: Wednesday, July 1, 2015 2:24:41 AM
Subject: Re: [AFMUG] private ipv4 sale / leases

So how does this work? The boss dicked me on prior request. Will arin start enforcing allocations and recover the pirate space? I just got a /24 from our upstream but that's going away in the near term when they do some magic, I freed most of our /22 to reallocate appropriately for a request, with a lot of Nat. Is Xerox going to have to give up their bazillion before they tank me on our space? Does ip6 even NAT bro?

On Jun 30, 2015 11:17 PM, TJ Trout t...@voltbb.com wrote:

well ipv4 is officially gone. has anyone done any private ipv4 acquisitions? or black market? lol
Re: [AFMUG] private ipv4 sale / leases
Moderately. I've got firewall rules as mentioned. I just like the non-routable address. The fact that my PCs aren't public does make me feel a little better. Every service I have a port forward for has a log full of hack attempts.

- Original Message -
From: Josh Luthman
To: af@afmug.com
Sent: Wednesday, July 01, 2015 9:05 AM
Subject: Re: [AFMUG] private ipv4 sale / leases

What's the argument? Are you suggesting that NAT is in any way secure?

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Wed, Jul 1, 2015 at 10:00 AM, Glen Waldrop gwl...@cngwireless.net wrote:

Yeah, but the great thing about NAT is that my network isn't public. That is my primary argument with IPv6.

- Original Message -
From: Chuck McCown ch...@wbmfg.com
To: af@afmug.com
Sent: Wednesday, July 01, 2015 8:28 AM
Subject: Re: [AFMUG] private ipv4 sale / leases

You could use a single IPv6 to say, Mars. And everyone on Mars could have their own static IP that uses the first 64 to get to Mars and the second 64 to get to all the subscribers. Assuming routers exist that would do this.

-Original Message-
From: Matt
Sent: Wednesday, July 01, 2015 7:22 AM
To: af@afmug.com
Subject: Re: [AFMUG] private ipv4 sale / leases

Just saying that NAT is not needed. Every single IP gives you so much address space that you will never be able to use it. Essentially a number of globally routable set of static IPs come with every IP such that one single IP could probably run the whole planet right now.

You mean every /64 which is minimum customer assignment in most respects does. A single IPv6 IP is still just a single IP.
Re: [AFMUG] private ipv4 sale / leases
REMAINING IPV4 INVENTORY

Discrete Block Size (CIDR)    Number of Blocks Available
/23                           59
/24                           437

-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest Internet Exchange
http://www.midwest-ix.com

- Original Message -
From: Josh Luthman j...@imaginenetworksllc.com
To: af@afmug.com
Sent: Wednesday, July 1, 2015 7:57:16 AM
Subject: Re: [AFMUG] private ipv4 sale / leases

Iirc there were 34x /24 left when I last looked a couple weeks ago.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Jul 1, 2015 8:55 AM, Chuck Hogg ch...@shelbybb.com wrote:

Almost... There's not much left...

https://www.arin.net/resources/request/ipv4_countdown.html

Regards,
Chuck

On Wed, Jul 1, 2015 at 3:24 AM, That One Guy /sarcasm thatoneguyst...@gmail.com wrote:

So how does this work? The boss dicked me on prior request. Will arin start enforcing allocations and recover the pirate space? I just got a /24 from our upstream but that's going away in the near term when they do some magic, I freed most of our /22 to reallocate appropriately for a request, with a lot of Nat. Is Xerox going to have to give up their bazillion before they tank me on our space? Does ip6 even NAT bro?

On Jun 30, 2015 11:17 PM, TJ Trout t...@voltbb.com wrote:

well ipv4 is officially gone. has anyone done any private ipv4 acquisitions? or black market? lol
Re: [AFMUG] private ipv4 sale / leases
Just saying that NAT is not needed. Every single IP gives you so much address space that you will never be able to use it. Essentially a number of globally routable set of static IPs come with every IP such that one single IP could probably run the whole planet right now.

You mean every /64 which is minimum customer assignment in most respects does. A single IPv6 IP is still just a single IP.
Re: [AFMUG] private ipv4 sale / leases
Yeah, I think it's officially against ARIN's rules, but I have always assumed that those guys with /8's would start selling or leasing /24's.

On 7/1/2015 9:57 AM, Glen Waldrop wrote:

/dons sunglasses, trenchcoat and hat

Hey man, wanna buy some IPv4?

- Original Message -
From: TJ Trout t...@voltbb.com
To: af@afmug.com
Sent: Tuesday, June 30, 2015 11:17 PM
Subject: [AFMUG] private ipv4 sale / leases

well ipv4 is officially gone. has anyone done any private ipv4 acquisitions? or black market? lol
Re: [AFMUG] private ipv4 sale / leases
What's the argument? Are you suggesting that NAT is in any way secure?

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Wed, Jul 1, 2015 at 10:00 AM, Glen Waldrop gwl...@cngwireless.net wrote:

Yeah, but the great thing about NAT is that my network isn't public. That is my primary argument with IPv6.

- Original Message -
From: Chuck McCown ch...@wbmfg.com
To: af@afmug.com
Sent: Wednesday, July 01, 2015 8:28 AM
Subject: Re: [AFMUG] private ipv4 sale / leases

You could use a single IPv6 to say, Mars. And everyone on Mars could have their own static IP that uses the first 64 to get to Mars and the second 64 to get to all the subscribers. Assuming routers exist that would do this.

-Original Message-
From: Matt
Sent: Wednesday, July 01, 2015 7:22 AM
To: af@afmug.com
Subject: Re: [AFMUG] private ipv4 sale / leases

Just saying that NAT is not needed. Every single IP gives you so much address space that you will never be able to use it. Essentially a number of globally routable set of static IPs come with every IP such that one single IP could probably run the whole planet right now.

You mean every /64 which is minimum customer assignment in most respects does. A single IPv6 IP is still just a single IP.
Re: [AFMUG] private ipv4 sale / leases
Yeah, but the great thing about NAT is that my network isn't public. That is my primary argument with IPv6.

- Original Message -
From: Chuck McCown ch...@wbmfg.com
To: af@afmug.com
Sent: Wednesday, July 01, 2015 8:28 AM
Subject: Re: [AFMUG] private ipv4 sale / leases

You could use a single IPv6 to say, Mars. And everyone on Mars could have their own static IP that uses the first 64 to get to Mars and the second 64 to get to all the subscribers. Assuming routers exist that would do this.

-Original Message-
From: Matt
Sent: Wednesday, July 01, 2015 7:22 AM
To: af@afmug.com
Subject: Re: [AFMUG] private ipv4 sale / leases

Just saying that NAT is not needed. Every single IP gives you so much address space that you will never be able to use it. Essentially a number of globally routable set of static IPs come with every IP such that one single IP could probably run the whole planet right now.

You mean every /64 which is minimum customer assignment in most respects does. A single IPv6 IP is still just a single IP.
Re: [AFMUG] private ipv4 sale / leases
If you did it right, you could run your whole company off of one single ipv6 address. (Unless you have more than 281,474,976,710,656 customers).

From: Mike Hammett
Sent: Wednesday, July 01, 2015 7:00 AM
To: af@afmug.com
Subject: Re: [AFMUG] private ipv4 sale / leases

Check out the presentation ARIN gave at the last NANOG. They talked about the steps they'll be going through to recover allocations, but it's not expected to be anything significant or timely.

Why would you NAT IPv6?

-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest Internet Exchange
http://www.midwest-ix.com

From: That One Guy /sarcasm thatoneguyst...@gmail.com
To: af@afmug.com
Sent: Wednesday, July 1, 2015 2:24:41 AM
Subject: Re: [AFMUG] private ipv4 sale / leases

So how does this work? The boss dicked me on prior request. Will arin start enforcing allocations and recover the pirate space? I just got a /24 from our upstream but that's going away in the near term when they do some magic, I freed most of our /22 to reallocate appropriately for a request, with a lot of Nat. Is Xerox going to have to give up their bazillion before they tank me on our space? Does ip6 even NAT bro?

On Jun 30, 2015 11:17 PM, TJ Trout t...@voltbb.com wrote:

well ipv4 is officially gone. has anyone done any private ipv4 acquisitions? or black market? lol
Re: [AFMUG] private ipv4 sale / leases
Check out the presentation ARIN gave at the last NANOG. They talked about the steps they'll be going through to recover allocations, but it's not expected to be anything significant or timely.

Why would you NAT IPv6?

-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest Internet Exchange
http://www.midwest-ix.com

- Original Message -
From: That One Guy /sarcasm thatoneguyst...@gmail.com
To: af@afmug.com
Sent: Wednesday, July 1, 2015 2:24:41 AM
Subject: Re: [AFMUG] private ipv4 sale / leases

So how does this work? The boss dicked me on prior request. Will arin start enforcing allocations and recover the pirate space? I just got a /24 from our upstream but that's going away in the near term when they do some magic, I freed most of our /22 to reallocate appropriately for a request, with a lot of Nat. Is Xerox going to have to give up their bazillion before they tank me on our space? Does ip6 even NAT bro?

On Jun 30, 2015 11:17 PM, TJ Trout t...@voltbb.com wrote:

well ipv4 is officially gone. has anyone done any private ipv4 acquisitions? or black market? lol
Re: [AFMUG] private ipv4 sale / leases
Why would you, though? The standard allocation is more than enough for just about anyone.

-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest Internet Exchange
http://www.midwest-ix.com

- Original Message -
From: Chuck McCown ch...@wbmfg.com
To: af@afmug.com
Sent: Wednesday, July 1, 2015 8:07:13 AM
Subject: Re: [AFMUG] private ipv4 sale / leases

If you did it right, you could run your whole company off of one single ipv6 address. (Unless you have more than 281,474,976,710,656 customers).

From: Mike Hammett
Sent: Wednesday, July 01, 2015 7:00 AM
To: af@afmug.com
Subject: Re: [AFMUG] private ipv4 sale / leases

Check out the presentation ARIN gave at the last NANOG. They talked about the steps they'll be going through to recover allocations, but it's not expected to be anything significant or timely.

Why would you NAT IPv6?

-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest Internet Exchange
http://www.midwest-ix.com

- Original Message -
From: That One Guy /sarcasm thatoneguyst...@gmail.com
To: af@afmug.com
Sent: Wednesday, July 1, 2015 2:24:41 AM
Subject: Re: [AFMUG] private ipv4 sale / leases

So how does this work? The boss dicked me on prior request. Will arin start enforcing allocations and recover the pirate space? I just got a /24 from our upstream but that's going away in the near term when they do some magic, I freed most of our /22 to reallocate appropriately for a request, with a lot of Nat. Is Xerox going to have to give up their bazillion before they tank me on our space? Does ip6 even NAT bro?

On Jun 30, 2015 11:17 PM, TJ Trout t...@voltbb.com wrote:

well ipv4 is officially gone. has anyone done any private ipv4 acquisitions? or black market? lol
Re: [AFMUG] private ipv4 sale / leases
/dons sunglasses, trenchcoat and hat

Hey man, wanna buy some IPv4?

- Original Message -
From: TJ Trout
To: af@afmug.com
Sent: Tuesday, June 30, 2015 11:17 PM
Subject: [AFMUG] private ipv4 sale / leases

well ipv4 is officially gone. has anyone done any private ipv4 acquisitions? or black market? lol
Re: [AFMUG] private ipv4 sale / leases
True, but it also becomes true by adding a single firewall rule that drops new incoming connections.

On 7/1/2015 10:00 AM, Glen Waldrop wrote:

Yeah, but the great thing about NAT is that my network isn't public. That is my primary argument with IPv6.

- Original Message -
From: Chuck McCown ch...@wbmfg.com
To: af@afmug.com
Sent: Wednesday, July 01, 2015 8:28 AM
Subject: Re: [AFMUG] private ipv4 sale / leases

You could use a single IPv6 to say, Mars. And everyone on Mars could have their own static IP that uses the first 64 to get to Mars and the second 64 to get to all the subscribers. Assuming routers exist that would do this.

-Original Message-
From: Matt
Sent: Wednesday, July 01, 2015 7:22 AM
To: af@afmug.com
Subject: Re: [AFMUG] private ipv4 sale / leases

Just saying that NAT is not needed. Every single IP gives you so much address space that you will never be able to use it. Essentially a number of globally routable set of static IPs come with every IP such that one single IP could probably run the whole planet right now.

You mean every /64 which is minimum customer assignment in most respects does. A single IPv6 IP is still just a single IP.
Re: [AFMUG] private ipv4 sale / leases
Iirc there were 34x /24 left when I last looked a couple weeks ago.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Jul 1, 2015 8:55 AM, Chuck Hogg ch...@shelbybb.com wrote:

Almost... There's not much left...

https://www.arin.net/resources/request/ipv4_countdown.html

Regards,
Chuck

On Wed, Jul 1, 2015 at 3:24 AM, That One Guy /sarcasm thatoneguyst...@gmail.com wrote:

So how does this work? The boss dicked me on prior request. Will arin start enforcing allocations and recover the pirate space? I just got a /24 from our upstream but that's going away in the near term when they do some magic, I freed most of our /22 to reallocate appropriately for a request, with a lot of Nat. Is Xerox going to have to give up their bazillion before they tank me on our space? Does ip6 even NAT bro?

On Jun 30, 2015 11:17 PM, TJ Trout t...@voltbb.com wrote:

well ipv4 is officially gone. has anyone done any private ipv4 acquisitions? or black market? lol
Re: [AFMUG] private ipv4 sale / leases
ARIN activated the IPv4 Unmet Request policy (NRPM 4.1.8) this week with the approval of an address request that was larger than the available inventory in the regional IPv4 free pool. Full details about this process are available at:

https://www.arin.net/resources/request/waiting_list.html

ARIN does still have limited amounts of IPv4 address space available in smaller block sizes. We encourage customers to monitor the IPv4 Inventory Counter on the ARIN homepage and the breakdown of the remaining IPv4 inventory found on our IPv4 Depletion page:

https://www.arin.net/resources/request/ipv4_countdown.html

Organizations that need larger amounts of address space are encouraged to make use of the IPv4 transfer market for those needs. ARIN also reminds organizations of the ample availability of IPv6 address space, and encourages organizations to evaluate IPv6 address space for their ongoing public Internet network activities.

Please contact hostmas...@arin.net or our Help Desk +1.703.227.0660 if you have questions about IPv4 availability. We also host a recurring blog on IPv4 depletion status on the Team ARIN website to keep the community informed about the status of the ARIN IPv4 free pool:

http://teamarin.net/category/ipv4-depletion

Regards,
John Curran
President CEO
American Registry for Internet Numbers (ARIN)

___
ARIN-Announce
You are receiving this message because you are subscribed to the ARIN Announce Mailing List (arin-annou...@arin.net).
Unsubscribe or manage your mailing list subscription at:
http://lists.arin.net/mailman/listinfo/arin-announce
Please contact i...@arin.net if you experience any issues.

From: Paul Stewart
Sent: Wednesday, July 01, 2015 9:55 AM
To: af@afmug.com
Subject: Re: [AFMUG] private ipv4 sale / leases

Virtually nothing left that is useful … hoping that people start to take IPv6 more seriously – your business (referring to the masses) may someday depend on it ..

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Josh Luthman
Sent: Wednesday, July 1, 2015 9:08 AM
To: af@afmug.com
Subject: Re: [AFMUG] private ipv4 sale / leases

Way off!!!

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Jul 1, 2015 8:59 AM, Mike Hammett af...@ics-il.net wrote:

REMAINING IPV4 INVENTORY

Discrete Block Size (CIDR)    Number of Blocks Available
/23                           59
/24                           437

-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest Internet Exchange
http://www.midwest-ix.com

--
From: Josh Luthman j...@imaginenetworksllc.com
To: af@afmug.com
Sent: Wednesday, July 1, 2015 7:57:16 AM
Subject: Re: [AFMUG] private ipv4 sale / leases

Iirc there were 34x /24 left when I last looked a couple weeks ago.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Jul 1, 2015 8:55 AM, Chuck Hogg ch...@shelbybb.com wrote:

Almost... There's not much left...

https://www.arin.net/resources/request/ipv4_countdown.html

Regards,
Chuck

On Wed, Jul 1, 2015 at 3:24 AM, That One Guy /sarcasm thatoneguyst...@gmail.com wrote:

So how does this work? The boss dicked me on prior request. Will arin start enforcing allocations and recover the pirate space? I just got a /24 from our upstream but that's going away in the near term when they do some magic, I freed most of our /22 to reallocate appropriately for a request, with a lot of Nat. Is Xerox going to have to give up their bazillion before they tank me on our space? Does ip6 even NAT bro?

On Jun 30, 2015 11:17 PM, TJ Trout t...@voltbb.com wrote:

well ipv4 is officially gone. has anyone done any private ipv4 acquisitions? or black market? lol
Re: [AFMUG] private ipv4 sale / leases
Maybe I need to study a bit more, but I run MT, haven't had a security issue yet. I've got a firewall configured on the MT. The only way I see into my network is owning one of my routers, though you guys may educate me. We've had plenty of attempts. The only thing that has successfully shut us down so far was the DNS DDoS attack saturating our fiber.

I know nothing is 100% secure, but not having my personal network directly on the Internet certainly seems better to me.

- Original Message -
From: Ken Hohhof af...@kwisp.com
To: af@afmug.com
Sent: Wednesday, July 01, 2015 10:09 AM
Subject: Re: [AFMUG] private ipv4 sale / leases

NAT is not security through obscurity, unless you're referring to 1:1 NAT which is not what most people mean when they say NAT.

Setting up NAT in a Mikrotik illuminates the situation. In order for NAT (actually overloaded dynamic NAT/PAT) to work, you must turn on connection tracking, allow incoming established and related, and block all other inbound traffic unless port forwarding is set up via dstnat. In other words, a stateful firewall.

Now if you're talking about advanced firewall functions like detecting/blocking/reporting intrusion attempts, yeah that's great, but it's beyond what 99.99% of people implement in their firewall.

-Original Message-
From: Paul Stewart
Sent: Wednesday, July 01, 2015 9:52 AM
To: af@afmug.com
Subject: Re: [AFMUG] private ipv4 sale / leases

I'm not sure your argument is really valid.. NAT is security through obscurity which translates to zero additional security also known as false security

IPv6 behind a stateful firewall is just as secure - some folks would argue it's more secure but that argument would take several paragraphs to get into ;)

-Original Message-
From: Af [mailto:af-boun...@afmug.com] On Behalf Of Glen Waldrop
Sent: Wednesday, July 1, 2015 10:01 AM
To: af@afmug.com
Subject: Re: [AFMUG] private ipv4 sale / leases

Yeah, but the great thing about NAT is that my network isn't public. That is my primary argument with IPv6.

- Original Message -
From: Chuck McCown ch...@wbmfg.com
To: af@afmug.com
Sent: Wednesday, July 01, 2015 8:28 AM
Subject: Re: [AFMUG] private ipv4 sale / leases

You could use a single IPv6 to say, Mars. And everyone on Mars could have their own static IP that uses the first 64 to get to Mars and the second 64 to get to all the subscribers. Assuming routers exist that would do this.

-Original Message-
From: Matt
Sent: Wednesday, July 01, 2015 7:22 AM
To: af@afmug.com
Subject: Re: [AFMUG] private ipv4 sale / leases

Just saying that NAT is not needed. Every single IP gives you so much address space that you will never be able to use it. Essentially a number of globally routable set of static IPs come with every IP such that one single IP could probably run the whole planet right now.

You mean every /64 which is minimum customer assignment in most respects does. A single IPv6 IP is still just a single IP.
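Ken Hohhof's point in the message quoted above (masquerade NAT on a Mikrotik only works with connection tracking, an accept for established/related, and a drop of everything else inbound unless a dstnat forward exists, which is a stateful firewall) and the earlier reply that one drop-new-inbound rule gives a public IPv6 LAN the same property can be modelled in a few lines. The Python below is an added example written for this thread, not code from any poster or from Mikrotik; the EdgeRouter class, the addresses (RFC 1918, TEST-NET and 2001:db8:: documentation ranges) and the port numbers are all constructed for illustration.

```python
"""Model of why NAT 'protects' a LAN: the stateful rule set, not the translation.

Constructed example. A minimal connection tracker is applied to three
policies: IPv4 with masquerade NAT, IPv6 with no NAT but the same stateful
rules, and IPv6 with no filter at all.
"""
from dataclasses import dataclass, replace
import ipaddress

# Constructed addresses: RFC 1918 LAN, TEST-NET-3 public IPv4, RFC 3849 IPv6 prefix.
LAN4 = ipaddress.ip_network("192.168.88.0/24")
WAN4 = "203.0.113.7"
LAN6 = ipaddress.ip_network("2001:db8:1::/64")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class EdgeRouter:
    """One LAN behind one WAN link.

    nat=True      : overloaded source NAT (masquerade) plus dst-NAT port forwards
    stateful=True : accept established/related, drop any other inbound 'new'
    """

    def __init__(self, lan, nat=False, stateful=True, forwards=None):
        self.lan = lan
        self.nat = nat
        self.stateful = stateful
        self.forwards = forwards or {}   # WAN dport -> (inside addr, inside port)
        self.conntrack = {}              # (remote, rport, local, lport) -> (inside addr, port)
        self.next_port = 1024            # next public source port to hand out when NATing
        self.dropped = []                # what the firewall log would show

    def outbound(self, pkt):
        """A LAN host opens a connection: record state, translate if NAT."""
        assert ipaddress.ip_address(pkt.src) in self.lan
        if self.nat:
            local, lport = WAN4, self.next_port
            self.next_port += 1
        else:
            local, lport = pkt.src, pkt.sport
        self.conntrack[(pkt.dst, pkt.dport, local, lport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=local, sport=lport)

    def inbound(self, pkt):
        """A packet arrives from the WAN: return what the LAN host sees, or None."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            # established/related: a reply to something the LAN initiated
            inside, iport = self.conntrack[key]
            return replace(pkt, dst=inside, dport=iport)
        if pkt.dport in self.forwards:
            # dstnat / explicit accept rule: the 'ladder to the window'
            inside, iport = self.forwards[pkt.dport]
            return replace(pkt, dst=inside, dport=iport)
        if self.nat or self.stateful:
            # NAT: no translation target exists. Stateful: 'new' from the WAN is dropped.
            self.dropped.append(pkt)
            return None
        # Neither NAT nor state tracking: a globally routable host is simply reached.
        return pkt


def run_scenarios():
    """Same traffic against three routers; True means the packet reached the LAN."""
    remote, remote6 = "198.51.100.9", "2001:db8:ffff::9"   # constructed remote hosts
    results = {}

    nat4 = EdgeRouter(LAN4, nat=True, forwards={8080: ("192.168.88.10", 80)})
    results["v4_nat_unsolicited"] = nat4.inbound(Packet(remote, 40000, WAN4, 3389)) is not None
    out = nat4.outbound(Packet("192.168.88.20", 51000, remote, 443))
    reply = nat4.inbound(Packet(remote, 443, out.src, out.sport))
    results["v4_nat_reply"] = reply is not None and reply.dst == "192.168.88.20"
    results["v4_nat_forward"] = nat4.inbound(Packet(remote, 40001, WAN4, 8080)).dst == "192.168.88.10"
    results["v4_nat_drops_logged"] = len(nat4.dropped)

    fw6 = EdgeRouter(LAN6, nat=False, stateful=True)
    results["v6_stateful_unsolicited"] = fw6.inbound(Packet(remote6, 40000, "2001:db8:1::20", 3389)) is not None
    out6 = fw6.outbound(Packet("2001:db8:1::20", 51000, remote6, 443))
    results["v6_stateful_reply"] = fw6.inbound(Packet(remote6, 443, out6.src, out6.sport)) is not None

    open6 = EdgeRouter(LAN6, nat=False, stateful=False)
    results["v6_open_unsolicited"] = open6.inbound(Packet(remote6, 40000, "2001:db8:1::20", 3389)) is not None
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:26} {outcome}")
```

Run it and the three cases line up: the unsolicited inbound packet is dropped by the NAT router and by the stateful IPv6 router for the same reason (no state and no explicit accept), the reply to a LAN-initiated connection is delivered by both, and only the router with neither NAT nor state tracking delivers the unsolicited packet. The `dropped` list is the model's version of the "log full of hack attempts" Glen mentions for his forwarded ports. On RouterOS the stateful side is the usual three forward-chain rules (accept established,related; drop invalid; drop new arriving on the WAN interface); on the IPv6 side an accept for ICMPv6 is also needed, since neighbour discovery and path-MTU discovery break without it, a detail this model leaves out.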
Re: [AFMUG] private ipv4 sale / leases
I forget what it's called, but there's a component of IPv6 where a computer *can* use a new IP address for each request to avoid tracking. Disposable IPs, though obviously the service provider knows the range they've allocated for legal purposes.

- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest Internet Exchange http://www.midwest-ix.com
Re: [AFMUG] private ipv4 sale / leases
Just to clarify, I'm agreeing with you. IPv6 on the other hand would be security through obscurity if you don't implement a firewall. Which I assume everyone would do. But we know what happens when you ass-u-me.
Re: [AFMUG] private ipv4 sale / leases
Virtually nothing left that is useful … hoping that people start to take IPv6 more seriously – your business (referring to the masses) may someday depend on it ..

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Josh Luthman Sent: Wednesday, July 1, 2015 9:08 AM To: af@afmug.com Subject: Re: [AFMUG] private ipv4 sale / leases

Way off!!!

Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373

On Jul 1, 2015 8:59 AM, Mike Hammett af...@ics-il.net wrote:

REMAINING IPV4 INVENTORY
Discrete Block Size (CIDR)    Number of Blocks Available
/23                           59
/24                           437

- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com https://www.facebook.com/ICSIL https://plus.google.com/+IntelligentComputingSolutionsDeKalb https://www.linkedin.com/company/intelligent-computing-solutions https://twitter.com/ICSIL Midwest Internet Exchange http://www.midwest-ix.com https://www.facebook.com/mdwestix https://www.linkedin.com/company/midwest-internet-exchange https://twitter.com/mdwestix

From: Josh Luthman j...@imaginenetworksllc.com To: af@afmug.com Sent: Wednesday, July 1, 2015 7:57:16 AM Subject: Re: [AFMUG] private ipv4 sale / leases

Iirc there were 34x /24 left when I last looked a couple weeks ago.

Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373

On Jul 1, 2015 8:55 AM, Chuck Hogg ch...@shelbybb.com wrote:

Almost...There's not much left... https://www.arin.net/resources/request/ipv4_countdown.html

Regards, Chuck

On Wed, Jul 1, 2015 at 3:24 AM, That One Guy /sarcasm thatoneguyst...@gmail.com wrote:

So how does this work? The boss dicked me on prior request. Will arin start enforcing allocations and recover the pirate space? I just got a /24 from our upstream but that's going away in the near term when they do some magic, I freed most of our /22 to reallocate appropriately for a request, with a lot of Nat. Is Xerox going to have to give up their bazillion before they tank me on our space? Does ip6 even NAT bro?

On Jun 30, 2015 11:17 PM, TJ Trout t...@voltbb.com wrote:

well ipv4 is officially gone. has anyone done any private ipv4 acquisitions? or black market? lol
Re: [AFMUG] private ipv4 sale / leases
For one I've got 5 PCs on this network that I use regularly, never had an issue. Secondly, whenever *anything* hinky is going on (here, there, QoS tweaking, etc) I torch the Ethernet connection to see what is going on and where it is being dropped. I forgot to mention earlier, we have had an issue with my Linux email server, security flaw, patched and now secured by the Mikrotik rather than its own firewall. I see in my logs where people are attacking my network constantly. I'd much rather have 10-15 points to defend than hundreds.

- Original Message - From: Paul Stewart p...@paulstewart.org To: af@afmug.com Sent: Wednesday, July 01, 2015 10:26 AM Subject: Re: [AFMUG] private ipv4 sale / leases

One other comment around "haven't had a security issue yet". I used to get the same argument from a former co-worker and my question was always "how do you know you haven't had a security issue?". It seems like a loaded question but unless you have some pretty advanced security *in* your network, then most folks don't know they have been breached. I showed someone a few years ago that their Windows server had been pawned and they didn't believe me at first - then I showed that for the previous 3 years someone had full access remotely to that server and had been gathering data from it on a regular basis. This server was behind two layers of firewalls, host IDS, network IDS, anti-spyware, and anti-virus. Pretty extreme example but have seen it happen more than once...
Re: [AFMUG] private ipv4 sale / leases
IPV6 is very DNS orientated. There is no way you are going to remember ip addresses like you do in V4. DNS and backend systems are going to become more and more critical to the ISPs who are providing V6. Also, IMHO, more and more managed routers are going to be deployed as folks go to V6. Those who support customer owned routers will be overwhelmed if they follow the same philosophy with V6 routers. Full IPv6 support is severely lacking in many manufacturers. So, now you have semi-compliant devices out there with buggy software doing weird things. This becomes a troubleshooting nightmare for folks. To combat this I think we will see those deploying V6 sending out a “modem” or managed router that is the endpoint. Right now, if you are running your CPE in router mode (which I encourage) your options for V6 support are very limited. Mikrotik will do this. UBNT won’t. Cambium won’t.

The false sense of security folks have fallen into is Nat is just security by obscurity. It’s not really security. For the typical home user it’s on the borderline of good enough. As folks move away from nat to V6 you will also see performance increases on higher bandwidth circuits. Nat causes a performance hit. The router has to keep track of translation tables and the like. V6 still travels over port 80, 110, etc. You simply need a firewall that understands V6 and away you go. This is where IP management software can help you. Some of them out there can export to DNS, can create iptables rules, etc. With V6 the goal is to have more things automated on the backend.

Justin --- Justin Wilson j...@mtin.net http://www.mtin.net Managed Services – xISP Solutions – Data Centers http://www.thebrotherswisp.com Podcast about xISP topics http://www.midwest-ix.com Peering – Transit – Internet Exchange

On Jul 1, 2015, at 11:38 AM, That One Guy /sarcasm thatoneguyst...@gmail.com wrote:

I guess I'm stuck in the limited space mindset with NAT but many of our clients have multiple mail serverish devices on their networks that all need to present as the same IP to meet reverse DNS and spf. I don't know whether my mindset on that is efficient or lazy. We have a lot of firewall access policies on our clients that limit access to only coming from our office firewall, nothing else, I suppose we could add all our workstations to that policy, or a subnet (I assume ip6 has subnets)
Re: [AFMUG] private ipv4 sale / leases
NAT is not security through obscurity, unless you're referring to 1:1 NAT which is not what most people mean when they say NAT. Setting up NAT in a Mikrotik illuminates the situation. In order for NAT (actually overloaded dynamic NAT/PAT) to work, you must turn on connection tracking, allow incoming established and related, and block all other inbound traffic unless port forwarding is set up via dstnat. In other words, a stateful firewall. Now if you're talking about advanced firewall functions like detecting/blocking/reporting intrusion attempts, yeah that's great, but it's beyond what 99.99% of people implement in their firewall.
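An added example, not any poster's own configuration: a RouterOS rule set that makes the point Ken and Justin are arguing concrete. The masquerade rule by itself translates addresses and filters nothing; the established/related accept and the catch-all drop in the forward chain are the stateful firewall, and the IPv6 section is that same policy written out explicitly because there is no NAT step to force it. Interface names (ether1 as WAN, bridge as LAN), the 192.168.88.0/24 LAN, the mail host addresses and the 2001:db8:1::/64 prefix are assumptions.

```routeros
# Assumed topology: ether1 = upstream, bridge = LAN (192.168.88.0/24 and 2001:db8:1::/64)

# Connection tracking has to be on for overloaded NAT, and for any stateful rule, to work
/ip firewall connection tracking set enabled=yes

# Source NAT: hides the LAN behind the WAN address. This rule on its own blocks nothing.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
# Port forward for the mail host: the one deliberate hole (the "ladder to the window")
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=25 action=dst-nat to-addresses=192.168.88.25

# The actual security: a stateful filter on the forward chain
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="replies to LAN-initiated flows"
add chain=forward connection-state=invalid action=drop
# Only new inbound connections that matched a dstnat rule get through
add chain=forward connection-state=new connection-nat-state=dstnat in-interface=ether1 action=accept
# Everything else arriving from the WAN is dropped and logged, so the attempts show up in /log
add chain=forward connection-state=new in-interface=ether1 action=drop log=yes log-prefix="wan-drop4"

# IPv6: no NAT, so the same stateful policy must be written explicitly
/ipv6 firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# ICMPv6 carries neighbor discovery and path MTU discovery; dropping it breaks v6
add chain=forward protocol=icmpv6 action=accept
# Explicit inbound allow for the one exposed service (the v6 counterpart of the dstnat rule)
add chain=forward in-interface=ether1 protocol=tcp dst-port=25 dst-address=2001:db8:1::25/128 action=accept
# Default deny for unsolicited traffic from the WAN, logged like the v4 rule
add chain=forward connection-state=new in-interface=ether1 action=drop log=yes log-prefix="wan-drop6"
```

Rules protecting the router itself (the input chain) are left out; the block shows only the forwarding policy the thread is arguing about.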
Re: [AFMUG] private ipv4 sale / leases
Just think of the number of IP’s assigned to organizations, but not being used.

Tyson Burris, President Internet Communications Inc. 739 Commerce Dr. Franklin, IN 46131 317-738-0320 Daytime # 317-412-1540 Cell/Direct # Online: www.surfici.net What can ICI do for you? Broadband Wireless - PtP/PtMP Solutions - WiMax - Mesh Wifi/Hotzones - IP Security - Fiber - Tower - Infrastructure. CONFIDENTIALITY NOTICE: This e-mail is intended for the addressee shown. It contains information that is confidential and protected from disclosure. Any review, dissemination or use of this transmission or its contents by unauthorized organizations or individuals is strictly prohibited.
Re: [AFMUG] private ipv4 sale / leases
One other comment around "haven't had a security issue yet". I used to get the same argument from a former co-worker and my question was always "how do you know you haven't had a security issue?". It seems like a loaded question but unless you have some pretty advanced security *in* your network, then most folks don't know they have been breached. I showed someone a few years ago that their Windows server had been pawned and they didn't believe me at first - then I showed that for the previous 3 years someone had full access remotely to that server and had been gathering data from it on a regular basis. This server was behind two layers of firewalls, host IDS, network IDS, anti-spyware, and anti-virus. Pretty extreme example but have seen it happen more than once...
Re: [AFMUG] private ipv4 sale / leases
I'm not sure your argument is really valid.. NAT is security through obscurity which translates to zero additional security, also known as false security. IPv6 behind a stateful firewall is just as secure - some folks would argue it's more secure but that argument would take several paragraphs to get into ;)
Re: [AFMUG] private ipv4 sale / leases
Doing an ifconfig on a Mac and you’ll see a lot of “temporary” IPv6 addresses. These are used for outbound connections on a temporary basis and get phased out routinely and replaced with new temporary IPv6 addresses for new outbound connections. I currently show 8 temporary IPv6 IPs. How Windows handles the temporary issues I can’t remember. The main IP for inbound connections still exists and is persistent on reboot, but how many bots are going to scan all 18 quintillion IPv6 addresses in my one /64 alone for open ports?
Re: [AFMUG] private ipv4 sale / leases
I guess I'm stuck in the limited-space mindset with NAT, but many of our clients have multiple mail-server-ish devices on their networks that all need to present as the same IP to meet reverse DNS and SPF. I don't know whether my mindset on that is efficient or lazy. We have a lot of firewall access policies on our clients that limit access to only coming from our office firewall, nothing else. I suppose we could add all our workstations to that policy, or a subnet (I assume IPv6 has subnets).

On Wed, Jul 1, 2015 at 10:26 AM, Paul Stewart p...@paulstewart.org wrote:

One other comment around "haven't had a security issue yet". I used to get the same argument from a former co-worker, and my question was always "how do you know you haven't had a security issue?". It seems like a loaded question, but unless you have some pretty advanced security *in* your network, then most folks don't know they have been breached. I showed someone a few years ago that their Windows server had been pawned and they didn't believe me at first - then I showed that for the previous 3 years someone had full access remotely to that server and had been gathering data from it on a regular basis. This server was behind two layers of firewalls, host IDS, network IDS, anti-spyware, and anti-virus. Pretty extreme example, but I have seen it happen more than once...

-Original Message-
From: Af [mailto:af-boun...@afmug.com] On Behalf Of Glen Waldrop
Sent: Wednesday, July 1, 2015 11:16 AM
To: af@afmug.com
Subject: Re: [AFMUG] private ipv4 sale / leases

Maybe I need to study a bit more, but I run MT, haven't had a security issue yet. I've got a firewall configured on the MT. The only way I see into my network is owning one of my routers, though you guys may educate me. We've had plenty of attempts. The only thing that has successfully shut us down so far was the DNS DDoS attack saturating our fiber. I know nothing is 100% secure, but not having my personal network directly on the Internet certainly seems better to me.

- Original Message -
From: Ken Hohhof af...@kwisp.com
To: af@afmug.com
Sent: Wednesday, July 01, 2015 10:09 AM
Subject: Re: [AFMUG] private ipv4 sale / leases

NAT is not security through obscurity, unless you're referring to 1:1 NAT, which is not what most people mean when they say NAT. Setting up NAT in a Mikrotik illuminates the situation. In order for NAT (actually overloaded dynamic NAT/PAT) to work, you must turn on connection tracking, allow incoming established and related, and block all other inbound traffic unless port forwarding is set up via dstnat. In other words, a stateful firewall. Now if you're talking about advanced firewall functions like detecting/blocking/reporting intrusion attempts, yeah, that's great, but it's beyond what 99.99% of people implement in their firewall.

-Original Message-
From: Paul Stewart
Sent: Wednesday, July 01, 2015 9:52 AM
To: af@afmug.com
Subject: Re: [AFMUG] private ipv4 sale / leases

I'm not sure your argument is really valid.. NAT is security through obscurity, which translates to zero additional security, also known as false security. IPv6 behind a stateful firewall is just as secure - some folks would argue it's more secure, but that argument would take several paragraphs to get into ;)

-Original Message-
From: Af [mailto:af-boun...@afmug.com] On Behalf Of Glen Waldrop
Sent: Wednesday, July 1, 2015 10:01 AM
To: af@afmug.com
Subject: Re: [AFMUG] private ipv4 sale / leases

Yeah, but the great thing about NAT is that my network isn't public. That is my primary argument with IPv6.

- Original Message -
From: Chuck McCown ch...@wbmfg.com
To: af@afmug.com
Sent: Wednesday, July 01, 2015 8:28 AM
Subject: Re: [AFMUG] private ipv4 sale / leases

You could use a single IPv6 to say, Mars. And everyone on Mars could have their own static IP that uses the first 64 to get to Mars and the second 64 to get to all the subscribers. Assuming routers exist that would do this.

-Original Message-
From: Matt
Sent: Wednesday, July 01, 2015 7:22 AM
To: af@afmug.com
Subject: Re: [AFMUG] private ipv4 sale / leases

Just saying that NAT is not needed. Every single IP gives you so much address space that you will never be able to use it. Essentially a number of globally routable set of static IPs come with every IP such that one single IP could probably run the whole planet right now.

You mean every /64, which is the minimum customer assignment in most respects, does. A single IPv6 IP is still just a single IP.

--
If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.
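Ken Hohhof's point in the quoted chain above (overloaded NAT/PAT only works once connection tracking is on and an established/related rule is in place, so the thing that actually filters is a stateful firewall, while 1:1 NAT is a different animal) can be made concrete with a toy model. The following is an added example, not code from anyone in the thread or from Mikrotik; the gateway classes, addresses and ports are constructed. It also runs the identical policy as a translation-free IPv6 firewall, which is the "just as secure" case Paul Stewart describes.

```python
"""Added example (not from the thread): a toy connection tracker that shows why
overloaded NAT/PAT needs state, that the 'established/related in, everything
else dropped unless dstnat' policy is what actually filters traffic, and that
the same policy protects IPv6 hosts with no translation at all. All addresses
and ports are constructed sample values."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulGateway:
    """Edge router with connection tracking. With public_ip set it behaves as
    overloaded NAT/PAT; with public_ip=None it is a plain stateful IPv6 (or
    public-IPv4) firewall. forwards maps a public port to (inner ip, port),
    i.e. a dstnat port forward."""

    def __init__(self, public_ip: Optional[str] = None, forwards=None):
        self.public_ip = public_ip
        self.forwards = dict(forwards or {})
        # conntrack table: (local-side ip, port, remote ip, port) -> inner (ip, port)
        self.table = {}
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: record the flow; translate the source if NATing."""
        if self.public_ip is None:
            self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            return pkt
        pub_port = self.next_port
        self.next_port += 1
        self.table[(self.public_ip, pub_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: deliver only replies to tracked flows (the
        'established/related' rule) or explicit forwards; drop the rest."""
        hit = self.table.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if hit is not None:
            ip, port = hit
            return Packet(pkt.src, pkt.sport, ip, port)
        if self.public_ip is not None and pkt.dst == self.public_ip and pkt.dport in self.forwards:
            ip, port = self.forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, ip, port)
        return None  # unsolicited new inbound connection: dropped


class OneToOneNat:
    """1:1 NAT with no connection tracking (the case Ken sets apart): every
    packet to the public address is rewritten and delivered, so translation
    by itself filters nothing."""

    def __init__(self, public_ip: str, inner_ip: str):
        self.public_ip, self.inner_ip = public_ip, inner_ip

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst != self.public_ip:
            return None
        return Packet(pkt.src, pkt.sport, self.inner_ip, pkt.dport)


def demo() -> dict:
    """Run the same traffic through PAT, through a stateful IPv6 firewall, and
    through stateless 1:1 NAT; returns what reaches the inside (None = dropped)."""
    pat = StatefulGateway("203.0.113.1", forwards={443: ("192.168.1.10", 443)})
    out4 = pat.outbound(Packet("192.168.1.20", 51000, "198.51.100.5", 80))
    reply4 = pat.inbound(Packet("198.51.100.5", 80, out4.src, out4.sport))
    probe4 = pat.inbound(Packet("198.51.100.9", 12345, "203.0.113.1", 22))
    fwd4 = pat.inbound(Packet("198.51.100.9", 12345, "203.0.113.1", 443))

    v6 = StatefulGateway()  # no translation; the inside host keeps its global address
    v6.outbound(Packet("2001:db8:1::20", 51000, "2001:db8:ffff::5", 80))
    reply6 = v6.inbound(Packet("2001:db8:ffff::5", 80, "2001:db8:1::20", 51000))
    probe6 = v6.inbound(Packet("2001:db8:ffff::9", 12345, "2001:db8:1::20", 22))

    one2one = OneToOneNat("203.0.113.2", "192.168.1.30")
    probe11 = one2one.inbound(Packet("198.51.100.9", 12345, "203.0.113.2", 22))

    return {"pat_out": out4, "pat_reply": reply4, "pat_probe": probe4, "pat_fwd": fwd4,
            "v6_reply": reply6, "v6_probe": probe6, "one2one_probe": probe11}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:14} -> {'DROPPED' if pkt is None else pkt}")
```

Read the three outcomes together: the PAT gateway and the untranslated IPv6 gateway give the same answers (replies delivered, unsolicited probe dropped, forward admitted), because both decisions come from the conntrack table and not from the address rewrite; the 1:1 box, which rewrites but does not track, hands the probe straight to the inside host.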
Re: [AFMUG] private ipv4 sale / leases
and bars on the windows?

bp
part15sbs{at}gmail{dot}com

On 7/1/2015 10:26 AM, That One Guy /sarcasm wrote:

I correlate the NAT security to a daughter's bedroom. Most fathers don't have an exterior door on their daughter's bedroom. You don't just walk directly in; sure, somebody can put a ladder to her window (port forward), but by default there is a slight measure of security because you have to come in the house door and traverse your way to her bedroom. Now, it's always best to have a firewall (you put the daughter's bedroom at the end of the hall past dad's room). Then, to be super secure, you put in a Smith and Wesson IDS.
Re: [AFMUG] private ipv4 sale / leases
I think we're having two different conversations here. I'm using NAT with a firewall. I don't think anyone is saying NAT by itself is secure.

- Original Message -
From: Justin Wilson - MTIN
To: af@afmug.com
Sent: Wednesday, July 01, 2015 11:01 AM
Subject: Re: [AFMUG] private ipv4 sale / leases

IPV6 is very DNS orientated. There is no way you are going to remember IP addresses like you do in V4. DNS and backend systems are going to become more and more critical to the ISPs who are providing V6. Also, IMHO, more and more managed routers are going to be deployed as folks go to V6. Those who support customer-owned routers will be overwhelmed if they follow the same philosophy with V6 routers. Full IPv6 support is severely lacking in many manufacturers. So, now you have semi-compliant devices out there with buggy software doing weird things. This becomes a troubleshooting nightmare for folks. To combat this I think we will see those deploying V6 sending out a "modem" or managed router that is the endpoint. Right now, if you are running your CPE in router mode (which I encourage) your options for V6 support are very limited. Mikrotik will do this. UBNT won't. Cambium won't.

The false sense of security folks have fallen into is that NAT is just security by obscurity. It's not really security. For the typical home user it's on the borderline of good enough. As folks move away from NAT to V6 you will also see performance increases on higher-bandwidth circuits. NAT causes a performance hit. The router has to keep track of translation tables and the like. V6 still travels over port 80, 110, etc. You simply need a firewall that understands V6 and away you go. This is where IP management software can help you. Some of them out there can export to DNS, can create iptables rules, etc. With V6 the goal is to have more things automated on the backend.

Justin
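Two things in the thread come together in a small piece of tooling: Matt's "every /64 is the minimum customer assignment" and Justin's note, quoted above, that IP management software should export DNS and create iptables rules so more of the V6 backend is automated. The following is an added example, not the thread's code nor any IPAM product's; the /48 (a documentation prefix), the customer and device names, and the SMTP allow policy are constructed. The ip6tables command syntax is real, but the rules are only produced as strings, not applied.

```python
"""Added example (not the thread's or any vendor's code): a minimal IPv6
address-management backend that hands each customer a /64 out of an ISP
/48, assigns addresses to named devices, and exports the AAAA/PTR records
and ip6tables edge rules that such tooling is expected to generate.
The /48, customer and device names are constructed sample values."""
import ipaddress

# Constructed documentation prefix (2001:db8::/32 range), not a real allocation
ISP_POOL = ipaddress.ip_network("2001:db8:100::/48")

# Constructed inventory: customer zone -> {device hostname: interface id}
INVENTORY = {
    "cust-a.example.net": {"router": 1, "mail1": 0x10, "mail2": 0x11},
    "cust-b.example.net": {"router": 1, "cam1": 0x20},
}


def customer_capacity(pool: ipaddress.IPv6Network) -> int:
    """How many /64 customer assignments a pool holds (a /48 holds 65536)."""
    return 2 ** (64 - pool.prefixlen)


def allocate_prefixes(pool, customers):
    """Give each customer one /64, the minimum per-customer assignment, in order."""
    gen = pool.subnets(new_prefix=64)
    return {name: next(gen) for name in customers}


def device_addresses(prefixes, inventory):
    """fqdn -> IPv6Address: the customer's /64 plus the device's interface id."""
    out = {}
    for cust, devices in inventory.items():
        net = prefixes[cust]
        for host, iid in devices.items():
            out[f"{host}.{cust}"] = net[iid]   # net[n] is the n-th address in the /64
    return out


def dns_records(addresses):
    """Forward (AAAA) and reverse (PTR) zone lines; the ip6.arpa name comes
    from the stdlib, so the 32 reversed nibbles are never hand-typed."""
    lines = []
    for fqdn, addr in sorted(addresses.items()):
        lines.append(f"{fqdn}. IN AAAA {addr}")
        lines.append(f"{addr.reverse_pointer}. IN PTR {fqdn}.")
    return lines


def ip6tables_rules(prefixes, allowed_inbound):
    """Stateful edge policy for the customer /64s, mirroring what IPv4 NAT
    forces on you: replies in, explicit service allows in (the IPv6 stand-in
    for a port forward), everything else inbound dropped, customer traffic out.
    allowed_inbound is a list of (IPv6Address, proto, port). Rules are
    returned as strings and not applied here."""
    rules = [
        "ip6tables -P FORWARD DROP",
        "ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # ICMPv6 is not optional in v6 (PMTU discovery etc.); narrow by type in production
        "ip6tables -A FORWARD -p icmpv6 -j ACCEPT",
    ]
    for addr, proto, port in allowed_inbound:
        rules.append(f"ip6tables -A FORWARD -d {addr} -p {proto} --dport {port} "
                     f"-m conntrack --ctstate NEW -j ACCEPT")
    for cust, net in sorted(prefixes.items()):
        rules.append(f"ip6tables -A FORWARD -s {net} -j ACCEPT  # {cust} outbound")
    return rules


def build_all():
    """Run the whole export for the constructed inventory."""
    prefixes = allocate_prefixes(ISP_POOL, INVENTORY)
    addresses = device_addresses(prefixes, INVENTORY)
    # constructed policy: the two mail hosts accept SMTP from the Internet
    allowed = [(addresses["mail1.cust-a.example.net"], "tcp", 25),
               (addresses["mail2.cust-a.example.net"], "tcp", 25)]
    return {
        "prefixes": prefixes,
        "addresses": addresses,
        "dns": dns_records(addresses),
        "rules": ip6tables_rules(prefixes, allowed),
    }


if __name__ == "__main__":
    result = build_all()
    print(f"{customer_capacity(ISP_POOL)} customer /64s available in {ISP_POOL}")
    for line in result["dns"] + result["rules"]:
        print(line)
```

This also answers the earlier worry about several mail-ish devices having to share one address for reverse DNS: with a /64 per customer every host gets its own AAAA and matching PTR, and an SPF record can list the individual addresses or the whole prefix with an ip6: mechanism, so nothing needs to hide behind a single translated IP.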
Re: [AFMUG] private ipv4 sale / leases
In order for networks to grow they will need to have the ability to push public IPs to the customer. I totally see a point where every device on a customer's LAN needs to have a public IP address. We are already seeing the trend toward this. Home security systems, IP-enabled appliances, multiple Netflix boxes, and all these devices which communicate somewhere. So far, ISPs have been able to deal with this because the developers recognize this is the way things are. Anyone who has received the call "my Xbox says restricted NAT" has experienced this. We all know you can do port forwarding in routers, etc. But as the household becomes more and more dynamic people are going to want to deal with the hassle of this. They just want stuff to work. Being able to give everyone a public IP, and even being able to give every device a public, will become something consumers will demand. Not everyone, but the apps and systems will drive the need. Right now there are no "killer apps" that take advantage of the advantages of v6. This already happens on the cell phone networks. Phones which can do V6 have access to more network features. Granted, the software rarely takes advantage, but they are there. Imagine the day when Microsoft says you can get this ultra cool new feature in the latest Xbox if your provider supports IPv6. Then Comcast pipes up and says they support it.

Justin
---
Justin Wilson j...@mtin.net
http://www.mtin.net Managed Services – xISP Solutions – Data Centers
http://www.thebrotherswisp.com Podcast about xISP topics
http://www.midwest-ix.com Peering – Transit – Internet Exchange

On Jul 1, 2015, at 11:48 AM, Glen Waldrop gwl...@cngwireless.net wrote:

For one I've got 5 PCs on this network that I use regularly, never had an issue. Secondly, whenever *anything* hinky is going on (here, there, QoS tweaking, etc.) I torch the Ethernet connection to see what is going on and where it is being dropped.

I forgot to mention earlier, we have had an issue with my Linux email server, security flaw, patched and now secured by the Mikrotik rather than its own firewall. I see in my logs where people are attacking my network constantly. I'd much rather have 10-15 points to defend than hundreds.
Re: [AFMUG] private ipv4 sale / leases
I love this. It should be published in the book of Steveisms.

___
Mangled by my iPhone.
___
Tyler Treat tyler.tr...@cornbelttech.com
___

On Jul 1, 2015, at 12:26 PM, That One Guy /sarcasm thatoneguyst...@gmail.com wrote:

I correlate the NAT security to a daughter's bedroom. Most fathers don't have an exterior door on their daughter's bedroom. You don't just walk directly in; sure, somebody can put a ladder to her window (port forward), but by default there is a slight measure of security because you have to come in the house door and traverse your way to her bedroom. Now, it's always best to have a firewall (you put the daughter's bedroom at the end of the hall past dad's room). Then, to be super secure, you put in a Smith and Wesson IDS.
Re: [AFMUG] private ipv4 sale / leases
Very correct, Glen. NAT is not secure. It's like blending your door into the rest of your house. The door is still there, just a little harder to find. But if there are no locks it's still an unlocked door.

Justin

On Jul 1, 2015, at 12:21 PM, Glen Waldrop gwl...@cngwireless.net wrote:

I think we're having two different conversations here. I'm using NAT with a firewall. I don't think anyone is saying NAT by itself is secure.
Re: [AFMUG] private ipv4 sale / leases
So how does this work? The boss dicked me on a prior request. Will ARIN start enforcing allocations and recover the pirate space? I just got a /24 from our upstream, but that's going away in the near term when they do some magic. I freed most of our /22 to reallocate appropriately for a request, with a lot of NAT. Is Xerox going to have to give up their bazillion before they tank me on our space? Does ip6 even NAT, bro?

On Jun 30, 2015 11:17 PM, TJ Trout t...@voltbb.com wrote:

Well, IPv4 is officially gone. Has anyone done any private IPv4 acquisitions? Or black market? lol
[AFMUG] private ipv4 sale / leases
Well, IPv4 is officially gone. Has anyone done any private IPv4 acquisitions? Or black market? lol