Re: IPv6 uptake (was: The Reg does 240/4)

2024-02-16 Thread Ryan Hamel
Again Bill, the NAT process layer is not involved in dropping unwanted traffic until the packet is at least four/five levels deep. On ingress, a firewall will check if there is any flow/stream associated to it, ensure the packet follows the applicable protocol state machine, process it against

Re: IPv6 uptake (was: The Reg does 240/4)

2024-02-16 Thread William Herrin
On Fri, Feb 16, 2024 at 7:41 PM John R. Levine wrote: > > That it's possible to implement network security well without using > > NAT does not contradict the claim that NAT enhances network security. > > I think we're each overgeneralizing from our individual experience. > > You can configure a V6

Re: IPv6 uptake (was: The Reg does 240/4)

2024-02-16 Thread John R. Levine
That it's possible to implement network security well without using NAT does not contradict the claim that NAT enhances network security. I think we're each overgeneralizing from our individual experience. You can configure a V6 firewall to be default closed as easily as you can configure a

Re: IPv6 uptake (was: The Reg does 240/4)

2024-02-16 Thread William Herrin
On Fri, Feb 16, 2024 at 7:10 PM John Levine wrote: > If you configure your firewall wrong, bad things will happen. I have both > IPv6 and NAT IPv4 on my network here and I haven't found it particularly > hard to get the config correct for IPv6. Hi John, That it's possible to implement network

Re: IPv6 uptake (was: The Reg does 240/4)

2024-02-16 Thread John Levine
It appears that William Herrin said: >Now suppose I have a firewall at 199.33.225.1 with an internal network >of 192.168.55.0/24. Inside the network on 192.168.55.4 I have a switch >that accepts telnet connections with a user/password of admin/admin. >On the firewall, I program it to do NAT

Re: Verizon Business Contact

2024-02-16 Thread Richard Laager
On 2024-02-09 18:10, Justin Krejci wrote: For a good long while (months) we have had similar issues with various Verizon destinations. Only Verizon *Wireless* destinations, or other Verizon *Business* things? As of today, I'm told (via an upstream provider) that Verizon Business says this is

Re: IPv6 uptake (was: The Reg does 240/4)

2024-02-16 Thread William Herrin
On Fri, Feb 16, 2024 at 6:10 PM Ryan Hamel wrote: > Depending on where that rule is placed within your ACL, yes that can happen > with *ANY* address family. Hi Ryan, Correct. The examples illustrated a difference between a firewall implementing address-overloaded NAT and a firewall

Re: IPv6 uptake (was: The Reg does 240/4)

2024-02-16 Thread Ryan Hamel
sronan, A subnet can come from the ISP (residential/small business), or business is utilizing BGP with their upstream. When V6 is in use, a firewall does not need to perform NAT, just stateful flow inspection and applying the applicable rules based on the zone and/or interface. Bill,

Re: IPv6 uptake (was: The Reg does 240/4)

2024-02-16 Thread William Herrin
On Fri, Feb 16, 2024 at 5:45 PM wrote: > Why is your Internal v6 subnet advertised to the Internet? Because that was the example network -without- NAT. If I made two networks -with- NAT, there would be no difference to show. I make 2602:815:6000::/44 be 199.33.224.0/23, make 2602:815:6001::/64

Re: IPv6 uptake (was: The Reg does 240/4)

2024-02-16 Thread sronan
Why is your Internal v6 subnet advertised to the Internet? > On Feb 16, 2024, at 8:08 PM, William Herrin wrote: > > On Fri, Feb 16, 2024 at 3:13 PM Michael Thomas wrote: >> If you know which subnets need to be NAT'd don't you also know which >> ones shouldn't be exposed to incoming connections

Re: IPv6 uptake (was: The Reg does 240/4)

2024-02-16 Thread William Herrin
On Fri, Feb 16, 2024 at 5:33 PM Michael Thomas wrote: > So you're not going to address that this is a management plane problem. Hi Mike, What is there to address? I already said that NAT's security enhancement comes into play when a -mistake- is made with the network configuration. You want me

Re: IPv6 uptake (was: The Reg does 240/4)

2024-02-16 Thread Michael Thomas
On 2/16/24 5:30 PM, William Herrin wrote: On Fri, Feb 16, 2024 at 5:22 PM Michael Thomas wrote: On 2/16/24 5:05 PM, William Herrin wrote: Now, I make a mistake on my firewall. I insert a rule intended to allow packets outbound from 2602:815:6001::4 but I fat-finger it and so it allows them

Re: IPv6 uptake (was: The Reg does 240/4)

2024-02-16 Thread William Herrin
On Fri, Feb 16, 2024 at 5:22 PM Michael Thomas wrote: > On 2/16/24 5:05 PM, William Herrin wrote: > > Now, I make a mistake on my firewall. I insert a rule intended to > > allow packets outbound from 2602:815:6001::4 but I fat-finger it and > > so it allows them inbound to that address instead.

Re: IPv6 uptake (was: The Reg does 240/4)

2024-02-16 Thread Michael Thomas
On 2/16/24 5:05 PM, William Herrin wrote: On Fri, Feb 16, 2024 at 3:13 PM Michael Thomas wrote: If you know which subnets need to be NAT'd don't you also know which ones shouldn't be exposed to incoming connections (or conversely, which should be permitted)? It seems to me that all you're doing

Re: IPv6 uptake (was: The Reg does 240/4)

2024-02-16 Thread William Herrin
On Fri, Feb 16, 2024 at 3:13 PM Michael Thomas wrote: > If you know which subnets need to be NAT'd don't you also know which > ones shouldn't be exposed to incoming connections (or conversely, which > should be permitted)? It seems to me that all you're doing is moving > around where that knowledge

Re: IPv6 uptake (was: The Reg does 240/4)

2024-02-16 Thread Daniel Marks via NANOG
> a lot of folks > making statements about network security on this list don't appear to > grasp it. If your network is secure, it isn’t even possible to “accidentally” open inbound ports in the first place. You either allow it to happen or you don’t via security policy, anything else means

Re: IPv6 uptake (was: The Reg does 240/4)

2024-02-16 Thread Jay R. Ashworth
- Original Message - > From: "William Herrin" > On Fri, Feb 16, 2024 at 2:19 PM Jay R. Ashworth wrote: >> > From: "Justin Streiner" >> > 4. Getting people to unlearn the "NAT=Security" mindset that we were forced >> > to accept in the v4 world. >> >> NAT doesn't "equal" security. >> >>

Re: IPv6 uptake (was: The Reg does 240/4)

2024-02-16 Thread Michael Thomas
On 2/16/24 3:01 PM, William Herrin wrote: On Fri, Feb 16, 2024 at 2:19 PM Jay R. Ashworth wrote: From: "Justin Streiner" 4. Getting people to unlearn the "NAT=Security" mindset that we were forced to accept in the v4 world. NAT doesn't "equal" security. But it is certainly a *component*

Re: IPv6 uptake (was: The Reg does 240/4)

2024-02-16 Thread William Herrin
On Fri, Feb 16, 2024 at 2:19 PM Jay R. Ashworth wrote: > > From: "Justin Streiner" > > 4. Getting people to unlearn the "NAT=Security" mindset that we were forced > > to accept in the v4 world. > > NAT doesn't "equal" security. > > But it is certainly a *component* of security, placing control

Re: IPv6 uptake (was: The Reg does 240/4)

2024-02-16 Thread Jay R. Ashworth
- Original Message - > From: "Justin Streiner" > 4. Getting people to unlearn the "NAT=Security" mindset that we were forced > to accept in the v4 world. NAT doesn't "equal" security. But it is certainly a *component* of security, placing control of what internal nodes are accessible

Re: The Reg does 240/4

2024-02-16 Thread John Levine
It appears that Mike Hammett said: >" Does any IPv6 enabled ISP provide PTR records for mail servers?" > > >I think people will conflate doing so at ISP-scale and doing so at residential >hobbyist scale (and everything in between). One would >expect differences in outcomes of

Weekly Global IPv4 Routing Table Report

2024-02-16 Thread Routing Table Analysis Role Account
This is an automated weekly mailing describing the state of the Global IPv4 Routing Table as seen from APNIC's router in Japan. The posting is sent to APOPS, NANOG, AfNOG, SANOG, PacNOG, SAFNOG UKNOF, TZNOG, MENOG, BJNOG, SDNOG, CMNOG, LACNOG and the RIPE Routing WG. Daily listings are sent to

Re: AWS WAF list

2024-02-16 Thread Justin H.
Justin H. wrote: Hello, We found out recently that we are on the HostingProviderIPList (found here https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-ip-rep.html) at AWS and it's affecting our customers' access to various websites.  We are a datacenter, and a

RE: The Reg does 240/4

2024-02-16 Thread Howard, Lee via NANOG
It seems we’re the marketplace of record. We do have some private transactions, that is, sales that take place outside of our marketplace and therefore don’t appear on the prior-sales page. That’s generally for /16 or larger, where one or both parties want custom terms that differ from our

RE: The Reg does 240/4

2024-02-16 Thread Brotman, Alex via NANOG
We (comcast.net) have been sending/receiving via IPv6 since 2012 or so. We do have PTR records for our outbound IPv6 addresses, and expect them for inbound IPv6 as well. Keeping in mind that a huge portion of inbound mail is bulk/commercial and they have thus far largely avoided IPv6,

Re: The Reg does 240/4

2024-02-16 Thread Mike Hammett
Evidence to support Tom's statement: https://auctions.ipv4.global/prior-sales - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com - Original Message - From: "Tom Beecher" To: "Brian Knight" Cc: nanog@nanog.org

Re: The Reg does 240/4

2024-02-16 Thread Christian de Larrinaga via NANOG
inline Christopher Hawker writes: > Hi Christian, > > The idea to this is to allow new networks to emerge onto the internet, > without potentially having to fork out > substantial amounts of money. That would then be using IPv6 with IPv4 transition translation etc at the ingress/egress to

Re: The Reg does 240/4

2024-02-16 Thread Mike Hammett
" Does any IPv6 enabled ISP provide PTR records for mail servers?" I think people will conflate doing so at ISP-scale and doing so at residential hobbyist scale (and everything in between). One would expect differences in outcomes of attempting PTR records in DIA vs. broadband. "How does

Re: The Reg does 240/4

2024-02-16 Thread Mike Hammett
" Think how many more sites could have IPv6 capability already if this wasted effort had been put into that, instead. " My assumption is not many because the people talking about this likely either already have or will not deploy IPv6. Those that are willing to deploy IPv6, but have not are