On Mon, Feb 19, 2024 at 10:31 AM Tim Howe wrote:
> On Mon, 19 Feb 2024 10:01:06 -0800
> William Herrin wrote:
> > So when the user wants to run a home server, their IPv4 options are to
> > create a TCP or UDP port forward for a single service port or perhaps
> > create a generic port forward for
Some responses below.
On Mon, 19 Feb 2024 10:01:06 -0800
William Herrin wrote:
> > I've never once seen a device
> > that has v6 support and didn't have a stateful v6 firewall on by
> > default (if v6 was "on").
>
> Acknowledged.
>
> So when the user wants to run a home server, their IPv4 op
On Mon, Feb 19, 2024 at 9:44 AM Tim Howe wrote:
> FWIW, in the decade we have been providing dual-stack by default, I
> have made a bit of a hobby out of testing every CPE and SOHO router
> that I get my hands on in my PON lab.
Hi Tim,
I have not, so I'll defer to your experience.
> I've never
OpenWrt, from which much is derived, is default deny on ipv4 and ipv6.
The ipv6 firewall on most cable devices prior to the XB6 is very, very limited.
On Mon, Feb 19, 2024 at 12:44 PM William Herrin wrote:
>
> On Mon, Feb 19, 2024 at 9:23 AM Hunter Fuller wrote:
> > On Mon, Feb 19, 2024 at 11:1
On Mon, 19 Feb 2024 09:16:00 -0800
William Herrin wrote:
> I disagree with that one. Limiting discussion to the original security
> context (rather than the wider world of how useful IPv6 is without
> IPv4), IPv6 is typically delivered to "most people" without border
> security, while IPv4 is del
On Mon, Feb 19, 2024 at 9:23 AM Hunter Fuller wrote:
> On Mon, Feb 19, 2024 at 11:16 AM William Herrin wrote:
> > > There isn't really an advantage to using v4 NAT.
> > I disagree with that one. Limiting discussion to the original security
> > context (rather than the wider world of how useful IP
On Mon, Feb 19, 2024 at 11:16 AM William Herrin wrote:
> > There isn't really an advantage to using v4 NAT.
> I disagree with that one. Limiting discussion to the original security
> context (rather than the wider world of how useful IPv6 is without
> IPv4), IPv6 is typically delivered to "most pe
On Mon, Feb 19, 2024 at 9:00 AM Hunter Fuller wrote:
> I guess the point I'm making is, the methods we are using today for v6
> dual WAN, work fine for most people.
Hi Hunter,
I accept that point. It's wobbly on some of the details, but you're
talking "most" people, not everyone.
> There isn't
On Mon, Feb 19, 2024 at 10:22 AM William Herrin wrote:
> Yes and no. The client application has to be programmed to understand
> link-local addresses or it can't use them at all. You can't just say
> "connect to fe80::1." Even if there's an fe80::1 on your network, it
> doesn't work. The client ap
On Mon, Feb 19, 2024 at 8:08 AM Hunter Fuller wrote:
> On Mon, Feb 19, 2024 at 9:17 AM William Herrin wrote:
> > There's also the double-ISP loss scenario that causes Joe to lose all
> > global-scope IP addresses. He can overcome that by deploying ULA
> > addresses (a third set of IPv6 addresses)
On Mon, Feb 19, 2024 at 11:13 AM Hunter Fuller via NANOG wrote:
>
> On Mon, Feb 19, 2024 at 9:29 AM Mike Hammett wrote:
> > "In IPv6's default operation, if Joe has two connections then each of
> > his computers has two IPv6 addresses and two default routes. If one
> > connection goes down, one o
mdns can still be "fun" in a wide variety of situations.
https://www.reddit.com/r/k12sysadmin/comments/9yghdx/chromebooks_and_peer_to_peer_updates_can_be/
I do not know to what extent the upgrade to unicast feature long
gestating in the IETF has been adopted.
On Mon, Feb 19, 2024 at 11:10 AM Hun
On Mon, Feb 19, 2024 at 9:29 AM Mike Hammett wrote:
> "In IPv6's default operation, if Joe has two connections then each of
> his computers has two IPv6 addresses and two default routes. If one
> connection goes down, one of the routes and sets of IP addresses goes
> away."
>
> This sounds like a
On Mon, Feb 19, 2024 at 9:17 AM William Herrin wrote:
> There's also the double-ISP loss scenario that causes Joe to lose all
> global-scope IP addresses. He can overcome that by deploying ULA
> addresses (a third set of IPv6 addresses) on the internal hosts, but
> convincing the internal network
www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> --
> *From: *"Michael Thomas"
> *To: *nanog@nanog.org
> *Sent: *Saturday, February 17, 2024 12:50:46 PM
> *Subject: *Re: IPv6 uptake
>
>
> On 2/17/24 10:26 AM, Owen De
On Mon, Feb 19, 2024 at 6:02 AM Howard, Lee wrote:
> Most NATs I've seen in the last 10-15 years are "full cone" NATs: they are
> configured so that once there is an outbound flow, an inbound datagram to
> that address+port will be forwarded to the inside address, regardless
> of source.
Hi
- Original Message -
From: "William Herrin"
To: "Mike Hammett"
Cc: nanog@nanog.org
Sent: Monday, February 19, 2024 9:16:52 AM
Subject: Re: IPv6 uptake
On Mon, Feb 19,
On Mon, Feb 19, 2024 at 6:52 AM Mike Hammett wrote:
> "We can seriously lose NAT for v6 and not lose
> anything of worth."
>
> I'm not going to participate in the security conversation, but we
> do absolutely need something to fill the role of NAT in v6. If it's
> already there or not, I don't kno
is own, he's just going to do simple NAT.
-
Mike Hammett
- Original Message -
From: "Michael Thomas"
To: nanog@nanog.org
Sent: Saturday, February 17, 2024 12:50:46 PM
On Mon, Feb 19, 2024 at 5:29 AM Howard, Lee via NANOG wrote:
> In the U.S., the largest operators without IPv6 are (in order by size):
> Lumen (CenturyLink)
CenturyLink has IPv6 using 6rd. It works fine.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
Bottom-posted with old school formatting by hand.
-Original Message-
From: NANOG On Behalf Of William Herrin
Sent: Friday, February 16, 2024 8:05 PM
To: Michael Thomas
Cc: nanog@nanog.org
Subject: Re: IPv6 uptake (was: The Reg does 240/4)
> On the firewall, I program it to do
9 PM
To: nanog@nanog.org
Subject: Re: IPv6 uptake (was: The Reg does 240/4)
On Sun, 18 Feb 2024, 05:29 Owen DeLong via NANOG, wrote:
> Most firewalls are default deny. Routers are default allow unless you put
> a filter on the interface.
>
This is not relevant though. NAT when doing port overloading, as is the
case for most CPE, is not default-deny or default-allow. The
It appears that Nick Hilliard said:
>full control of all modems and they're all relatively recent, properly
>supported units, fully managed by the cable operator. If you start
>adding poor quality cheap units into the mix, it can cause service problems.
The cablecos I've dealt with have a list
Michael Thomas wrote on 18/02/2024 21:18:
So it has its own wireless? I seem to recall that there were some
economic reasons to use their CPE as little as possible to avoid rent.
Has that changed? Or can I run down and just buy a Cablelabs certified
router/modem these days?
There's no short a
On 2/18/24 1:10 PM, Nick Hilliard wrote:
Michael Thomas wrote on 18/02/2024 20:56:
That's really great to hear. Of course there is still the problem
with CPE that doesn't speak v6, but that's not their fault and gives
some reason to use their CPE.
Already solved: cable modem ipv6 support is
Michael Thomas wrote on 18/02/2024 20:56:
That's really great to hear. Of course there is still the problem with
CPE that doesn't speak v6, but that's not their fault and gives some
reason to use their CPE.
Already solved: cable modem ipv6 support is usually also excellent, both
in terms of s
On 2/18/24 12:50 PM, Nick Hilliard wrote:
Michael Thomas wrote on 18/02/2024 20:28:
I do know that Cablelabs pretty early on -- around the time I
mentioned above -- has been pushing for v6. Maybe Jason Livingood can
clue us in. Getting cable operators onboard too would certainly be a
good th
Michael Thomas wrote on 18/02/2024 20:28:
I do know that Cablelabs pretty early on -- around the time I
mentioned above -- has been pushing for v6. Maybe Jason Livingood can
clue us in. Getting cable operators onboard too would certainly be a
good thing,
availability of provider-side ipv6 sup
On 2/18/24 8:47 AM, Greg Skinner via NANOG wrote:
On Feb 17, 2024, at 11:27 AM, William Herrin wrote:
On Sat, Feb 17, 2024 at 10:34 AM Michael Thomas wrote:
Funny, I don't recall Bellovin and Cheswick's Firewall book discussing
NAT.
And mine too, since I hadn't heard of "Firewalls and Int
On 2/17/24 11:27 AM, William Herrin wrote:
On Sat, Feb 17, 2024 at 10:34 AM Michael Thomas wrote:
I didn't hear about NAT until the
late 90's, iirc. I've definitely not heard of Gauntlet.
Then there are gaps in your knowledge.
Funny, I don't recall Bellovin and Cheswick's Firewall book dis
On Feb 17, 2024, at 11:27 AM, William Herrin wrote:
>
> On Sat, Feb 17, 2024 at 10:34 AM Michael Thomas wrote:
>
>> Funny, I don't recall Bellovin and Cheswick's Firewall book discussing
>> NAT.
>
> And mine too, since I hadn't heard of "Firewalls and Internet
> Security: Repelling the Wily
Concerning the firewall book.
Firewalls and Internet Security, Second Edition
PDF online at
https://www.wilyhacker.com/fw2e.pdf
"Some people think that NAT boxes are a form of
firewall. In some sense, they are, but they're low-end ones."
On 2/17/24 10:22 AM, Justin Streiner wrote:
Getting back to the recently revised topic of this thread - IPv6 uptake -
what have peoples' experiences been related to crafting sane v6 firewall
rulesets in recent products from the major firewall players (Palo Alto,
Cisco, Fortinet, etc)? O
On 17/02/2024, 19:27:20, "William Herrin" wrote:
So it does not surprise me that a 1994 book on network security would
not have discussed NAT. They'd have referred to the comparable
contemporary technology, which was "transparent application layer
gateways." Those behaved like what we now call N
On Sat, Feb 17, 2024 at 10:34 AM Michael Thomas wrote:
> I didn't hear about NAT until the
> late 90's, iirc. I've definitely not heard of Gauntlet.
Then there are gaps in your knowledge.
> Funny, I don't recall Bellovin and Cheswick's Firewall book discussing
> NAT.
And mine too, since I hadn'
On Sat, Feb 17, 2024 at 10:22 AM Justin Streiner wrote:
> Getting back to the recently revised topic of this thread - IPv6
> uptake - what have peoples' experiences been related to
> crafting sane v6 firewall rulesets in recent products from the
> major firewall players
On 2/17/24 10:26 AM, Owen DeLong via NANOG wrote:
On Feb 16, 2024, at 14:20, Jay R. Ashworth wrote:
- Original Message -
From: "Justin Streiner"
4. Getting people to unlearn the "NAT=Security" mindset that we were forced
to accept in the v4 world.
NAT doesn't "equal" security.
> Think of it like this: you have a guard, you have a fence and you have
> barbed wire on top of the fence. Can you secure the place without the
> barbed wire? Of course. Can an intruder defeat the barbed wire? Of
> course. Is it more secure -with- the barbed wire? Obviously.
>
NAT is like the b
Bill, same scenario, but instead of fat fingering an outbound rule, you fat
finger a port map for inbound connections to a different host and get the
destination address wrong.
Still hacked.
NAT doesn’t prevent fat fingers from getting you hacked, it just changes the
nature of the required f
On 2/16/24 6:33 PM, William Herrin wrote:
On Fri, Feb 16, 2024 at 6:10 PM Ryan Hamel wrote:
Depending on where that rule is placed within your ACL, yes that can happen
with *ANY* address family.
Hi Ryan,
Correct. The examples illustrated a difference between a firewall
implementing address
Most firewalls are default deny. Routers are default allow unless you put a
filter on the interface.
NAT adds nothing to security (Bill and I agree to disagree on this), but at
best, it complicates the audit trail.
Owen
> On Feb 16, 2024, at 15:19, Jay R. Ashworth wrote:
>
> - Origina
> On Feb 16, 2024, at 14:20, Jay R. Ashworth wrote:
>
> - Original Message -
>> From: "Justin Streiner"
>
>> 4. Getting people to unlearn the "NAT=Security" mindset that we were forced
>> to accept in the v4 world.
>
> NAT doesn't "equal" security.
>
> But it is certainly a *compo
On Sat, Feb 17, 2024 at 10:03 AM Michael Thomas wrote:
> On 2/16/24 5:37 PM, William Herrin wrote:
> > What is there to address? I already said that NAT's security
> > enhancement comes into play when a -mistake- is made with the network
> > configuration. You want me to say it again? Okay, I've s
We went pretty deep into the weeds on NAT in this thread - far deeper than
I expected ;)
Getting back to the recently revised topic of this thread - IPv6 uptake -
what have peoples' experiences been related to crafting sane v6 firewall
rulesets in recent products from the major firewall pl
On 2/16/24 5:37 PM, William Herrin wrote:
On Fri, Feb 16, 2024 at 5:33 PM Michael Thomas wrote:
So you're not going to address that this is a management plane problem.
Hi Mike,
What is there to address? I already said that NAT's security
enhancement comes into play when a -mistake- is made
>
> Any given layer of security can be breached with expense and effort.
> Breaching every layer of security at the same time is more challenging
> than breaching any particular one of them. The use of NAT adds a layer
> of security to the system that is not otherwise there.
>
>
> Think of it like
, 2024 8:03 PM
To: John R. Levine
Cc: nanog@nanog.org
Subject: Re: IPv6 uptake (was: The Reg does 240/4)
On Fri, Feb 16, 2024 at 7:41 PM John R. Levine wrote:
> > That it
On Fri, Feb 16, 2024 at 7:41 PM John R. Levine wrote:
> > That it's possible to implement network security well without using
> > NAT does not contradict the claim that NAT enhances network security.
>
> I think we're each overgeneralizing from our individual experience.
>
> You can configure a V6
That it's possible to implement network security well without using
NAT does not contradict the claim that NAT enhances network security.
I think we're each overgeneralizing from our individual experience.
You can configure a V6 firewall to be default closed as easily as you can
configure a NAT
On Fri, Feb 16, 2024 at 7:10 PM John Levine wrote:
> If you configure your firewall wrong, bad things will happen. I have both
> IPv6 and NAT IPv4 on my network here and I haven't found it particularly
> hard to get the config correct for IPv6.
Hi John,
That it's possible to implement network s
It appears that William Herrin said:
>Now suppose I have a firewall at 199.33.225.1 with an internal network
>of 192.168.55.0/24. Inside the network on 192.168.55.4 I have a switch
>that accepts telnet connections with a user/password of admin/admin.
>On the firewall, I program it to do NAT transl
On Fri, Feb 16, 2024 at 6:10 PM Ryan Hamel wrote:
> Depending on where that rule is placed within your ACL, yes that can happen
> with *ANY* address family.
Hi Ryan,
Correct. The examples illustrated a difference between a firewall
implementing address-overloaded NAT and a firewall implementing
5:44 PM
To: William Herrin
Cc: nanog@nanog.org
Subject: Re: IPv6 uptake (was: The Reg does 240/4)
Why is your Internal v6 subnet advertised to the Internet?
> On Feb 16, 202
On Fri, Feb 16, 2024 at 5:45 PM wrote:
> Why is your Internal v6 subnet advertised to the Internet?
Because that was the example network -without- NAT. If I made two
networks -with- NAT, there would be no difference to show.
I make 2602:815:6000::/44 be 199.33.224.0/23, make 2602:815:6001::/64
b
Why is your Internal v6 subnet advertised to the Internet?
> On Feb 16, 2024, at 8:08 PM, William Herrin wrote:
>
> On Fri, Feb 16, 2024 at 3:13 PM Michael Thomas wrote:
>> If you know which subnets need to be NAT'd don't you also know which
>> ones shouldn't be exposed to incoming connections (o
On Fri, Feb 16, 2024 at 5:33 PM Michael Thomas wrote:
> So you're not going to address that this is a management plane problem.
Hi Mike,
What is there to address? I already said that NAT's security
enhancement comes into play when a -mistake- is made with the network
configuration. You want me t
On 2/16/24 5:30 PM, William Herrin wrote:
On Fri, Feb 16, 2024 at 5:22 PM Michael Thomas wrote:
On 2/16/24 5:05 PM, William Herrin wrote:
Now, I make a mistake on my firewall. I insert a rule intended to
allow packets outbound from 2602:815:6001::4 but I fat-finger it and
so it allows them i
On Fri, Feb 16, 2024 at 5:22 PM Michael Thomas wrote:
> On 2/16/24 5:05 PM, William Herrin wrote:
> > Now, I make a mistake on my firewall. I insert a rule intended to
> > allow packets outbound from 2602:815:6001::4 but I fat-finger it and
> > so it allows them inbound to that address instead. So
On 2/16/24 5:05 PM, William Herrin wrote:
On Fri, Feb 16, 2024 at 3:13 PM Michael Thomas wrote:
If you know which subnets need to be NAT'd don't you also know which
ones shouldn't be exposed to incoming connections (or conversely, which
should be permitted)? It seems to me that all you're doing
On Fri, Feb 16, 2024 at 3:13 PM Michael Thomas wrote:
> If you know which subnets need to be NAT'd don't you also know which
> ones shouldn't be exposed to incoming connections (or conversely, which
> should be permitted)? It seems to me that all you're doing is moving
> around where that knowledge i
> a lot of folks
> making statements about network security on this list don't appear to
> grasp it.
If your network is secure, it isn’t even possible to “accidentally” open
inbound ports in the first place. You either allow it to happen or you don’t
via security policy, anything else means your
- Original Message -
> From: "William Herrin"
> On Fri, Feb 16, 2024 at 2:19 PM Jay R. Ashworth wrote:
>> > From: "Justin Streiner"
>> > 4. Getting people to unlearn the "NAT=Security" mindset that we were forced
>> > to accept in the v4 world.
>>
>> NAT doesn't "equal" security.
>>
>>
On 2/16/24 3:01 PM, William Herrin wrote:
On Fri, Feb 16, 2024 at 2:19 PM Jay R. Ashworth wrote:
From: "Justin Streiner"
4. Getting people to unlearn the "NAT=Security" mindset that we were forced
to accept in the v4 world.
NAT doesn't "equal" security.
But it is certainly a *component* of
On Fri, Feb 16, 2024 at 2:19 PM Jay R. Ashworth wrote:
> > From: "Justin Streiner"
> > 4. Getting people to unlearn the "NAT=Security" mindset that we were forced
> > to accept in the v4 world.
>
> NAT doesn't "equal" security.
>
> But it is certainly a *component* of security, placing control of
- Original Message -
> From: "Justin Streiner"
> 4. Getting people to unlearn the "NAT=Security" mindset that we were forced
> to accept in the v4 world.
NAT doesn't "equal" security.
But it is certainly a *component* of security, placing control of what internal
nodes are accessible f
On 2/15/24 9:40 PM, Justin Streiner wrote:
The Internet edge and core portion of deploying IPv6 - dual-stack or
otherwise - is fairly easy. I led efforts to do this at a large .edu
starting in 2010/11. The biggest hurdles are/were/might still be:
1. Coming up with a good address plan that will d
The Internet edge and core portion of deploying IPv6 - dual-stack or
otherwise - is fairly easy. I led efforts to do this at a large .edu
starting in 2010/11. The biggest hurdles are/were/might still be:
1. Coming up with a good address plan that will do what you want and scale
as needed. It shou
It appears that Stephen Satchell said:
>Several people in NANOG have opined that there are a number of mail
>servers on the Internet operating with IPv6 addresses. OK. I have a
>mail server, which has been on the Internet for decades. On IPv4.
>
>For the last four years, every attempt to get
Well all that shows is that your ISP is obstructionist. If they can can enter
a PTR record or delegate the reverse range to you for your IPv4 server they can
do it for your IPv6 addresses. In most cases it is actually easier as address
space is assigned on nibble boundaries (/48, /52, /56, /60,
Several people in NANOG have opined that there are a number of mail
servers on the Internet operating with IPv6 addresses. OK. I have a
mail server, which has been on the Internet for decades. On IPv4.
For the last four years, every attempt to get a PTR record in ip6.arpa
from my ISP has be