
-----Original Message-----
From: Naslund, Steve [mailto:SNaslund@medline.com]
Sent: Monday, March 24, 2014 10:48 PM
To: Owen DeLong; mark.tinka@seacom.mu
Cc: nanog@nanog.org
Subject: RE: misunderstanding scale
Look at it this way. If I see an attack coming from behind your NAT, I'm gonna deny all traffic coming from your NAT block until you assure me you have it fixed because I have no way of knowing which host it is coming from. Now your whole network is unreachable. If you have a compromised GUA host I can block only him. Better for both of us, no?
That is assuming that the infected piece does not request another address in the /64, and that the person blocking at the target end blocks a /128 instead of the /64.
How about a single host spamming behind your NAT blocking your entire corporate public network from email services? Anyone ever see that one? IPv6 GUAs allow us to use fly swatters instead of sledgehammers to deal with that.
I don't want to try to even think about SMTP on IPv6. Reputation of email servers as well as the whole thought process of spam control rely on a list of IP addresses. IPv6 adds an entirely new aspect to it.
Maybe GUAs will convince (scare) more enterprise users to actually treat the internal network as an environment that needs to be secured as well. We can only hope.
Most enterprise admins segment their BYOD (wifi) network from the production network. Some will even use a different WAN IP for the wifi network or at a minimum block outbound requests to well-known service ports. I generally see where the only outbound connections allowed are HTTP and HTTPS. All other ports are blocked.
Steven Naslund
Bzzzt... But thanks for playing.
An IPv6 host with a GUA behind a stateful firewall with default deny is every bit as secure as an IPv4 host with an RFC-1918 address behind a NAT44 gateway.
I can't argue there.....
Owen
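An added illustration of the /128-versus-/64 point raised in the thread (this is my own example code, not anything posted by the participants). It assumes abuse reports arrive as (source address, event) pairs, blocks the single offending /128 by default, and only widens to the /64 once several distinct hosts in that prefix have offended, on the reasoning above that a compromised host can simply take a fresh interface ID inside its own /64. The sample report list, the threshold value, and the function names are all constructed for the example; the addresses use the RFC 3849 documentation prefix.

```python
"""Aggregate IPv6 abuse reports into /128 or /64 block entries.

Added example, not from the NANOG thread. Assumptions (mine):
  - reports are (address, event) pairs from some abuse feed;
  - a /128 block is the default "fly swatter";
  - once HOST_ESCALATION_THRESHOLD distinct hosts in one /64 misbehave,
    the whole /64 is blocked, since a compromised host can pick any
    interface ID inside its prefix and a /128 block no longer holds it.
"""
import ipaddress
from collections import defaultdict

# Constructed sample input: RFC 3849 documentation addresses, not real hosts.
SAMPLE_REPORTS = [
    ("2001:db8:1:2::10", "smtp-spam"),
    ("2001:db8:1:2::10", "smtp-spam"),
    ("2001:db8:1:2:1a2b:3c4d:5e6f:7a8b", "smtp-spam"),   # new IID, same /64
    ("2001:db8:1:2:aaaa:bbbb:cccc:dddd", "ssh-bruteforce"),
    ("2001:db8:9:9::5", "smtp-spam"),                   # lone offender elsewhere
    ("2001:db8:1:2::10", "web-scan"),
    ("2001:db8:9:9::5", "smtp-spam"),
    ("192.0.2.7", "smtp-spam"),                         # IPv4 report, ignored here
]

# Constructed threshold: distinct /128s seen in one /64 before widening the block.
HOST_ESCALATION_THRESHOLD = 3


def plan_blocks(reports, threshold=HOST_ESCALATION_THRESHOLD):
    """Return a sorted list of IPv6Network block entries (/128 or /64)."""
    hosts_by_prefix = defaultdict(set)
    for addr, _event in reports:
        host = ipaddress.ip_address(addr)
        if host.version != 6:
            continue  # this example only reasons about IPv6 granularity
        # The /64 containing this host; strict=False clears the host bits.
        prefix = ipaddress.ip_network(f"{host}/64", strict=False)
        hosts_by_prefix[prefix].add(host)

    blocks = []
    for prefix, hosts in hosts_by_prefix.items():
        if len(hosts) >= threshold:
            blocks.append(prefix)  # sledgehammer: the whole /64
        else:
            # fly swatter: one /128 per offending host
            blocks.extend(ipaddress.ip_network(f"{h}/128") for h in hosts)
    return sorted(blocks)


def is_blocked(addr, blocks):
    """True if addr falls inside any planned block entry."""
    host = ipaddress.ip_address(addr)
    return any(host in b for b in blocks)


if __name__ == "__main__":
    for entry in plan_blocks(SAMPLE_REPORTS):
        print(entry)
```

Running it on the constructed sample yields one /64 entry for the prefix with three distinct offending hosts and a single /128 for the lone spammer; a previously unseen interface ID inside the offending /64 is already covered, while the neighbour of the lone spammer stays reachable.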