On 6/1/15 10:12 PM, Mark Andrews wrote:
In message <556D35DF.8080901@matthew.at>, Matthew Kaufman writes:
On 6/1/2015 6:32 PM, Mark Andrews wrote:
In message <CAL9jLaaQUP1UzoKag3Kuq8a5bMcB2q6Yg=B_=1fFWxRN6K-bNA@mail.gmail. com
, Christopher Morrow writes: On Mon, Jun 1, 2015 at 9:02 PM, Ca By <cb.list6@gmail.com> wrote:
On Monday, June 1, 2015, Mark Andrews <marka@isc.org> wrote:
In message <CAL9jLaYXCdfViHbUPx-=rs4vSx5mFECpfuE8b7VQ+Au2hCXpMQ@mail.gmail.com> , Christopher Morrow writes: > So... I don't really see any of the above arguments for v6 in a vm > setup to really hold water in the short term at least. I think for > sure you'll want v6 for public services 'soon' (arguably like 10 yrs > ago so you'd get practice and operational experience and ...) but for > the rest sure it's 'nice', and 'cute', but really not required for > operations (unless you have v6 only customers) Everyone has effectively IPv6-only customers today. IPv6 native + CGN only works for services. Similarly DS-Lite and 464XLAT. ok, and for the example of 'put my service in the cloud' ... the service is still accessible over ipv4 right? It depends on what you are trying to do. Having something in the cloud manage something at home. You can't reach the home over IPv4 more and more these days as. IPv6 is the escape path for that but you need both ends to be able to speak IPv6. ...and for firewalls to not exist. Since they do, absolutely all the techniques required to "reach something at home" over IPv4 are required for IPv6. This is on the "great myths of the advantages of IPv6" list. For IPv4 you port forward in the NAT possibly doing port translation as will as address translation.
Takes about 30 seconds in the web interface of your CPE.
For IPv6 you open the port inbound in the firewall or just move the firewalling to the host.
Takes about 30 seconds in the web interface of your CPE.
IPv6 is easier. With modern machines you really can get rid of the firewall in front of the machine.
For the good of the botnet operators, I encourage doing this. I can't run my laser printer without a firewall in front of it, and I can't even guess how secure the controller in the septic system pump box might be... so I don't risk it. And I *know* that some of the webcams I have are vulnerable and have no updates available.
Lots of the equipement that connects to the home nets spends plenty of time fully exposed to the Internet w/o a firewall.
I don't believe that's accurate.
If it does that why does it need a firewall at home?
There is a myth that you need a firewall at home.
Perpetuated by all the actual cases of poorly designed operating systems and embedded systems getting attacked and making the news as a result (http://www.insecam.org/ among others)
IPv6 has exactly one benefit... there's more addresses. It comes with a whole lot of new pain points, and probably a bunch of security nightmare still waiting to be discovered. And it for sure isn't free. It also remove a whole lot of complications. Simplifies the security profile.
If you think that the NDP DOS exposure is a "simplification" of security, then I'd love to hear more about the benefits of IPv6. Matthew Kaufman