[Cialug] Slightly OT - IPv6 sillyness
Jonathan C. Bailey
jbailey at co.marshall.ia.us
Wed Jul 9 15:07:31 CDT 2014
Our allocation is public as is our machine addressing.
We allow inbound IPv6 the exact same way as we did with IPv4 behind the NAT - RELATED traffic only.
We also have ports opened for things such as public webservers, etc. No change from the v4 days.
Jonathan Bailey
Marshall County, Iowa
1 E Main St, Marshalltown, IA 50158
P: 641-844-2804 / C: 641-351-9631
No trees were killed in the sending of this email. However several billion electrons were terribly inconvenienced.
----- Original Message -----
From: "L. V. Lammert" <lvl at omnitec.net>
To: "Central Iowa Linux Users Group" <cialug at cialug.org>
Sent: Wednesday, July 9, 2014 2:44:45 PM
Subject: Re: [Cialug] Slightly OT - IPv6 sillyness
On Wed, 9 Jul 2014, Jonathan C. Bailey wrote:
> You have ULA with IPv6 (roughly the same as RFC1918), but why? The
> whole point (well, one of them) of IPv6 is to get rid of NAT. Besides,
> NAT shouldn't be treated as a security measure.
>
Guess you've never had Wondoze boxes on your network <g>?
Seriously, what is with this attitude [of IPv6 folks]? The FIRST step of
ANY security policy is to block all inbound traffic, and using an offnet
address is the best way to do that.
Does IPv6 mean we are supposed to throw common sense out the window?
> We're running IPv6 in production (have our own /48 from ARIN) and have
> basic/sane firewall rules in place (ie. allow related inbound only). So
> far, it's worked well with very little exposure.
>
Well, would not a private subnet mean *no* inbound exposure?
Lee
_______________________________________________
Cialug mailing list
Cialug at cialug.org
http://cialug.org/mailman/listinfo/cialug
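An added example, not part of the original messages: the policy described in the reply at the top of this page (forward only reply traffic inbound, plus explicitly opened ports for public servers, on publicly routable IPv6 addresses) written as an nftables ruleset for a Linux router. The thread names no firewall software; the table name, interface names and the 2001:db8::/48 documentation addresses are assumptions, and only forwarded traffic is covered, not traffic to the router itself.

```nftables
#!/usr/sbin/nft -f
# Constructed example. Interface names, the table name and all addresses
# (2001:db8::/32 is the IPv6 documentation prefix) are assumptions.

# Create-then-delete so the file can be reloaded without duplicating rules.
table ip6 edge
delete table ip6 edge

define WAN = "eth0"               # upstream interface (assumed)
define LAN = "eth1"               # inside interface (assumed)
define WEB = 2001:db8:0:10::80    # public web server (constructed address)

table ip6 edge {
    chain forward {
        # Default deny: anything not matched below is dropped, even though
        # every inside host has a globally routable address.
        type filter hook forward priority 0; policy drop;

        # Replies to, and errors about, connections the tracker already knows.
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may open new connections outward.
        iifname $LAN oifname $WAN accept

        # ICMPv6 error types that RFC 4890 says transit firewalls should not
        # drop; Path MTU discovery depends on packet-too-big.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Explicitly published service: new inbound connections are allowed
        # only to the web server, and only on its web ports.
        iifname $WAN ip6 daddr $WEB tcp dport { 80, 443 } ct state new accept
    }
}
```

Running `nft -c -f` on the file checks the syntax without loading it.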