On Mon, 2011-01-03 at 18:09 -0600, Dave Ihnat wrote:
> On Mon, Jan 03, 2011 at 04:14:58PM -0500, Michael H. Warfield wrote:
> > NAT is a vile and evil abomination which was created in a half-assed
> > effort to extend the life of IPv4.

> Are you really proposing that all IPv6 addresses for LANs be exposed to
> the Internet? That's what I think I'm reading.

The IPv6 firewalls on Linux are just as good as the IPv4 firewalls. I didn't start participating in IPv6 until I had decent firewalls. But that was 10 years ago now at this point. That's old old news.

There is a widespread myth that NAT and the fact that you are on different addresses somehow bestows upon you some measure of security. As a leading security researcher, let me impress upon you that nothing could be further from the truth. You can get security from the inherent statefulness of your common consumer grade NAT, but there are other forms of NAT which do not convey this. Merely the fact that your addresses are mapped does not provide you with any protection. It's the state engine and the dynamic mapping that do this. But, SURPRISE, that's exactly what's in a stateful firewall. There is NO intrinsic advantage of NAT over a decent stateful firewall. None.

IPv6 also has a number of security advantages over IPv4, not the least of which are "no broadcast address" and "virtually impossible to comprehensively brute force scan". That doesn't mean it can't be scanned (the scans have to be more targeted and intelligent), but this "scan the planet" scanning nonsense I see in my honeynets and net-telescope every day (mostly ssh, vnc, and an occasional ftp, telnet, and rdp) is a thing of the past. Smurf attacks (attacks against the local broadcast address) are a thing of the past. UDP flood popup spam is history (well, it should be now anyways, since MS fixed that crap). There are big advantages to that insanely huge local subnet address space.

> Cheers,
> --
> Dave Ihnat
> dihnat@xxxxxxxxxx

Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw@xxxxxxxxxxxx
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
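The point Mike makes above (that it is the connection-state engine, not the address mapping, that keeps unsolicited inbound traffic off the LAN) can be shown with a small model. The following is an added example, not code from the thread or from any Linux firewall: it implements a toy IPv6 stateful filter next to a toy stateless 1:1 address mapper and runs the same three constructed packets through both. All addresses are constructed from the documentation prefix 2001:db8::/32, and the class and function names are this example's own. The comment at the top gives the real ip6tables rules that the stateful model corresponds to.

```python
"""Toy comparison: stateful IPv6 filter vs. stateless address mapping.

The StatefulFilter below models what these (real) Linux ip6tables rules do
for forwarded traffic; the rules are shown for reference, not applied here:

    ip6tables -P FORWARD DROP
    ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ip6tables -A FORWARD -s 2001:db8:1::/64 -j ACCEPT
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network


@dataclass(frozen=True)
class Packet:
    """A minimal 5-tuple; constructed for this example."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# Constructed addresses (RFC 3849 documentation prefix).
LAN = IPv6Network("2001:db8:1::/64")   # the protected subnet
INSIDE = "2001:db8:1::10"              # a LAN host's real address
OUTSIDE = "2001:db8:ffff:1::10"        # address a mapper presents for INSIDE
SERVER = "2001:db8:2::1"               # a server the LAN host talks to
PROBER = "2001:db8:3::1"               # an unrelated host sending an unsolicited SYN


class StatefulFilter:
    """Accept LAN-originated flows and their replies; drop everything else.

    This is the conntrack behaviour Mike credits consumer NAT boxes with,
    with no address rewriting at all.
    """

    def __init__(self, lan: IPv6Network):
        self.lan = lan
        self.flows = set()  # 5-tuples opened from inside the LAN

    def handle(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if IPv6Address(pkt.src) in self.lan:
            self.flows.add(key)        # outbound: create state
            return "ACCEPT"
        if reverse in self.flows:
            return "ACCEPT"            # inbound reply to a flow the LAN opened
        return "DROP"                  # unsolicited inbound


class StatelessMapper:
    """Pure 1:1 address rewriting with no state table.

    Anything addressed to a mapped outside address is delivered to the
    corresponding inside host, solicited or not.
    """

    def __init__(self, inside_to_outside: dict):
        self.inside_to_outside = inside_to_outside
        self.outside_to_inside = {v: k for k, v in inside_to_outside.items()}

    def handle(self, pkt: Packet) -> str:
        if pkt.src in self.inside_to_outside:
            return "ACCEPT"            # outbound: src would be rewritten
        if pkt.dst in self.outside_to_inside:
            return "ACCEPT"            # inbound: dst rewritten and forwarded
        return "DROP"                  # no mapping for this address


def scenario(public_addr: str):
    """Three constructed packets: client connect, server reply, unsolicited probe."""
    return [
        Packet(INSIDE, 40000, SERVER, 443),      # LAN host opens HTTPS to SERVER
        Packet(SERVER, 443, public_addr, 40000),  # SERVER's reply
        Packet(PROBER, 51234, public_addr, 22),   # unsolicited inbound SSH SYN
    ]


def run(device, public_addr: str):
    """Return the verdict for each packet of the scenario."""
    return [device.handle(p) for p in scenario(public_addr)]


if __name__ == "__main__":
    print("stateful  :", run(StatefulFilter(LAN), INSIDE))
    print("mapper    :", run(StatelessMapper({INSIDE: OUTSIDE}), OUTSIDE))
```

The stateful filter returns ACCEPT, ACCEPT, DROP: the reply gets in because the LAN host created the state, the probe does not. The mapper returns ACCEPT for all three, including the probe, because a mapping exists for the destination and nothing asks whether the flow was solicited. One caveat for anyone turning the referenced ip6tables rules into a real policy: IPv6 relies on ICMPv6 for neighbor discovery and path MTU discovery, so a default-DROP ruleset must also admit the required ICMPv6 types or the link stops working.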