Just to clarify, I'm agreeing with you.

IPv6 on the other hand would be security through obscurity if you don't implement a firewall. Which I assume everyone would do. But we know what happens when you ass-u-me.


-----Original Message-----
From: Glen Waldrop
Sent: Wednesday, July 01, 2015 10:15 AM
To: af@afmug.com
Subject: Re: [AFMUG] private ipv4 sale / leases

Maybe I need to study a bit more, but I run MT, haven't had a security issue
yet.

I've got a firewall configured on the MT. The only way I see into my network
is owning one of my routers, though you guys may educate me.

We've had plenty of attempts. The only thing that has successfully shut us
down so far was the DNS DDoS attack saturating our fiber.

I know nothing is 100% secure, but not having my personal network directly
on the Internet certainly seems better to me.



----- Original Message -----
From: "Ken Hohhof" <af...@kwisp.com>
To: <af@afmug.com>
Sent: Wednesday, July 01, 2015 10:09 AM
Subject: Re: [AFMUG] private ipv4 sale / leases



NAT is not security through obscurity, unless you're referring to 1:1 NAT which is not what most people mean when they say NAT.

Setting up NAT in a Mikrotik illuminates the situation. In order for NAT (actually overloaded dynamic NAT/PAT) to work, you must turn on connection tracking, allow incoming established and related, and block all other inbound traffic unless port forwarding is set up via dstnat.

In other words, a stateful firewall.

Now if you're talking about advanced firewall functions like detecting/blocking/reporting intrusion attempts, yeah that's great, but it's beyond what 99.99% of people implement in their firewall.



-----Original Message-----
From: Paul Stewart
Sent: Wednesday, July 01, 2015 9:52 AM
To: af@afmug.com
Subject: Re: [AFMUG] private ipv4 sale / leases

I'm not sure your argument is really valid.. NAT is "security through obscurity" which translates to "zero additional security" also known as "false security"

IPv6 behind a stateful firewall is just as secure - some folks would argue it's more secure but that argument would take several paragraphs to get into ;)

-----Original Message-----
From: Af [mailto:af-boun...@afmug.com] On Behalf Of Glen Waldrop
Sent: Wednesday, July 1, 2015 10:01 AM
To: af@afmug.com
Subject: Re: [AFMUG] private ipv4 sale / leases

Yeah, but the great thing about NAT is that my network isn't public.

That is my primary argument with IPv6.



----- Original Message -----
From: "Chuck McCown" <ch...@wbmfg.com>
To: <af@afmug.com>
Sent: Wednesday, July 01, 2015 8:28 AM
Subject: Re: [AFMUG] private ipv4 sale / leases



You could use a single IPv6 to say, Mars.

And everyone on Mars could have their own static IP that uses the first 64
to get to Mars and the second 64 to get to all the subscribers.  Assuming
routers exist that would do this.

-----Original Message-----
From: Matt
Sent: Wednesday, July 01, 2015 7:22 AM
To: af@afmug.com
Subject: Re: [AFMUG] private ipv4 sale / leases

Just saying that NAT is not needed.  Every single IP gives you so much
address space that you will never be able to use it.

Essentially a number of globally routable set of static IPs come with
every IP such that one single IP could probably run the whole planet
right now.

You mean every /64 which is minimum customer assignment in most
respects does.  A single IPv6 IP is still just a single IP.
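
An added illustration of the rule set Ken Hohhof's message describes (connection tracking, accept established/related, dstnat exceptions, drop the rest), run beside routed IPv6 with and without a stateful firewall. It is not code from any poster and not RouterOS configuration; the mode labels and all addresses are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Edge:
    """Constructed model of a router's WAN-side decision; not RouterOS code."""
    wan_ip: str
    mode: str                      # "pat", "v6-stateful" or "v6-open" (labels invented here)
    next_port: int = 40000
    conntrack: dict = field(default_factory=dict)   # (WAN-side source, remote) -> LAN host
    dstnat: dict = field(default_factory=dict)      # WAN port -> LAN host (port forward)

    def outbound(self, lan, remote):
        """A LAN host opens a flow; return its source address as the Internet sees it."""
        if self.mode == "pat":
            seen = (self.wan_ip, self.next_port)    # many hosts share one address
            self.next_port += 1
        else:
            seen = lan                              # global address, no translation
        self.conntrack[(seen, remote)] = lan        # state that lets the reply back in
        return seen

    def inbound(self, remote, dst):
        """Return (verdict, LAN host) for a packet arriving from the Internet."""
        if (dst, remote) in self.conntrack:         # established/related
            return "accept", self.conntrack[(dst, remote)]
        if self.mode == "pat" and dst[0] == self.wan_ip and dst[1] in self.dstnat:
            return "accept", self.dstnat[dst[1]]    # explicit dstnat rule
        if self.mode == "v6-open":
            return "accept", dst                    # no filter: routed straight to the host
        return "drop", None                         # all other inbound

def demo():
    """Send a reply and an unsolicited probe through each mode (documentation addresses)."""
    v4 = (("198.51.100.7", 443), ("203.0.113.66", 55555))          # (server, scanner)
    v6 = (("2001:db8:ffff::7", 443), ("2001:db8:bad::66", 55555))
    out = {}
    for mode, wan, host, (server, scanner) in [
            ("pat", "192.0.2.1", ("192.168.88.10", 51000), v4),
            ("v6-stateful", "2001:db8::1", ("2001:db8:1::10", 51000), v6),
            ("v6-open", "2001:db8::1", ("2001:db8:1::10", 51000), v6)]:
        edge = Edge(wan, mode)
        seen = edge.outbound(host, server)
        # With PAT the probe can only aim at the WAN address; with IPv6 it aims at the host.
        target = (wan, 22) if mode == "pat" else (host[0], 22)
        out[mode] = (edge.inbound(server, seen)[0], edge.inbound(scanner, target)[0])
    return out

if __name__ == "__main__":
    print(demo())
```
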






