Re: IPv6 transition work was RE: NANOG 40 agenda posted

2007-06-04 Thread JORDI PALET MARTINEZ
Understood. One more alternative to just keep the existing load-balancer infrastructure is to set up a NAT-PT box. Again, even if this may not scale for millions of users, it may be a good solution for the few users that can be accessing with IPv6 your contents. Of course, all this may not necessa

Re: IPv6 transition work was RE: NANOG 40 agenda posted

2007-06-04 Thread JORDI PALET MARTINEZ
This is one of the ways some load-balancer vendors do IPv6 today. They still talk IPv4 to the servers, so you don't need to modify anything, just add an managed by the load balancer. It is a kind of combination between NAT-PT and load-balancer. Regards, Jordi > De: matthew zeier <[EMAIL

Re: Providers that carry IPv6

2007-06-04 Thread Pierfrancesco Caci
:-> "Krichbaum," == Krichbaum, Eric <[EMAIL PROTECTED]> writes: > I saw this question a while ago but no (maybe one) answers. Who does > have IPv6 in production today. Of the fixedorbit.com top ten for > example? > 701 (MCI) - ? yes, but from 12702 (at least in europe)

Re: NANOG 40 agenda posted

2007-06-04 Thread Paul Vixie
two replies here. i ([EMAIL PROTECTED]) said: > > quagga ospf6d works great, and currently lacks only a health check API. Donald Stahl <[EMAIL PROTECTED]> answered: > Health checks are unfortunately the most important aspect of a LB for some > people. understood. > Can you elaborate on where

Re: Providers that carry IPv6

2007-06-04 Thread Jeroen Massar
Krichbaum, Eric wrote: > I saw this question a while ago but no (maybe one) answers. Who does > have IPv6 in production today. Of the fixedorbit.com top ten for > example? http://www.sixxs.net/tools/grh/lg/ You can check the routing tables for which ASN's are active or check the DFP list to see

Re: NANOG 40 agenda posted

2007-06-04 Thread Colm MacCarthaigh
On Mon, Jun 04, 2007 at 07:29:03AM +, Paul Vixie wrote: > > If you're load-balancing N nodes, and 1 node dies, the distribution hash > > is re-calced and TCP sessions to all N are terminated simultaneously. > > i could just say that since i'm serving mostly UDP i don't care about this, > but

Re: NAT Multihoming

2007-06-04 Thread Stephane Bortzmeyer
On Sun, Jun 03, 2007 at 07:33:45PM -0700, Stephen Satchell <[EMAIL PROTECTED]> wrote a message of 29 lines which said: > The last time I renumbered, I found that quite a few people were not > honoring the TTLs I put in my DNS zone files. [...] Custom customer > zone files hosted elsewhere? Do

Re: NANOG 40 agenda posted

2007-06-04 Thread Iljitsch van Beijnum
On 2-jun-2007, at 23:07, Donald Stahl wrote: The simplistic answer is that nearly all assigned/allocated blocks will be minimum-sized, which means ISPs will be capable of filtering deaggregates if they wish. Some folks have proposed allowing a few extra bits for routes with short AS_PATHs

Re: Providers that carry IPv6

2007-06-04 Thread Jeroen Massar
Antonio Querubin wrote: > On Mon, 4 Jun 2007, Jeroen Massar wrote: > >> Please at least honor: ip6.de.easynet.net/ipv6-minimum-peering.txt > > A typical trans-Pacific path is significantly longer than a typical > trans-Atlantic path. The < 40 ms policy recommendation in the above is > unrealisti

Re: NAT Multihoming

2007-06-04 Thread Iljitsch van Beijnum
On 4-jun-2007, at 4:33, Stephen Satchell wrote: The last time I renumbered, I found that quite a few people were not honoring the TTLs I put in my DNS zone files. I would clone the new address and monitor traffic to the old address -- and it took up to seven days for the traffic to the ol

Re: Providers that carry IPv6

2007-06-04 Thread Bernhard Schmidt
Krichbaum, Eric <[EMAIL PROTECTED]> wrote: > I saw this question a while ago but no (maybe one) answers. Who does > have IPv6 in production today. Of the fixedorbit.com top ten for > example? > > 701 (MCI) - ? Yes, although I don't know whether tunneled or not. I see 16 prefixes through 701. 1

Re: NANOG 40 agenda posted

2007-06-04 Thread Bernhard Schmidt
Nathan Ward <[EMAIL PROTECTED]> wrote: > The other mode would be to set up mail.ipv6.yahoo.com and have > customers use that for whatever protocol they send/receive mail with, > and not point an MX at an for the time being. Actually I would do it the other way around, adding to th

Re: NANOG 40 agenda posted

2007-06-04 Thread Paul Vixie
> It depends on the length of those TCP sockets. If you were load-balancing > the increasingly common video-over-http, it would be very unacceptable. yes. i believe i said that my preferred approach works really well with UDP and marginally well with current WWW. video over http is an example o

Re: NAT Multihoming

2007-06-04 Thread Donald Stahl
The last time I renumbered, I found that quite a few people were not honoring the TTLs I put in my DNS zone files. [...] Custom customer zone files hosted elsewhere? Do not forget that applications have their own caches, too, and they typically ignore completely the DNS TTL. A typical Web brow

Re: Cool IPv6 Stuff

2007-06-04 Thread Joel Jaeggli
Adrian Chadd wrote: > On Mon, Jun 04, 2007, Sam Stickland wrote: > >> Personally I hate NAT. But I currently work in a large enterprise >> environment and NAT is surprisingly popular. I came from a service >> provider background and some of the attitudes I've discovered towards >> private addre

Re: Cool IPv6 Stuff

2007-06-04 Thread Donald Stahl
Even people I have spoken that understand the difference between firewalling/reachability and NATing are still in favour of NAT. The argument basically goes "Yes, I understand that having a public address does not necessarily mean being publicly reachable. But having a private address means

Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-04 Thread Robert Bonomi
> From [EMAIL PROTECTED] Mon Jun 4 13:54:55 2007 > Subject: Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) > Date: Mon, 4 Jun 2007 14:47:06 -0400 > > On 4-Jun-2007, at 14:32, Jim Shankland wrote: > > > Shall I do the experiment again where I set up a Linux box > > at an RFC1918 address,

Re: Security gain from NAT

2007-06-04 Thread Dave Israel
[EMAIL PROTECTED] wrote: On Mon, 04 Jun 2007 11:32:39 PDT, Jim Shankland said: *No* security gain? No protection against port scans from Bucharest? No protection for a machine that is used in practice only on the local, office LAN? Or to access a single, corporate Web site? Nope. Zip. Zer

Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-04 Thread Colm MacCarthaigh
On Mon, Jun 04, 2007 at 11:47:15AM -0700, Owen DeLong wrote: > >*No* security gain? No protection against port scans from Bucharest? > >No protection for a machine that is used in practice only on the > >local, office LAN? Or to access a single, corporate Web site? > > > Correct. There's nothin

Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-04 Thread Valdis . Kletnieks
On Mon, 04 Jun 2007 12:20:38 PDT, Jim Shankland said: > I can't pass over Valdis's statement that a "good properly configured > stateful firewall should be doing [this] already" without noting > that on today's Internet, the gap between "should" and "is" is > often large. Let's not forget all the

Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-04 Thread Larry Smith
On Monday 04 June 2007 13:54, [EMAIL PROTECTED] wrote: > On Mon, 04 Jun 2007 11:32:39 PDT, Jim Shankland said: > > *No* security gain? No protection against port scans from Bucharest? > > No protection for a machine that is used in practice only on the > > local, office LAN? Or to access a singl

Avaya CNA 336 questions from other users.

2007-06-04 Thread Drew Weaver
I have a hard time finding people who know what an Avaya converged network analyzer is in my social circle, so I turn to you folks to see if anyone has any experience with them. We have had one deployed at our edge for awhile and I wanted to compare notes on performance with other folk

Re: NANOG 40 agenda posted

2007-06-04 Thread Joe Abley
On 4-Jun-2007, at 02:03, Colm MacCarthaigh wrote: On Mon, Jun 04, 2007 at 02:53:52AM +, Paul Vixie wrote: ipv6 load balancers exist, one's current load balancer is/may probably not be up to the task. my favourite load balancer is OSPF ECMP, since there are no extra boxes, just the

RE: Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-04 Thread David Schwartz
> On Jun 4, 2007, at 11:32 AM, Jim Shankland wrote: > > Owen DeLong <[EMAIL PROTECTED]> writes: > >> There's no security gain from not having real IPs on machines. > >> Any belief that there is results from a lack of understanding. > > This is one of those assertions that gets repeated so often

Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-04 Thread Jim Shankland
[EMAIL PROTECTED] writes: > Let's not forget all the NAT boxes out there that are *perfectly* > willing to let a system make an *outbound* connection. So the user > makes a first outbound connection to visit a web page, gets exploited, > and the exploit then phones home to download more malware.

Re: NANOG 40 agenda posted

2007-06-04 Thread Paul Vixie
> As with all things, the trick is to weigh the risk of disaster against the > probability of benefit and do whatever makes sense within your own > particular constraints. is nobody using a host based solution to this? that is, are times when HA LB is needed for TCP (like video over http) also s

Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-04 Thread Edward B. DREGER
JS> Date: Mon, 04 Jun 2007 12:20:38 -0700 JS> From: Jim Shankland JS> If what you meant to say is that NAT provides no security benefits JS> that can't also be provided by other means, then I completely What Owen said is that "[t]here's no security gain from not having real IPs on machines". Th

Re: Security gain from NAT

2007-06-04 Thread Edward B. DREGER
DI> Date: Mon, 04 Jun 2007 15:22:11 -0400 DI> From: Dave Israel DI> So you make end devices unaddressable by normal means, and while it DI> shouldn't give them more security, it turns out it does. No matter DI> how much it shouldn't, and how much we wish it didn't, it does. "Hey, this so-called

RFC4864 - Local Network Protection for IPv6

2007-06-04 Thread Jeroen Massar
For all you "NAT is soo secure I need to NAT" folks please take the time and read the following RFC that the IETF has carefully put together to address all those arguments. URL: http://myietf.unfix.org/documents/rfc4864.txt Abstract: 8<-

Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-04 Thread Owen DeLong
On Jun 4, 2007, at 1:41 PM, David Schwartz wrote: On Jun 4, 2007, at 11:32 AM, Jim Shankland wrote: Owen DeLong <[EMAIL PROTECTED]> writes: There's no security gain from not having real IPs on machines. Any belief that there is results from a lack of understanding. This is one of those

Re: Security gain from NAT

2007-06-04 Thread Sam Stickland
Matthew Palmer wrote: I can think of one counter-example to this argument, and that's SSL-protected services, where having a proxy, transparent or otherwise, in your data stream just isn't going to work. Not so. Look at: http://muffin.doit.org/docs/rfc/tunneling_ssl.html S

Fwd: NIST Special Publication 800-54 Draft - BGP Security

2007-06-04 Thread ge
- Forwarded message from [EMAIL PROTECTED] - Date: Mon, 4 Jun 2007 18:58:26 -0400 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: NIST Special Publication 800-54 Draft - BGP Security I made an announcement today during the ISP Security session (at NANOG40) about the release the

Re: Security gain from NAT

2007-06-04 Thread Roger Marquis
Matthew Palmer wrote: While "protection from mistakes" is a valid reason, it's a pretty weak one. It is indeed a weak reason but, evidently, much stronger as a straw man argument. NAT is A security tool, not THE security tool. I would say that those who rely on NAT for security are the ones

Re: Security gain from NAT

2007-06-04 Thread Donald Stahl
A core but often neglected factor in IT security is KIS. NAT, particularly in the form of PAT, is an order of magnitude simpler to administer than a stateful firewall with one-to-one address mappings. Why would a stateful firewall have one-to-one address mappings? I'm not even sure what you me

Re: Security gain from NAT

2007-06-04 Thread brett watson
On Jun 4, 2007, at 9:51 PM, Donald Stahl wrote: A SI firewall ruleset equivalent to PAT is a single rule on a CheckPoint firewall (as an example): Src: Internal - Dst: Any - Action: Allow Done. Done indeed! Botnet operators *love* this policy. This type of policy is probably worse than