ipv6 question

Michael H. Warfield mhw at WittsEnd.com
Tue Jan 4 03:52:35 UTC 2011


On Mon, 2011-01-03 at 21:46 -0600, Dave Ihnat wrote: 
> On Mon, Jan 03, 2011 at 07:31:37PM -0500, Michael H. Warfield wrote:
> > The IPv6 firewalls on Linux are just as good as the IPv4 firewalls.  I
> > didn't start participating in IPv6 until I had decent firewalls.  But
> > that was 10 years ago now at this point.  That's old old news.
> 
> That's not my concern.  My concern is flooding the bloody 'Net with
> Sagans of IP addresses and traffic we simply never need to see.  I'm
> afraid, with the current IPv6 model, that's all too likely.

You already are.  The only question is the addresses on the packets.
It's not changing the number of packets, only the addresses.  You're not
flooding anybody with anything that wouldn't be there anyways.  You
don't leak packets just because you're now on a routable address.

> > There is a widespread myth that NAT and the fact that you are on
> > different addresses somehow bestows upon you some measure of security.

> Nope.  Just trying to keep the cr*p out of the public pipes.

You're not.  Not at all...  A packet is a packet is a packet whether it
has the address behind your firewall or some address of your NAT device
or some address of some gods forsaken CGN device.  In the security
business, this has some circles seriously concerned that an IP will only
track back to an ISP and there's no accountability beyond that.  Spam
will be an even worse nightmare if whitelists and blacklists become
useless.  You're living in a dream if you think NAT is doing you any
good at all.

> Cheers,
> --
> 	Dave Ihnat
> 	dihnat at dminet.com

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!