
paul248

join:2001-09-04

1 recommendation

reply to elwoodblues

Re: Status of ipv6 with Canadian ISP

said by elwoodblues:

We wouldn't be having this discussion if the ARIN would grow a pair and start taking back the Class A addresses that companies like Apple and HP have.

We would still be having this discussion; it would just be a few months later. You listed eight class A networks, but prior to the global IPv4 pool depletion in January 2011, we were burning through twenty class As per year!

See the graphs here:
»en.wikipedia.org/wiki/IPv4_addre···haustion

"The greatest shortcoming of the human race is our inability to understand the exponential function."
- Albert A. Bartlett, physicist

34764170

join:2007-09-06
Etobicoke, ON

1 recommendation

said by paul248:

We would still be having this discussion; it would just be a few months later. You listed eight class A networks, but prior to the global IPv4 pool depletion in January 2011, we were burning through twenty class As per year!

See the graphs here:
»en.wikipedia.org/wiki/IPv4_addre···haustion

"The greatest shortcoming of the human race is our inability to understand the exponential function."
- Albert A. Bartlett, physicist

Worrying about clawing back v4 space is so ridiculously short sighted. Even under the best circumstances that might buy no more than a year.. gimme a break.

Nope. Internet is closed. You're going to have to close up shop.


elwoodblues
Elwood Blues
Premium
join:2006-08-30
Somewhere in
kudos:2
Reviews:
·VMedia
said by 34764170:

said by paul248:

We would still be having this discussion; it would just be a few months later. You listed eight class A networks, but prior to the global IPv4 pool depletion in January 2011, we were burning through twenty class As per year!

See the graphs here:
»en.wikipedia.org/wiki/IPv4_addre···haustion

"The greatest shortcoming of the human race is our inability to understand the exponential function."
- Albert A. Bartlett, physicist

Worrying about clawing back v4 space is so ridiculously short sighted. Even under the best circumstances that might buy no more than a year.. gimme a break.

Nope. Internet is closed. You're going to have to close up shop.

I think we'd get more than a year out of it. Does every single device need a public IP? I know even if I had a whole mess of ip6's available to me, I wouldn't expose my devices.

While I can see the advantage to that, these days, no way in hell.
--
No, I didn't. Honest... I ran out of gas. I... I had a flat tire. I didn't have enough money for cab fare. My tux didn't come back from the cleaners. An old friend came in from out of town. Someone stole my car. There was an earthquake.......

34764170

join:2007-09-06
Etobicoke, ON

1 recommendation

said by elwoodblues:

I think we'd get more than a year out of it.

Too bad you're wrong.

said by elwoodblues:

Does every single device need a public IP? I know even if I had a whole mess of ip6's available to me, I wouldn't expose my devices.

While I can see the advantage to that, these days, no way in hell.

No one said you have to "expose" your devices but you're given the option of doing so as you please. Lots of people want that option of being able to do so.

Only people that know what they're doing should do so.

CPE will not do so by default unless the user has changed the settings.


elwoodblues
Elwood Blues
Premium
join:2006-08-30
Somewhere in
kudos:2
Reviews:
·VMedia
said by 34764170:

No one said you have to "expose" your devices but you're given the option of doing so as you please. Lots of people want that option of being able to do so.

Only people that know what they're doing should do so.

What have you been smoking? Are you going to sit there and seriously tell me that you'd expose an IPv6 corporate network to the internet, "because you know what you're doing"?

I know what I'm doing and in no way in hell would I expose a home network, let alone a corporate one to the Internet.

I have /28 address space at work and for us, it's perfect.

34764170

join:2007-09-06
Etobicoke, ON

1 recommendation

said by elwoodblues:

What have you been smoking? Are you going to sit there and seriously tell me that you'd expose an IPv6 corporate network to the internet, "because you know what you're doing"?

I know what I'm doing and in no way in hell would I expose a home network, let alone a corporate one to the Internet.

I have /28 address space at work and for us, it's perfect.

I could say the same to you. If I need to access services provided by systems within the inside network, then yes. How am I supposed to do that without exposing them to the net? You're telling me you have never set up port forwarding for anything on your network with IPv4?

Gami00

join:2010-03-11
Mississauga, ON
reply to elwoodblues
Aren't there private blocks of IP6 as well? Just like IP4?

I don't get this exposing all devices to the internet deal when it works so much similar to IP4, that all these fears and nonsense seem to be worthless.

stevey_frac

join:2009-12-09
Cambridge, ON
Reviews:
·TekSavvy Cable

1 recommendation

reply to elwoodblues
Just because you have a publicly routable IP address, doesn't mean that you have to disable your residential gateway's firewall. You can still get NAT levels of protection with public IPs.

You can still deny incoming connections by default, you can still set up exceptions lists, and do all those wonderful things. You just now have a unique IP in the entire world, instead of only unique within your household. No biggy.

34764170

join:2007-09-06
Etobicoke, ON

1 recommendation

reply to Gami00
said by Gami00:

all these fears and nonsense seem to be worthless.

The fears and nonsense come from a lack of understanding of how firewalls and NAT work.


Steve
I know your IP address
Consultant
join:2001-03-10
Foothill Ranch, CA
kudos:5

1 recommendation

reply to elwoodblues
said by elwoodblues:

I know what I'm doing

That's where you lost me.

It's perfectly possible to run an inside network with publicly-routable IP addresses and protect it with the same firewall you use for your residential network.

Many, possibly including you, confuse "NAT" with "firewall", and those who believe you can only protect with NAT are saying very clearly that they do not know what they're doing.

Steve
--
Stephen J. Friedl | Unix Wizard | Security Consultant | Orange County, California USA | my web site


elwoodblues
Elwood Blues
Premium
join:2006-08-30
Somewhere in
kudos:2
Reviews:
·VMedia

1 recommendation

reply to 34764170
I think this is where we are confused.

Yes, everything I have set up is with port forwarding. I'm getting the impression from you that with IPv6 you would just open up an entire server (and perhaps workstations) to the net, since there would be such a plethora of IP space.


elwoodblues
Elwood Blues
Premium
join:2006-08-30
Somewhere in
kudos:2

1 recommendation

reply to Steve
I don't confuse NAT with Firewall by any means.


Steve
I know your IP address
Consultant
join:2001-03-10
Foothill Ranch, CA
kudos:5

1 recommendation

reply to elwoodblues
said by elwoodblues:

I think this is where we are confused.

If you believe that running a standard, non-NAT, routed network is the same as being wide open to the internet, it's clearly you who are confused.

It's totally possible and straightforward to set up firewall rules that don't involve NAT but still provide the same level of protection you have with your NAT at home.

The thing is: It's not NAT that provides the security, it's the stateful inspection, that same inspection being part of the non-NAT firewall.

Steve

34764170

join:2007-09-06
Etobicoke, ON

1 recommendation

reply to elwoodblues
said by elwoodblues:

I think this is where we are confused.

Yes, everything I have set up is with port forwarding. I'm getting the impression from you that with IPv6 you would just open up an entire server (and perhaps workstations) to the net, since there would be such a plethora of IP space.

No, firewalls, whether in a business environment or at home, should have a default block-all policy. That results in having the same behaviour as NAT, which "blocks" traffic since there is no mapping between the outside routable IP and inside address(es) until there is port forwarding implemented. I meant being able to apply pass/allow rules to a firewall to allow certain services to be accessible from the outside. Which is functionally equivalent to using port forwarding, although with more flexibility since each device also has a routable address.

InvalidError

join:2008-02-03
kudos:5

1 recommendation

reply to stevey_frac
said by stevey_frac:

You can still get NAT levels of protection with public IPs.

People who believe NAT is magically more secure simply misunderstand why it is so. Stateful firewalling is an intrinsic prerequisite to NAT: can't do NAT without stateful connection tracking to determine which packets belong to which LAN client.

As you said, stateful firewall on IPv6 is every bit as secure as NAT on IPv4: incoming connections get denied by default.
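
Added example, not part of any post in this thread: a small Python model of the point the last few replies make, that the connection-tracking table is what drops unsolicited inbound traffic, with or without address translation. The `Gateway` class, `demo` function and all addresses (RFC 5737 / RFC 3849 documentation ranges) are constructed for illustration and model no particular CPE.

```python
from dataclasses import dataclass, field

@dataclass
class Gateway:
    """Toy gateway model (constructed for illustration, not vendor firmware)."""
    nat: bool                                     # True: IPv4 NAPT, False: routed IPv6
    public_ip: str = "203.0.113.1"                # documentation address
    forwards: dict = field(default_factory=dict)  # NAT: public port -> inside (ip, port)
    allow: set = field(default_factory=set)       # routed: (inside ip, port) pass rules
    state: dict = field(default_factory=dict)     # connection-tracking table
    next_port: int = 40000                        # next NAT source port (NAT mode only)

    def outbound(self, src, sport, dst, dport):
        """A LAN host opens a flow; return the (ip, port) seen on the wire."""
        wire = (self.public_ip, self.next_port) if self.nat else (src, sport)
        self.next_port += 1
        # Both modes track the flow; NAT also needs the entry to undo the rewrite.
        self.state[(dst, dport) + wire] = (src, sport)
        return wire

    def inbound(self, src, sport, dst, dport):
        """Packet from outside; return the inside (ip, port) or None if dropped."""
        key = (src, sport, dst, dport)
        if key in self.state:
            return self.state[key]                # reply to a tracked flow
        if self.nat and dst == self.public_ip and dport in self.forwards:
            return self.forwards[dport]           # explicit port forward
        if not self.nat and (dst, dport) in self.allow:
            return (dst, dport)                   # explicit pass rule
        return None                               # default deny

def demo(nat):
    """Run the same four probes against a NAT gateway or a routed one."""
    host, server, scanner = (
        ("192.168.1.10", "198.51.100.7", "198.51.100.99") if nat
        else ("2001:db8:1::10", "2001:db8:2::7", "2001:db8:3::99"))
    gw = Gateway(nat=nat)
    target = gw.public_ip if nat else host        # address an outside probe would hit
    wire = gw.outbound(host, 51000, server, 443)
    reply = gw.inbound(server, 443, *wire)
    unsolicited = gw.inbound(scanner, 40123, target, 22)
    if nat:
        gw.forwards[22] = (host, 22)              # IPv4: port forward for SSH
    else:
        gw.allow.add((host, 22))                  # IPv6: pass rule for SSH
    ssh = gw.inbound(scanner, 40123, target, 22)
    other = gw.inbound(scanner, 40123, target, 445)
    return reply, unsolicited, ssh, other
```

`demo(True)` and `demo(False)` give the same pattern: the reply to the outbound flow is delivered, the unsolicited probe is dropped, and only the one service opened by a port forward or pass rule becomes reachable.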