On 13 May 2017, at 13:36, Ruben ON3RVH <on3rvh(a)on3rvh.be> wrote:
> Even with v6 it is still standard and recommended procedure to block inbound (and outbound) smb/cifs at the border routers
Of course, but I'm talking about the general case, not just blocking of certain, known-bad protocols.
A situation without NAT is vastly different. A misconfigured NAT shouldn't result in an exposed internal network.
You need *positive action* in order to direct incoming connections to certain internal hosts. Actually the vast majority of installations of commercial firewalls just employ them as simple NAT routers, go figure!
With IPv6 you need *positive action* to restrict them. The failure mode is completely different (and indeed more dangerous). Not speaking just of our AS, but, how many hotel/airport/railway WiFi access will you expect to be properly configured, if any? What happens with a software bug making traffic bypass the filter?
With IPv4 and the lack of a biunivocal correspondence you have what I like to call "a priori" protection.

With no NAT, however, you need "a posteriori" protection, that is, adding some protection measures.
Last month I gave a talk in our Esnog conference (our Spanish femto-NANOG) proposing that privacy enhanced SLAAC IPv6 addresses shouldn't listen on the IPv6 equivalent of INADDR_ANY by default. Otherwise it can have really bad consequences.
As I said, it's going to be very interesting.
Borja.
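The practical check behind the proposal above is knowing which daemons on a host are bound to `::` (in6addr_any) and will therefore answer on every address, privacy SLAAC ones included. The following is an added example, not part of the thread; it parses the Linux `/proc/net/tcp6` table (the sample below is constructed, in the little-endian layout an x86 kernel prints) and reports the LISTEN sockets bound to the wildcard address.

```python
import socket
import sys

TCP_LISTEN = "0A"  # hex value of the 'st' column for a listening socket

# Constructed sample of /proc/net/tcp6 (not from a real host): sshd on :: port 22,
# a daemon on ::1 port 5432, one on 2001:db8::1 port 443, and one established flow.
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:1538 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000    70        0 1002 1 0000000000000000 100 0 0 10 0
   2: B80D0120000000000000000001000000:01BB 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0
   3: 00000000000000000000000001000000:9C40 00000000000000000000000001000000:1538 01 00000000:00000000 00:00000000 00000000  1000        0 1004 1 0000000000000000 20 4 30 10 -1
"""


def decode_proc_addr(field):
    """Turn the kernel's 'HEX32:PORT' into (text address, port).

    The kernel prints the address as four 32-bit words in host byte order,
    so on a little-endian machine each 4-byte group must be reversed.
    """
    hexaddr, hexport = field.split(":")
    raw = bytes.fromhex(hexaddr)
    words = [raw[i:i + 4] for i in range(0, 16, 4)]
    if sys.byteorder == "little":
        words = [w[::-1] for w in words]
    return socket.inet_ntop(socket.AF_INET6, b"".join(words)), int(hexport, 16)


def listeners(proc_text):
    """Return (addr, port) for every socket in LISTEN state."""
    result = []
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        result.append(decode_proc_addr(fields[1]))
    return result


def wildcard_listeners(proc_text):
    """Listeners bound to :: (in6addr_any): they answer on every local address."""
    return [(addr, port) for addr, port in listeners(proc_text) if addr == "::"]


if __name__ == "__main__":
    text = SAMPLE_TCP6 if len(sys.argv) < 2 else open(sys.argv[1]).read()
    for addr, port in wildcard_listeners(text):
        print(f"bound to in6addr_any: [{addr}]:{port}")
```

Run it with `/proc/net/tcp6` as the argument to audit a live Linux host instead of the constructed sample.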