[ipv6hackers] IPv6 security (slides and training)

fred bovy fred at fredbovy.com
Fri Nov 18 02:08:55 CET 2011



On 17/11/11 19:28, "Cameron Byrne" <cb.list6 at gmail.com> wrote:

>On Nov 17, 2011 3:47 PM, "fred bovy" <fred at fredbovy.com> wrote:
>>
>>
>>
>> On 12/11/11 01:09, "Doug Barton" <dougb at dougbarton.us> wrote:
>>
>> >On 11/11/2011 16:05, Douglas Otis wrote:
>> >> On 11/11/11 2:40 PM, Doug Barton wrote:
>> >>> >> I think that the IPv4 folks will quickly have problems
>> >>> >> communicating with
>> >>> >> their partners and customers running IPv6.
>> >>>  ... which is one of the big motivations to not be a first-mover to
>> >>>  IPv6 in the first place.
>> >>>
>> >> Doug,
>> >>
>> >> Disagree.  These partners also likely represent the land of
>> >> opportunity.  Rather than receiving a growing portion of traffic over
>> >> LSNs, offering IPv6 connectivity conveys better information when
>> >> deciding which exchanges to permit.  In addition, direct access better
>> >> prevents MitM and broken double NAT issues.
>> >
>> >You guys keep missing the part where *I* agree with you.
>> >
>> >The question isn't, "Is IPv6 the right answer?" The question is, "Why do
>> >so many organizations believe that CGN is a better answer?"
>>
>>
>> REALLY???? So give me some references of SP who have deployed NAT444???
>>
>> I am curious…
>>
>> Fred
>>
>>
>
>Many mobile providers provide mifi hotspots or hotspots on phones that are
>effectively Nat444.


Ok, mobile providers provide wifi or hotspots... terrific!
Maybe it can also help Internet cafes, but is there any enterprise
interested in getting connected via NAT444?
But even home users will not benefit from NAT444. If the SP can't figure
out how many real users sit behind an IP address, how can the SP do
the capacity planning to put enough memory to handle the translations and
the states needed? No way! Ok, NAT444 may help when you can figure out how
many real users sit behind an address like a smartphone... but even
smartphones now can have a router function and provide access to many
users and each user may watch many videos.... The NAT444 will have to be
provisioned with enough memory to manage all the states....

But NAT444 is good news for hackers, DoS attacks will never be easier and
with the translation logs as the only means to track users, hackers can
sleep easy!

No enterprise will ever want to get connected via NAT444...

With NAT444 you can no longer run a server using a static translation as
we do with NAT!

With NAT444, if the user configures an IPv4 private address which is being
used between the CPE and the SP, we have a duplicate address issue.

With NAT444, if two customers are locally connected, NAT of the source
address must be performed, otherwise the packet will get back to the
customer with a private source address which will be filtered by the
customer firewall.

With NAT444, if the LSN reloads, all the customers will have to restart
their sessions...

NAT444 has not been tested since 1996... Maybe the 6BONE was not heavily
tested but some tests have been run with high load of IPv6 traffic and have
shown that IPv6 was no problem.

I have been a dev-tester for 6 years so don't tell me that IPv6 was never
tested under very loaded traffic... It is too funny :-)
 
NAT444 is a much better, scalable and proven solution than IPv6, there is
no doubt about this!

Fred


>
>The mobile provider does Nat44 in their core and the android phone or mifi
>does nat44 providing addresses to the tethered clients / WLAN
>
>Cb
>>
>>
>>
>> >
>> >--
>> >
>> >               "We could put the whole Internet into a book."
>> >               "Too practical."
>> >
>> >       Breadth of IT experience, and depth of knowledge in the DNS.
>> >       Yours for the right price.  :)  http://SupersetSolutions.com/
>> >
>> >_______________________________________________
>> >Ipv6hackers mailing list
>> >Ipv6hackers at lists.si6networks.com
>> >http://lists.si6networks.com/listinfo/ipv6hackers
>>
>>




