[ipv6hackers] IPv6 security (slides and training)

Cameron Byrne cb.list6 at gmail.com
Fri Nov 18 03:20:11 CET 2011


On Nov 17, 2011 5:09 PM, "fred bovy" <fred at fredbovy.com> wrote:
>
>
>
> On 17/11/11 19:28, "Cameron Byrne" <cb.list6 at gmail.com> wrote:
>
> >On Nov 17, 2011 3:47 PM, "fred bovy" <fred at fredbovy.com> wrote:
> >>
> >>
> >>
> > >> On 12/11/11 01:09, "Doug Barton" <dougb at dougbarton.us> wrote:
> >>
> >> >On 11/11/2011 16:05, Douglas Otis wrote:
> >> >> On 11/11/11 2:40 PM, Doug Barton wrote:
> >> >>> > I think that the IPv4 folks will quickly have problems
> >> >>> > communicating with
> >> >>> >> their partners and customers running IPv6.
> >> >>>  ... which is one of the big motivations to not be a first-mover to
> >> >>>  IPv6 in the first place.
> >> >>>
> >> >> Doug,
> >> >>
> >> >> Disagree.  These partners also likely represent the land of
> > >> >> opportunity.  Rather than receiving a growing portion of traffic over
> > >> >> LSNs, offering IPv6 connectivity conveys better information when
> > >> >> deciding which exchanges to permit.  In addition, direct access better
> > >> >> prevents MitM and broken double NAT issues.
> >> >
> >> >You guys keep missing the part where *I* agree with you.
> >> >
> > >> >The question isn't, "Is IPv6 the right answer?" The question is, "Why do
> > >> >so many organizations believe that CGN is a better answer?"
> >>
> >>
> >> REALLY???? So give me some references of SP who have deployed NAT444???
> >>
> > >> I am curious...
> >>
> >> Fred
> >>
> >>
> >
> >Many mobile providers provide mifi hotspots or hotspots on phones that are
> >effectively Nat444.
>
>
> Ok Mobile provide wifi or hotspots... terrific!
> Maybe it can also help Internet Cafe but is there any enterprise
> interested to get connected via NAT444?
> But even home users will not benefit from NAT444. If the SP can't figure
> out how many real users sit behind an IP address, how can the SP do
> the capacity planning to put enough memory to handle the translations and
> the states needed? No way! Ok NAT444 may help when you can figure out how
> many real users sit behind an address like a smartphone... but even
> smartphones now can have a router function and provide access to many users and each
> user may watch many videos.... The NAT444 will have to be provisioned with
> enough memory to manage all the states....
>
> But NAT444 is good news for hackers, DoS attacks will never be easier and
> with the translation logs as the only means to track users, hackers can
> sleep easy!
>
> No enterprise will ever want to get connected via NAT444...
>

Maybe. Maybe not. Depends how you define enterprise.  Mobile enterprise
users are a key customer group of mobile hotspots. I am not saying it is
good, I am saying it exists at large scale.

> With NAT444 you cannot run a server anymore using a static translation as
> we do with NAT!
>

Right. That is why people have the "cloud" ...sarcasm ....

> With NAT444, if the user configures an IPv4 private address which is being
> used between the CPE and the SP we have a duplicate address issue.
>
> With NAT444, if two customers are locally connected, NAT of the source
> address must be performed otherwise the packet will get back to the
> customer with a private source address which will be filtered by the
> customer firewall.
>
> With NAT444, if the LSN reloads, all the customers will have to restart
> their sessions...
>
> NAT444 has not been tested since 1996... Maybe the 6BONE was not heavily
> tested but some tests have been run with high load of IPv6 traffic and have
> shown that IPv6 was no problem.
>
> I have been a dev-tester for 6 years so don't tell me that IPv6 was never
> tested under very loaded traffic... It is too funny :-)
>
> NAT444 is a much better, scalable and proven solution than IPv6, there is
> no doubt about this!
>

If you are looking for an echo of "yes, Nat444 is bad and ipv6 is good".
You are probably in the right place.

Is there another point you are trying to make ?  Yes, ipv6 is technically
better than Nat444, but that alone does not get it on store shelves .....
Even the great NAT traversing p2p software Skype does not support ipv6
..... P2p is an obvious beneficial use case of ipv6, right ?   Yet, no
support.

Cb

Ps. In case it is not clear, I spend a lot of time deploying and advocating
for ipv6.

> Fred
>
>
> >
> >The mobile provider does Nat44 in their core and the android phone or mifi
> >does nat44 providing addresses to the tethered clients / WLAN
> >
> >Cb
> >>
> >>
> >>
> >> >
> >> >--
> >> >
> >> >               "We could put the whole Internet into a book."
> >> >               "Too practical."
> >> >
> >> >       Breadth of IT experience, and depth of knowledge in the DNS.
> >> >       Yours for the right price.  :)  http://SupersetSolutions.com/
> >> >
> >> >_______________________________________________
> >> >Ipv6hackers mailing list
> >> >Ipv6hackers at lists.si6networks.com
> >> >http://lists.si6networks.com/listinfo/ipv6hackers
> >>
> >>
>
>


