Wildcards in reverse DNS
Mark_Andrews at isc.org
Sun Jan 7 20:43:00 UTC 2007
> Danny Mayer wrote:
> > Sten Carlsen wrote:
> >> Mark Andrews wrote:
> >>> This is a classic example of applying a IPv4 solution to a
> >>> IPv6 network.
> >> This is very likely, it probably takes some time and effort with the
> >> thing in real life too get a feel for what is possible and what is
> >> "natural" for any new system. This underlines that transition from IPv4
> >> to IPv6 is not just more bits, but rather completely new ways to think.
> >>> I really don't see why people insist that they need port /
> >>> address translation.
> >> I don't necessarily want that, I want the effects that it gives in an
> >> IPv4 network. Isolation and hiding. If other mechanisms, not known in
> >> IPv4 networks, can provide that, it is fine with me.
> > NAT breaks NTP authentication, among other things. I wouldn't be
> > surprised if it also breaks DNSSEC.
> I don't see NAT as the wondercure of all times. It breaks a number of
> things, but it also by default breaks access to internal PCs that should
> not be accessible from outside. I.e. the default is that automatic
> probes will miss the unprotected systems; one less infection risk. It
> does not provide real protection against real attacks, a correctly
> configured firewall would to a much higher degree.
> NAT has good and bad sides. For most private users I will say that the
> good sides outweigh the bad sides, YMMV.
An a stateful firewall will do exactly the same thing.
A nat is a stateful firewall + port/address modification.
Unless you are doing one-to-one NAT, a nat box has to keep
state to enable it to send packets back to the originating
host. That is a super-set of the state a stateful firewall
would have to provide exactly the same protection.
> >> For some things I want that they can initiate a connection to the net,
> >> but are hidden so NO connection can be made from the outside to those
> >> devices. How can that be achieved without NAT in an IPv6 system?
> >>> A statefull firewall is just as good
> >>> at providing protection and doesn't have the down sides
> >>> introduced as a side effect of the port / address translation.
> >> I will take your word for that, I still feel there might be more risk.
> >> That could be missing time and effort on my side. On the other side that
> >> suggests a lot of misconfigured firewalls in the future until people
> >> learn how to do it. "A hackers paradise"?
> > Nothing is going to fix misconfigured firewalls except the people
> > responsible for maintaining them. If the firewall is misconfigured don't
> > expect the NAT to be set up properly either. This very much sounds like
> > security by ignorance. How are you safer?
> I am not thinking about sites with a dedicated and knowledgeable system
> administrator, here I can expect understanding and proper setup. I am
> thinking about all the ADSL connections where people hardly will be
> aware of what things they have that can acess the net in the future.
Many of the botnets today are created by using automatic probes that
> infect unprotected PCs without users knowing about it.
> Any small router you buy for about $50 will by default make access by
> automatic probes impossible, you have to manually misconfigure it to
> have that risk.
No. A router does not do that. A router w/ firewall does than.
A route w/ NAT does that. A router add zero protection.
This is a classic case of the consumer no knowing what is
being sold to them.
> The knowledge and effort it takes to setup a firewall is much greater
> than what I expect the normal ADSL user to have. I expect many of the
> future appliances to try to open a hole in the firewall for themselves
> so they can communicate with their maker for updates and market
> research, also opening for hackers, I will not expect the things to
> allow me to set their network configuration manually the risk of me
> breaking what the manufacturer wants to do is far too big; will future
> botnets be composed from refrigerators?
What a load of hogwash. SOHO NAT vendors could easily make a
equivalent SOHO firewall with almost the same gui as the NAT
box (default out any keep-state, in none).
> >>> If you don't want there to be any path to the equipment
> >>> don't let it use a global prefix. Use a link local or a
> >>> locally assigned local addresses if you have more than one
> >>> internal network.
> >> Does that mean that a local DHCP server is needed? Or is a fixed address
> >> the best way?
DHCP can provide fixed or dynamic addresses. It's all a matter
of configuration. For IPv6 you have the choice of fixed, DHCP
(fixed or dynamic) or autoconf (unknown fixed). Autoconf also
handles adding or removal of prefixes.
> >> This is an example of what could be the misunderstandings that create
> >> this kind of debate, it also underlines that the transition is NOT
> >> simple as has been said.
> > It really is that simple. Programmers have so substitute some slightly
> > different functions and structures for the old IPv4 only structures but
> > the new ones handle both transparently.
> I was thinking of normal peoples understanding, not programmers or
> admins. I worry that in too many cases functionality comes before
> security; everything works by default and you have to close holes by
> yourself, not the other way round. Windows is a good example for all to
> follow it would seem; functions break holes in firewalls if they want
> them without asking users already now.
> >>> Remember a IPv6 node will often have 3 or more addresses
> >>> on each NIC.
> >> That worries me a bit, I guess that will resolve itself as IPv6 becomes
> >> more common in discussions.
> > Why? The different addresses just make routing easier.
> That is both good and bad, see above.
> > Danny
> Best regards
> Sten Carlsen
> No improvements come from shouting:
> "MALE BOVINE MANURE!!!"
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the bind-users