[Cialug] Slightly OT - IPv6 silliness

Thomas Kula kula at tproa.net
Wed Jul 9 15:17:02 CDT 2014


On Wed, Jul 09, 2014 at 02:44:45PM -0500, L. V. Lammert wrote:
> 
> > We're running IPv6 in production (have our own /48 from ARIN) and have
> > basic/sane firewall rules in place (i.e. allow related inbound only). So
> > far, it's worked well with very little exposure.
> >
> Well, would not a private subnet mean *no* inbound exposure?

No, because the whole notion of private subnets is entirely one of
convention. It's *normally* one that's pretty solid, but it's *not*
guaranteed. You're relying on people's software and network
configurations being mistake-free. At some point, a packet with a
destination address in a private subnet is going to hit the external
interface(s) of your gateways, either maliciously or by accident. Are
you prepared for that now? 

-- 
Thomas L. Kula | kula at tproa.net | http://kula.tproa.net/
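
Editor's added example, not part of the original message or thread: one way a Linux gateway can enforce the private-address convention explicitly rather than trusting upstream networks, sketched as an nftables ruleset. The interface name `wan0` and the table name `edge_guard` are assumptions, and the rules assume the gateway's own external address is public (not RFC 1918 or ULA).

```nftables
# Added example (assumptions: external interface is "wan0", and the
# gateway's own address on it is public, not RFC 1918 / ULA).
table inet edge_guard {
    chain prerouting {
        # Hook at raw priority so the check runs before conntrack and
        # before any DNAT: the destination seen here is exactly what
        # arrived on the wire, not a port-forward rewrite.
        type filter hook prerouting priority raw; policy accept;

        # IPv4: nothing arriving from outside should already be
        # addressed to RFC 1918 space.
        iifname "wan0" ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } counter log prefix "wan-private-dst " drop

        # IPv6: same idea for unique local addresses (fc00::/7).
        # Link-local (fe80::/10) is outside this range, so neighbor
        # discovery on the external link is unaffected.
        iifname "wan0" ip6 daddr fc00::/7 counter log prefix "wan-ula-dst " drop
    }
}
```

The counters and log prefixes make it possible to see how often such packets actually reach the external interface.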

