0 Votes
About 90% of all incoming SPAM messages are rejected because of SPAM lists, and only about 10% really go through the SPAM checker.
There are no lists for IPv6 spammers, so we have to start from square 1; I agree that blacklisting is not the best method against fighting SPAM, but it works, and with minimum impact on system resources.
0 Votes
How to work out the addresses specifically. I'm kind of dumb.
2 Votes
Contributor
I've written quite a bit about IPv6. There are even some podcasts at TR. Here is a start:

http://www.techrepublic.com/blog/10things/10-answers-to-your-questions-about-ipv6/443
0 Votes
The part about how it is generated confuses me. Is it no longer like IPv4, which was based on a subnet mask? Is there no longer subnet masking?
1 Vote
Contributor
Slayer, this Cisco post does a pretty decent job of explaining it:

https://supportforums.cisco.com/docs/DOC-17232

I've used it with clients and referred to it myself numerous times.
0 Votes
Site IDs?
Is it just that it works the same as before, and you only get 4 changeable blocks from your ISP unless you NAT them?

I suspect many orgs are going to maintain IPv4 in their internal networks, just for ease of maintenance. The typical 2 or 3 digit subnet is easier to remember.
NAT is not security, it is merely obfuscation of your address space. The real security is provided by a stateful firewall with well-engineered ACLs. In fact, NAT tends to do more harm than good by creating the need for massively complex translation configurations that in themselves can be exploited.
1 Vote
Contributor
I see that was mentioned in the article. I felt the same way before I wrote several articles about IPv6. Along the way an expert on IPv6, Joe Klein (https://sites.google.com/site/ipv6security/), set me straight. NAT is not, nor should it be, considered a security measure.
Pat, nice job linking to the Internet Society's "Deploy 360" website. There really is a wealth of information there concerning IPv6 and DNSSEC.
http://www.internetsociety.org/deploy360/ipv6/

As you mentioned, I think it's safe to say that we're going to see IPv4 and IPv6 coexist side-by-side for quite some time. Once IPv6 "goes live" I am sure that several security concerns will arise (and be remedied), but unlike IPv4, security was taken into consideration from the ground up in IPv6's development. One consideration with IPv6 that should be taken into account is that it will increase the importance of DNS (which is already critical). If DNS isn't working properly, it's no big deal to type '192.168.10.20' but can you imagine typing '2001:470:1f10:deb::2'? Even with the IPv6 address abbreviation it would still be a pain.

With IPv6 coming up, 64-bit computing replacing 32-bit, and storage space getting cheaper and cheaper, the days are bright for information technology, and I for one am excited about the future.
1 Vote
A very poor overview
owens-bill Updated - 31st Jan 2012
I'm sorry to have to be so critical, but this is really a terrible article. Other comments have already addressed the mistaken assertion that NAT provides security; that's the tip of the iceberg. The author goes on to mention stateless address autoconfiguration (without apparently knowing enough to call it that) while asserting that IPv6 addresses will be manually assigned in numeric order - and uses a valid IPv6 prefix as his example, for extra credit. He trots out the ancient idea that IPv6 magically makes it easier to do IPsec and invents '4to6' as a transition mechanism. Going back to NAT he equates IPv6 link-local addresses with RFC1918. He asserts that the 'stack' is 'new and not mature' and uses router impersonation as an example, failing to note that the problem has been known about for years and that switch vendors have implemented fixes for years (Cisco since at least 2009, as an example). Sadly, throughout it all he does not mention any of the real issues that need to be considered - IPv6 support in management and security tools, mapping security rules from the v4 world to v6 without breaking critical v6 capabilities, dealing with privacy addresses and their impact on logging and event reporting, etc.

The second-to-last paragraph is a fine summary; perhaps it would have been better if the article were simply left at that. And in response to the final question: yes, people have been thinking of those snags for many years now. Don't assume that because you're late to the game, everyone else is too.

Bill.
1 Vote
Contributor
Hey, Bill
Michael Kassner 31st Jan 2012
I have read a few of your blogs when I was researching my articles about IPv6. I have a favor to ask. TR member Slayer in an earlier comment was looking for some help with IPv6 information.
0 Votes
Yeah I'm slow
Slayer_ 31st Jan 2012
Tough part is, I don't know enough to know the questions to ask...
I haven't been actively involved in IPv6 training for a while now, but the folks at the Deploy360 program are collecting lots of good resources: http://www.internetsociety.org/deploy360/ipv6/

Hurricane Electric, one of the pioneers in v6 commercial networking, has also taken on the task of educating users; they even have an informal certification program: http://ipv6.he.net/presentations.php and http://ipv6.he.net/certification/ You can use one of their tunnels to get a connection to the IPv6 Internet if your current ISP doesn't yet support IPv6 (and sadly, most don't).

That should be plenty to get you up to speed on IPv6. . .
0 Votes
Thanks, I'll check these out
Slayer_ Updated - 31st Jan 2012
Might have to wait till Friday though sad. I tend to do my best learning on Fridays.

Those links should almost be in the original blog, they look like they will be very helpful.
NAT is not security itself but home and other routers that use it also have a default deny built in so that just having a router blocks malicious traffic. Even if you only have one computer, you should have a router with NAT between you and the Internet. Unpatched computers should be behind a router until they are secure. I have had machines compromised during installation when I did not have it behind a router.