Re: [v6ops] Operational Consensus on deployment
Ted Lemon <ted.lemon@nominum.com> Tue, 05 August 2014 21:49 UTC
Return-Path: <Ted.Lemon@nominum.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18D2D1B2BFC for <v6ops@ietfa.amsl.com>; Tue, 5 Aug 2014 14:49:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AZbyK5MldYc0 for <v6ops@ietfa.amsl.com>; Tue, 5 Aug 2014 14:49:00 -0700 (PDT)
Received: from shell-too.nominum.com (shell-too.nominum.com [64.89.228.229]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 694F91B2BFE for <v6ops@ietf.org>; Tue, 5 Aug 2014 14:49:00 -0700 (PDT)
Received: from archivist.nominum.com (archivist.nominum.com [64.89.228.108]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.nominum.com", Issuer "Go Daddy Secure Certification Authority" (verified OK)) by shell-too.nominum.com (Postfix) with ESMTP id 4013D1B839B for <v6ops@ietf.org>; Tue, 5 Aug 2014 14:49:00 -0700 (PDT)
Received: from webmail.nominum.com (cas-02.win.nominum.com [64.89.228.132]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "mail.nominum.com", Issuer "Go Daddy Secure Certification Authority" (verified OK)) by archivist.nominum.com (Postfix) with ESMTP id 1EB5A190043; Tue, 5 Aug 2014 14:49:00 -0700 (PDT)
Received: from [10.0.10.40] (71.233.43.215) by CAS-02.WIN.NOMINUM.COM (192.168.1.101) with Microsoft SMTP Server (TLS) id 14.3.195.1; Tue, 5 Aug 2014 14:49:00 -0700
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Ted Lemon <ted.lemon@nominum.com>
In-Reply-To: <m1XEmSi-0000A8C@stereo.hq.phicoh.net>
Date: Tue, 05 Aug 2014 17:48:17 -0400
Content-Transfer-Encoding: quoted-printable
Message-ID: <2555EF68-9FCC-4C1C-9B54-39A69D090087@nominum.com>
References: <256EAE0B-5C11-42C7-BCA1-CEC7EE6713A7@cisco.com> <53DFD634.4020304@fud.no> <DE860EBC-171E-46E7-A3B6-5E8B79A453CC@cisco.com> <53DFEC6C.3010707@gmail.com> <CAD6AjGRUWxT5XiNxMi_S5VgYtGMLb_FVHXN-ZfGpcY=geix15g@mail.gmail.com> <53E06AC9.9010908@fud.no> <4F7D76F6-BD81-453B-94DC-A3C3DFF68505@delong.com> <8600C096-37D0-4651-92C1-BCFDBA674433@nominum.com> <CAD6AjGTBfyT-zNDJtBKCNtRxd=Hi07678Sr_-HgSGYbjAiF3Tg@mail.gmail.com> <C5281716-DC04-42E6-AC82-0D53E5DA0284@nominum.com> <53E1236A.605@fud.no> <m1XEkJJ-0000BuC@stereo.hq.phicoh.net> <53E13A3B.4050303@fud.no> <m1XEmSi-0000A8C@stereo.hq.phicoh.net>
To: Philip Homburg <pch-v6ops-3@u-1.phicoh.com>
X-Mailer: Apple Mail (2.1878.6)
X-Originating-IP: [71.233.43.215]
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/zV0K6Ae5qNRbYpdmzX5JH9cszd0
Cc: Tore Anderson <tore@fud.no>, IPv6 Ops WG <v6ops@ietf.org>
Subject: Re: [v6ops] Operational Consensus on deployment
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Aug 2014 21:49:02 -0000
On Aug 5, 2014, at 5:39 PM, Philip Homburg <pch-v6ops-3@u-1.phicoh.com> wrote: >> Presumably you'll want a firewall inside of the SIIT gateway, to deal >> with IPv6 ACLs? If so, you only need one firewall and only one ACL. If >> you previously had an ACL that said something like in iptables syntax, >> where 192.0.2.100 is the trusted IP address you want to allow: >> >> --source 192.0.2.100 --protocol tcp --dport ssh -j ACCEPT >> >> ...with SIIT, you'd instead do, assuming 64:ff9b::/96 is the translation >> prefix): >> >> --source 64:ff9b::192.0.2.100 --protocol tcp --dport ssh -j ACCEPT > > Now we wait for somebody to type 64:ff9b::192.0.2.0/24 instead of > 64:ff9b::192.0.2.0/120. > > Also, this not in canonical form. So any program that outputs these address > uses a different syntax. Try grepping your firewall config for an address > you see in tcpdump and not finding it. > > And I wonder howmany people understand this notation at all. Gnaagh! I really hope people aren't configuring their firewalls this way, but I don't have much operational involvement with firewalls, so maybe they do? This seems hopelessly primitive and error-prone.
- [v6ops] Operational Consensus on deployment Fred Baker (fred)
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Fred Baker (fred)
- Re: [v6ops] Operational Consensus on deployment Brian E Carpenter
- Re: [v6ops] Operational Consensus on deployment Fred Baker (fred)
- Re: [v6ops] Operational Consensus on deployment Mark Andrews
- Re: [v6ops] Operational Consensus on deployment Fred Baker (fred)
- Re: [v6ops] Operational Consensus on deployment Owen DeLong
- Re: [v6ops] Operational Consensus on deployment Owen DeLong
- Re: [v6ops] Operational Consensus on deployment Owen DeLong
- Re: [v6ops] Operational Consensus on deployment Owen DeLong
- Re: [v6ops] Operational Consensus on deployment Ca By
- Re: [v6ops] Operational Consensus on deployment Brian E Carpenter
- Re: [v6ops] Operational Consensus on deployment Ca By
- Re: [v6ops] Operational Consensus on deployment Ca By
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Gert Doering
- Re: [v6ops] Operational Consensus on deployment Czerwonka Michał 1 - Hurt
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment William F. Maton Sotomayor
- Re: [v6ops] Operational Consensus on deployment Owen DeLong
- Re: [v6ops] Operational Consensus on deployment Ca By
- Re: [v6ops] Operational Consensus on deployment Owen DeLong
- Re: [v6ops] Operational Consensus on deployment Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Ted Lemon
- Re: [v6ops] Operational Consensus on deployment Heatley, Nick
- Re: [v6ops] Operational Consensus on deployment Ca By
- Re: [v6ops] Operational Consensus on deployment Czerwonka Michał 1 - Hurt
- Re: [v6ops] Operational Consensus on deployment Philip Homburg
- Re: [v6ops] Operational Consensus on deployment Ted Lemon
- Re: [v6ops] Operational Consensus on deployment Owen DeLong
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roaming… Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Philip Homburg
- Re: [v6ops] Operational Consensus on deployment Gert Doering
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Brian E Carpenter
- Re: [v6ops] Operational Consensus on deployment Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Philip Homburg
- Re: [v6ops] Operational Consensus on deployment Philip Homburg
- Re: [v6ops] Operational Consensus on deployment Ted Lemon
- Re: [v6ops] Operational Consensus on deployment Brian E Carpenter
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Mikael Abrahamsson
- Re: [v6ops] Operational Consensus on deployment Ross Chandler
- [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roaming… Tore Anderson
- Re: [v6ops] IPv4v6 roaming Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Philip Homburg
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Gert Doering
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Vízdal Aleš
- Re: [v6ops] Operational Consensus on deployment Gert Doering
- Re: [v6ops] Operational Consensus on deployment Philip Homburg
- Re: [v6ops] Operational Consensus on deployment Vízdal Aleš
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Tore Anderson
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… GangChen
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… GangChen
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… GangChen
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Tore Anderson
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… GangChen
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… GangChen
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… holger.metschulat
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Lee Howard
- Re: [v6ops] Operational Consensus on deployment Philip Homburg
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ca By
- Re: [v6ops] Operational Consensus on deployment Ca By
- Re: [v6ops] Operational Consensus on deployment Lorenzo Colitti
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Dave Michaud
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ca By
- Re: [v6ops] Operational Consensus on deployment Gert Doering
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Lorenzo Colitti
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… GangChen
- Re: [v6ops] Operational Consensus on deployment Ca By
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… GangChen
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Jouni
- Re: [v6ops] Operational Consensus on deployment Eric Vyncke (evyncke)
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Dave Michaud
- Re: [v6ops] Operational Consensus on deployment Lorenzo Colitti
- Re: [v6ops] Operational Consensus on deployment Kossut Tomasz - Hurt
- Re: [v6ops] Operational Consensus on deployment Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Fred Baker (fred)
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Geir Egeland
- Re: [v6ops] Operational Consensus on deployment Ray Hunter
- Re: [v6ops] Operational Consensus on deployment Heatley, Nick
- Re: [v6ops] Operational Consensus on deployment Mark Andrews
- Re: [v6ops] Operational Consensus on deployment George Michaelson
- Re: [v6ops] Operational Consensus on deployment Heatley, Nick
- Re: [v6ops] Operational Consensus on deployment Kossut Tomasz - Hurt
- Re: [v6ops] Operational Consensus on deployment Eric Vyncke (evyncke)
- Re: [v6ops] Operational Consensus on deployment Owen DeLong
- Re: [v6ops] Operational Consensus on deployment Fred Baker (fred)
- Re: [v6ops] Operational Consensus on deployment James Woodyatt
- Re: [v6ops] Operational Consensus on deployment Fred Baker (fred)
- Re: [v6ops] Operational Consensus on deployment James Woodyatt
- Re: [v6ops] Operational Consensus on deployment Mark Andrews