0·
5 months agoI might be misunderstanding. It’s definitely possible to have as many IPv4 aliases on an interface as you want with whatever routing preferences you want. Can you clarify?
I agree with your stance on deployment.
- 0 Posts
- 12 Comments
Joined 1 year ago
Cake day: July 6th, 2023
You are not logged in. If you use a Fediverse account that is able to follow users, you can follow this user.
Given how large the address space is, it’s super easy to segregate out your networks to the nth degree and apply proper firewall rules.
There’s no reason your clients can’t have public, world routeable IPs as well as security.
Security via obfuscation isn’t security. It’s a crutch.
This article is biased to selling you more F5 equipment but is a reasonable summary:
https://www.f5.com/resources/white-papers/the-myth-of-network-address-translation-as-security
Long story short is that NAT is eggshell security and you should be relying on actual firewall rules (I wouldn’t recommend F5) instead of the implicit but not very good protections of NAT.
I can potentially see that scenario if your transit provider is giving you a dynamic prefix but I’ve never seen that in practice. The address space is so enormous there is no reason to.
Otherwise with either of RADVD or DHCPv6 the local routers should still be able to handle the traffic.
My home internal network (v6, SLAAC) with all publicly routeable addresses doesn’t break if I unplug my modem.
Hurricane Electric have a free tunnel broker that is super simple to set up if you really want to get on the bandwagon.
Though honestly I’d say the benefits of setting it up aren’t really worth the trouble unless you’re keen.
IMO they shouldn’t have allowed ULA as part of the standard. There’s no good reason for it.
It also means you no longer need the kludge that is NAT. Full E2E connectivity is really nice – though I’ve found some network admins dislike this idea because they’re so used to thinking about it differently or (mistakenly) think it adds to their security.
2·8 months agoYes.
Just beware of their reclamation policy:
Thanks for taking the time to respond.
I appreciate the info, but I am not a patient man. :)
Where on earth are you buying HP Mini machines for so cheap? Even the older gen seem to be 5 times as expensive as your estimate.
I agree. GeoIP was never a good idea, but here we are. Any ASN could be broken up and routed wherever (and changed) but it’s still far too prevalent.