Home page logo

nanog logo nanog mailing list archives

Re: Common operational misconceptions
From: Ridwan Sami <rms2176 () columbia edu>
Date: Thu, 16 Feb 2012 21:35:03 -0500

End user devices will not benefit from end-to-end connectivity (e.g., globally routeable IPv4 addresses as opposed to being in a RFC1918 space behind NAT).

If I have a wildcard DNS record, *.example.edu AAAA 2001:db8::5, then adding in an explicit record, x.example.edu AAAA 2001:db8::5, will make no visible difference.

There is no legitimate reason for a user to use BitTorrent (someone will probably disagree with this).

Our organization is not running out of IPv4 addresses so we don't need IPv6. (Similarly: Our orginization is running out of IPv4 addresses so that's why we need IPv6.)

I can't use IPv6 because I still need to serve IPv4 clients.

Any IP that starts with 192 is a private IP and any IP that starts with 169 is a self-assigned.

Authentication by client IP address alone is sufficient.

Long passwords requiring letters, numbers, and symbols with a no-repeat policy and a 90-day maximum password age are very secure.

+1 for "We should drop all ICMP(v6) traffic." (Related: "I can't ping the box so it must be down.")

+1 for "NAT is security".

Regarding "DNS only uses UDP", I give out a technical test during interviews and one of the questions is basically "Use iptables to block incoming DNS traffic" and all applicants so far have only blocked UDP port 53.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]