[olug] VNC w/Qwest

[Luke -Jr]

On Monday 15 October 2007, Kevin wrote:
> On 10/15/07, Luke -Jr <luke at dashjr.org> wrote:
> > On Monday 15 October 2007, Christopher Cashell wrote:
> > > Like it or not, blocking ICMP at a border firewall is a valid technique
> > > for increasing security,
> >
> > I don't see how it is has any legitimate purpose.
>
> If you don't see the computer at that IP, you're not going to attack
> it, are you?

If I wanted to attack it anyway, yes.
Do spammers care if their targets exist or not?
Blocking ICMP only hurts the legitimate uses.

> > > and in this day of NAT and connection sharing/pooling, it's very often
> > > impossible to fully support Internet responding ICMP for all hosts on a
> > > network.
> >
> > The day of NAT is gone. In this day of 128-bit addressing, every device
> > should have a globally routable address and properly respond to ICMP.
>
> Should. However, it's very much alive. I just left one job that used
> NAT - both internally and in their clients - and went to work for
> another job that used NAT - both internally and in their clients. I go
> to home to a collection of NAT'd systems, since I don't want to pay my
> ISP for a second(or third, or fourth, or more) IP address.

That's why ISPs are supposed to issue at the very least /64 blocks.

> I don't see any systems that have a v6 IP address; they all have v4.

If the network was properly configured, they would have v6 IP addresses.

> Until the mass switchover to IPv6 occurs, NAT will live. And maybe
> even then, for the security. If the router doesn't know where to send
> your attack packet, it can't send it. Your NAT'd system is doubly
> safe; you have to hack the router before you can even begin to hack
> the end computer.

That's abusing NAT as a firewall. Let the firewall be the firewall.