People who never learned (much) about IPv6 seem to be afraid of it > What's interesting is how much resistance there is to adding IPv6 which comes from entrenched IT. Too bad, so sad, you're waiting another week. Fixed in 1-3 days after the CTO/CIO and some SVPs approve it (and maybe yells at people for wasting their time). Emergency change request gets filed to fix. The firewall person types in the wrong port. These changes are only done afterhours, partly because of outsourcing latency, partly because of regulations. Networks outsources the request to their global services team in India/Phillippines/China/Brazil since it's literally a single command, but they are done in bulk. subject to serious fines if the data therein fails audit). A cohort of VPs somewhere need to approve it if those subnets are "production" (i.e. Security needs to approve it before Networks can do it (usually). "DevOps" gets a request from an app team to open a port between subnet A and subnet B.ĭevOps asks Networks to do it. Sysadmins/server engineering/DevOps/SRE, Networks, and Security are usually hard silos at big companies. Yeah, incorrect firewall rules are a HUGE problem at super large companies that aren't doing infra-as-code at scale yet. Whatever actually replaces IPv4 will either need to be 10x better than IPv4 in every way or be a completely transparent migration that works with IPv4 "but with more addresses". It introduces too many problems and offers too little benefit. Honestly I just don't really see IPv6 replacing IPv4. NAT isn't perfect but it solves a lot of problems. At least with NAT a "script kiddy" grade attacker won't see what is behind your router. IPv6 is cool and all, but no consumer gear sets it up even remotely secure. I have no interest in letting random IoT devices expose open ports to the entire world (by default).
I have no interest in outsiders being able to ping hosts on my network or even know of their existence. Hell I'm pretty sure comcast's cable modem doesn't even have IPv6 firewall capabilities and if they do it is default wide open.
it is never gonna fly for anybody who isn't proficient with "real" routers (i.e.
If I have to SSH into the router and treat it like a "real" router to set up IPv6 firewall rules. > you now have more tools to shoot yourself in the foot withĪnd the tools for managing IPv6 firewall rules suck on "SMB grade" stuff like ubiquiti and are virtually non-existant on any consumer grade router. What's really interesting is how many of these "we fear change" IT people don't realize they're already using IPv6 on their phones every day, with a majority of the sites they visit. Adding IPv6 has myriad advantages - no need for NAT, proxies or port forwards to share addresses, no need to renumber networks if allocations or upstream change, redundancy, valid security-through-obscurity (imagine port scanning a /64 looking for open ssh ports). My favorite is, "we have no record of people trying to use IPv6" - yes, that's real :D People who never learned (much) about IPv6 seem to be afraid of it and often respond with some variant or another of "don't fix it if it ain't broke", or "it's extra work for no return", or "we'll have to pay licensing to add IPv6 because we bought crap routers, so let's not", et cetera. What's interesting is how much resistance there is to adding IPv6 which comes from entrenched IT. I set up IPv6 on all my servers in 2001 and thought we'd all be on IPv6 in just a couple of years :P It's good to wonder publicly and have a discussion!
0 kommentar(er)
