Python Magazine
Chris Angelico
rosuav at gmail.com
Sun May 26 00:37:21 EDT 2013
On Sun, May 26, 2013 at 2:03 PM, Steven D'Aprano
<steve+comp.lang.python at pearwood.info> wrote:
> On Sun, 26 May 2013 11:58:09 +1000, Chris Angelico wrote:
>
>> On Sun, May 26, 2013 at 11:54 AM, Roy Smith <roy at panix.com> wrote:
>
>>> Of course not every IPv6 endpoint will be able to talk to every other
>>> IPv6 endpoint, even if the both have globally unique addresses. But,
>>> the access controls will be implemented in firewalls with appropriately
>>> coded security policies. Not as an accident of being behind a NAT box.
>>
>> To be more specific: The control of who can talk to whom is in the hands
>> of the admins of the two endpoints and the nodes in between, rather than
>> being arbitrarily in the hands of the technology. So I would be able to
>> talk to the file server across the street, but only IF its admin lets
>> me.
>
> Or when (not if) you find a vulnerability in the particular firewall.
> Make no mistake: the most secure entry point is the one that isn't there.
Packets have to get somewhere. If they come into this computer, it has
to deliberately forward them to that computer or they won't get there.
Same thing. All it takes is
# ip6tables -p FORWARD DROP
and you have a "secure unless I specifically permit it" router.
Obviously an attacker can target the router itself (which is exactly
the same as current situation), but can't attack anything beyond it
without an explicit forwarding rule (which is also exactly the same).
ChrisA
More information about the Python-list
mailing list