Offensive? A self-evaluation might be in order here.
(non-directed)
Everyone is so damn "offended" these days. Grow a pair, live your life, and stop dragging everyone else down in the gutter. Enough of this me, me, me crap.
EXCELLENT POINT! I am so tired of people whining about being offended when someone simply states their opinion. Now if someone sets out to offend, then that is different, but difference of opinion should not construe offense.
NAT has also become an important part of the external security diapers that are used to protect Microsoft's Windows. Without a layer of NAT in the router's firewall, a Windows PC would expose all number of unsecured ports to public tampering. A remotely addressable Windows PC on the Internet will almost instantly become infected by malicious probes looking for its wide-open back doors.
WTF? So blame Windows for NAT?
NAT is pretty darned useful for other purposes than just security by obscurity and on networks that just might have unsecured Macs on them too. It's not like we've not seen exploits on Quicktime have we?
Which also turned out to be silly. Only the login details are sent encrypted, everything else is hanging out there as unencrypted traffic including your email, contacts, iDisk... yet this is apparently not a security issue?
These articles on network security are naïve in the extreme.
EXCELLENT POINT! I am so tired of people whining about being offended when someone simply states their opinion. Now if someone sets out to offend, then that is different, but difference of opinion should not construe offense.
When the article refers to a common (and very valid) security practice as "wearing diapers", I'd say it's fair to assume that the author intended offense. He's essentially calling us babies for implementing things that way.
Not that I took offense, because I'm not going to let an author as uninformed as the writer of this piece to offend me, but I'd be surprised to find out that the author wasn't trying to offend.
When the article refers to a common (and very valid) security practice as "wearing diapers", I'd say it's fair to assume that the author intended offense. He's essentially calling us babies for implementing things that way.
Not that I took offense, because I'm not going to let an author as uninformed as the writer of this piece to offend me, but I'd be surprised to find out that the author wasn't trying to offend.
You really think he was directing criticism of a system at indivual end users? hahahahahahahah
IPv6 itself definitely does not include IPsec as a protocol feature -- IPsec is layered on top of both IPv4 and IPv6. I haven't looked at the host RFCs for a while, so it's possible that host stacks are mandated to include IPsec when they support IPv6, but it's entirely possible (and in fact quite normal) for IPv6 traffic to be unencrypted. In fact, there is a fairly substantial cost to doing encryption, though AES is fast enough on modern CPUs to make this mostly transparent unless you've got a 100Mb connection or higher. However, the key negotiation is fairly expensive, and not necessarily something you want to do on every connection. In fact, servers would truly hate that -- it would force every server to include hardware crypto acceleration.
So it makes sense that you use IPsec when connection authenticity or confidentiality is an issue, but not necessarily all the time.
Sorry Mr. H. The possessive case of nouns that form the plural with "s" do have apostrophes. "All the boys' trousers were soiled after the football match."
wow. i feel like such a geek for having read all of this, and at the same time am glad i did. sheesh there are a lot of things i don't know.
i'm curious how this would effect many of the content delivery networks out there that are paid big bucks by sites serving rich media to route data on private networks and out of the cloud all together. are they using IPv6 already or would that be a selling point of using one CDN over another?
Sorry Mr. H. The possessive case of nouns that form the plural with "s" do have apostrophes. "All the boys' trousers were soiled after the football match."
You registered just for that?
I don't have room in my signature to be more explicit, but I'm talking about pure plurals. i.e. the plural of "apple" is "apples" not "apple's", the plural of "Mac" is "Macs", not "Mac's" etc. etc. People putting in an apostrophe every damn time they see an "s" at the end of a word drives me nuts!
Edit: huzzah, there's room in the signature after all. 'Tis now fixed
Apple's internal firewall is a joke, so tunneling IPv6 traffic is asking for some serious issues. Safari broswer and OS can fully run IPv6 unlike Windows Vista/IE junk. Oh besides only two or three US ISP vendors currently offer IPv6 services still going to loose performance do to running dual stacks.
What is wrong with Apple's firewall? Do you mean Leopard's application firewall or ipfw/ip6fw?
Vista can certainly "fully run IPv6."
How does running dual-stack make you lose performance? I run dual-stack every day at work, using a production IPv6 environment, and I don't see any performance problems.
When the article refers to a common (and very valid) security practice as "wearing diapers",
NAT is not a security feature. It is an address conservation system. If you want to prevent users from connecting to your machines, then use a firewall. I don't understand why people don't understand this simple concept.
NAT is pretty darned useful for other purposes than just security by obscurity and on networks that just might have unsecured Macs on them too. It's not like we've not seen exploits on Quicktime have we?
NAT is not a security feature, and it will not protect you from the recent QuickTime vulnerabilities. Those were local exploits. If an attacker could trick a user into loading a malicious media file, they could exploit the hole. NAT offers zero protection from this type of attack.
Apple has a few tricks up its sleeve for pushing IPv6 adoption, and many Mac users are already chin deep in the technology without even knowing it.
What? Apple has magic tricks ?
Sure not! Those tricks are basics of the IPv4/IPv6 convergence, written into the various IPv6 standards. IPv6 is out there since years. Real backbone provides provide IPv6 routing since years.
Only USA is slow to pick it up. IPv6 is already commonly deployed in Europe and Far East. The mechanisms built into IPv6 to let IPv6 contact IPv4 and to create automatic tunnels are there, built into many dual-stack routers already. Only the desktop's have not made use of it as most (especially american) ADSL & WLAN routers did not support IPv6.
It is very nice of Apple supporting IPv6 in their Airport family but Apple still brings out brand new devices which have no IPv6 support at all!
Yes, but the DNS itself is not doing the background work exclusively.
I don't follow.
Mac OS X does not come with a DHCPv6 client. It either uses stateless autoconfiguration or has a manually configured IPv6 address. On a home network, it's reasonable to assume that stateless autoconfig would be used.
Once you Mac has an IPv6 address, it will try to use it. Namely, it will send DNS queries for AAAA records to any machine you try to connect to (providing that the client software uses v6-aware resolver APIs).
The mechanisms built into IPv6 to let IPv6 contact IPv4 and to create automatic tunnels are there, built into many dual-stack routers already.
What mechanism would that be? I'm not familiar with one. IPv6 and IPv4 are not compatible on the wire. You either need to run dual-stack (give each machines both an IPv4 and an IPv6 address), or use some form of IPv4-to-IPv6 NAT or proxy.
Mac OS X does not come with a DHCPv6 client. It either uses stateless autoconfiguration or has a manually configured IPv6 address. On a home network, it's reasonable to assume that stateless autoconfig would be used.
Perhaps stateless autoconfig is reasonable for a small/home network, but it's *not* reasonable for a large campus environment.
The kick in the pants is that Apple is said to have no intention of supporting DHCPv6.
Comments
Offensive? A self-evaluation might be in order here.
(non-directed)
Everyone is so damn "offended" these days. Grow a pair, live your life, and stop dragging everyone else down in the gutter. Enough of this me, me, me crap.
EXCELLENT POINT! I am so tired of people whining about being offended when someone simply states their opinion. Now if someone sets out to offend, then that is different, but difference of opinion should not construe offense.
NAT has also become an important part of the external security diapers that are used to protect Microsoft's Windows. Without a layer of NAT in the router's firewall, a Windows PC would expose all number of unsecured ports to public tampering. A remotely addressable Windows PC on the Internet will almost instantly become infected by malicious probes looking for its wide-open back doors.
WTF? So blame Windows for NAT?
NAT is pretty darned useful for other purposes than just security by obscurity and on networks that just might have unsecured Macs on them too. It's not like we've not seen exploits on Quicktime have we?
but you guys said in a recent article http://www.appleinsider.com/articles...ps.html&page=2
Which also turned out to be silly. Only the login details are sent encrypted, everything else is hanging out there as unencrypted traffic including your email, contacts, iDisk... yet this is apparently not a security issue?
These articles on network security are naïve in the extreme.
EXCELLENT POINT! I am so tired of people whining about being offended when someone simply states their opinion. Now if someone sets out to offend, then that is different, but difference of opinion should not construe offense.
When the article refers to a common (and very valid) security practice as "wearing diapers", I'd say it's fair to assume that the author intended offense. He's essentially calling us babies for implementing things that way.
Not that I took offense, because I'm not going to let an author as uninformed as the writer of this piece to offend me, but I'd be surprised to find out that the author wasn't trying to offend.
Actually you can't have an address containing 255, since that is used as a mask value.
My computer is running right now with the address 172.255.255.10....
I wish people who "think they know something" just kept quiet.
M
When the article refers to a common (and very valid) security practice as "wearing diapers", I'd say it's fair to assume that the author intended offense. He's essentially calling us babies for implementing things that way.
Not that I took offense, because I'm not going to let an author as uninformed as the writer of this piece to offend me, but I'd be surprised to find out that the author wasn't trying to offend.
You really think he was directing criticism of a system at indivual end users? hahahahahahahah
I learned a lot of general IP stuff by reading this.
Thanks!
So it makes sense that you use IPsec when connection authenticity or confidentiality is an issue, but not necessarily all the time.
Plurals don't have apostrophes.
Sorry Mr. H. The possessive case of nouns that form the plural with "s" do have apostrophes. "All the boys' trousers were soiled after the football match."
i'm curious how this would effect many of the content delivery networks out there that are paid big bucks by sites serving rich media to route data on private networks and out of the cloud all together. are they using IPv6 already or would that be a selling point of using one CDN over another?
Sorry Mr. H. The possessive case of nouns that form the plural with "s" do have apostrophes. "All the boys' trousers were soiled after the football match."
You registered just for that?
I don't have room in my signature to be more explicit, but I'm talking about pure plurals. i.e. the plural of "apple" is "apples" not "apple's", the plural of "Mac" is "Macs", not "Mac's" etc. etc. People putting in an apostrophe every damn time they see an "s" at the end of a word drives me nuts!
Edit: huzzah, there's room in the signature after all. 'Tis now fixed
Apple's internal firewall is a joke, so tunneling IPv6 traffic is asking for some serious issues. Safari broswer and OS can fully run IPv6 unlike Windows Vista/IE junk. Oh besides only two or three US ISP vendors currently offer IPv6 services still going to loose performance do to running dual stacks.
What is wrong with Apple's firewall? Do you mean Leopard's application firewall or ipfw/ip6fw?
Vista can certainly "fully run IPv6."
How does running dual-stack make you lose performance? I run dual-stack every day at work, using a production IPv6 environment, and I don't see any performance problems.
When the article refers to a common (and very valid) security practice as "wearing diapers",
NAT is not a security feature. It is an address conservation system. If you want to prevent users from connecting to your machines, then use a firewall. I don't understand why people don't understand this simple concept.
NAT is pretty darned useful for other purposes than just security by obscurity and on networks that just might have unsecured Macs on them too. It's not like we've not seen exploits on Quicktime have we?
NAT is not a security feature, and it will not protect you from the recent QuickTime vulnerabilities. Those were local exploits. If an attacker could trick a user into loading a malicious media file, they could exploit the hole. NAT offers zero protection from this type of attack.
Apple has a few tricks up its sleeve for pushing IPv6 adoption, and many Mac users are already chin deep in the technology without even knowing it.
What? Apple has magic tricks ?
Sure not! Those tricks are basics of the IPv4/IPv6 convergence, written into the various IPv6 standards. IPv6 is out there since years. Real backbone provides provide IPv6 routing since years.
Only USA is slow to pick it up. IPv6 is already commonly deployed in Europe and Far East. The mechanisms built into IPv6 to let IPv6 contact IPv4 and to create automatic tunnels are there, built into many dual-stack routers already. Only the desktop's have not made use of it as most (especially american) ADSL & WLAN routers did not support IPv6.
It is very nice of Apple supporting IPv6 in their Airport family but Apple still brings out brand new devices which have no IPv6 support at all!
([ No IPv6 on iPhone 3G & iPhone]).
So saying Apple is brave doing something brand new is wrong. Apple just does what it has to do and even then only halfhearted.
Yes, but the DNS itself is not doing the background work exclusively.
I don't follow.
Mac OS X does not come with a DHCPv6 client. It either uses stateless autoconfiguration or has a manually configured IPv6 address. On a home network, it's reasonable to assume that stateless autoconfig would be used.
Once you Mac has an IPv6 address, it will try to use it. Namely, it will send DNS queries for AAAA records to any machine you try to connect to (providing that the client software uses v6-aware resolver APIs).
The mechanisms built into IPv6 to let IPv6 contact IPv4 and to create automatic tunnels are there, built into many dual-stack routers already.
What mechanism would that be? I'm not familiar with one. IPv6 and IPv4 are not compatible on the wire. You either need to run dual-stack (give each machines both an IPv4 and an IPv6 address), or use some form of IPv4-to-IPv6 NAT or proxy.
Mac OS X does not come with a DHCPv6 client. It either uses stateless autoconfiguration or has a manually configured IPv6 address. On a home network, it's reasonable to assume that stateless autoconfig would be used.
Perhaps stateless autoconfig is reasonable for a small/home network, but it's *not* reasonable for a large campus environment.
The kick in the pants is that Apple is said to have no intention of supporting DHCPv6.
About a year ago, apple reps were stating that it was unclear "when, or even *whether*, Apple products will contain DHCPv6 clients"
More recently, at the IETF in March, their decision NOT to include DHCPv6 support was stated more clearly.
I'm still looking for the quotation, but apparently, it's in the audio archives.
- Christopher Chin
Perhaps stateless autoconfig is reasonable for a small/home network, but it's *not* reasonable for a large campus environment.
I agree with you. OS X needs DHCPv6 support.
I was responding to the original poster, who seemed confused about the relation between DHCPv6 and DNS.