[GTALUG] NAT [was Re: Linux hardening question]

D. Hugh Redelmeier hugh at mimosa.com
Mon Jul 3 01:44:52 EDT 2017


| From: James Knott via talk <talk at gtalug.org>

| On 07/02/2017 10:29 AM, D. Hugh Redelmeier via talk wrote:

| > I'm not sure why I don't get IPv6 from Rogers.  I intend to look into
| > that -- probably I've misconfigured something on my gateway (a PC
| > running CentOS 7; the cable modem is running in bridge mode).
| 
| Call Rogers.  IPv6 is available to everyone, but some modems may have to
| be replaced.  If you use a separate router, it has to support DHCPv6-PD,
| as that's how the prefix is assigned.  I use a refurb computer running
| pfSense.

I just assume that dhclient knows how to do this.  But I'll have to
look into it.

My service is new (a month or two) and so my modem must be up to date.
I'm just using it as a modem, not a router.

Anyway, my starting point is seeing if my system is doing anything
wrong before I ask Rogers.

| BTW, when I got a new modem, a little over a year ago, it was part of a
| bundle that, while providing pretty much the same service, cost me about
| $50 less per month.

Rogers and Bell are or were in a competitive spasm.  I get a gigabit
internet and modest cable TV for $100/month on a two year contract.

Bell offered a similar contract but there is no Fibre To The Home in
my neighbourhood.  Service is limited to VDSL2 at 50 megabits.

The competition seemed to have lessened at the moment.  Bell offers a
2 year contract with a good price for the first year.  The ads are
worded misleadingly so you won't notice that the second year is twice
as expensive.

In any case, neither Bell nor Rogers knows how to route my IP addresses
into my home so I have to use a third party ISP that uses Bell's last
mile.  (I want two connections but only one routes my IPs.)

| > My IPv4 /24 is globally assigned.  That's not going to happen with
| > IPv6.
| 
| Actually it does.  I have no problem reaching computers on my LAN when
| I'm elsewhere.  With Rogers you can have a /64 to /56 all to yourself
| and they are all globally unique and reachable from anywhere in the world.

By "Globally assigned" I meant "Assigned to me directly by (the
precursor to) ARIN".  That makes it portable: I can keep the IP
addresses when I move between service providers.

Globally Routable addresses are now assigned by a process like
feudalism: IANA gives addresses to RIPE, ARIN, etc.
Internet companies on the backbone get addresses from RIPE, ARIN, etc
(depending on their geographic location).
ISPs get subassignments from their upstream providers.  Apply this
last rule recursively.

So if you, an edge user, get IP addresses, they are not yours but are
merely loaned to you by upstream.

If your system has multiple internet connections and your upstreams
are willing to support this, perhaps you can get your own addresses
assigned (and an ASN -- something I don't have).

The smallest global assignment of IPv4 addresses is /24 (256
addresses).  This is to reduce the size of the routing tables in core
routers.  They even grumble about /24 being too small and
burdensome.

I don't know about IPv6.

| BTW, with the Rogers modem/routers in router mode, you only get a /64.
| With a separate router, you can select any prefix size, between /64
| (2^64 addresses) and /56 (2^72).

I did not know that.

| > I think that it is even worse that we don't use DNSSec.  The security
| > implications of not securing DNS seem enormous.
| 
| As I understand it, that's coming.  In another thread (possibly openSUSE
| list) I was discussing SMTP ports.  One person was claiming only port 25
| was required, with StartTLS, but due to security concerns, the move to
| full TLS & DNSSec is recommended.

Secure flows require encryption AND authentication.  Email mostly
seems to travel over encrypted paths but the authentication appears to
be dodgy.  My nodes just have self-signed certificates and that seems
to work.

DNSSec could provide better authentication, with the right convention.
There surely are such conventions but I'm not versed in them.

But DNSSec is able to prevent all spoofing of DNS.  Except by someone
who can subvert the root.

| Back in the early days, it wasn't hard to get multiple addresses.

Do you mean /24 from ARIN or something smaller from your upstream?

| Back in the dial up days, I originally had a static address,
| but one of the reasons for ISPs moving to dynamic addresses was to free
| them up, when someone disconnected.

Having a static IP address for an intermittent connection wasn't too
important.

Broadband for the masses, from Bell and Rogers, was meant for
consumers.  Static IP addresses were used for price discrimination:
organizations that wanted static IP addresses had to pay a lot more
even though it cost Bell and Rogers almost nothing.  Remember: since
broadband connections were essentially always on, they always used one
IP address.

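As an added illustration of the DNSSec point above (example code written for this archive page, not from either poster): the only DNSSEC outcome a stub resolver sees is the AD (Authenticated Data) bit in the response header, and it is the upstream validating resolver's assertion, so it is only as trustworthy as the path to that resolver. The header bytes below are constructed samples, not captured traffic.

```python
import struct
from dataclasses import dataclass

# Bit positions inside the 16-bit flags word of a DNS header (RFC 1035; AD/CD from RFC 4035).
_FLAG_BITS = {"qr": 15, "aa": 10, "tc": 9, "rd": 8, "ra": 7, "ad": 5, "cd": 4}


@dataclass
class DnsHeader:
    txid: int
    flags: dict
    rcode: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int


def parse_header(packet: bytes) -> DnsHeader:
    """Decode the fixed 12-byte header at the start of a DNS message."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flagword, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    flags = {name: bool((flagword >> bit) & 1) for name, bit in _FLAG_BITS.items()}
    return DnsHeader(txid, flags, flagword & 0x0F, qd, an, ns, ar)


def validated_by_resolver(packet: bytes) -> bool:
    """True only for a NOERROR response on which the resolver set AD.

    Limits: AD is set by the validating resolver and travels unprotected to
    the stub, so it means nothing unless that resolver and the path to it are
    trusted.  A query sent with CD (Checking Disabled) asked for no
    validation, so AD on such a reply is not treated as a guarantee either.
    """
    h = parse_header(packet)
    return h.flags["qr"] and h.rcode == 0 and h.flags["ad"] and not h.flags["cd"]


def _header(flagword: int, txid: int = 0x1234) -> bytes:
    # Constructed header: one question, one answer, no authority/additional records.
    return struct.pack("!HHHHHH", txid, flagword, 1, 1, 0, 0)


# Constructed sample responses (flag word spelled out in the comment):
VALIDATED = _header(0x81A0)    # QR RD RA AD, RCODE=0: resolver validated the data
UNVALIDATED = _header(0x8180)  # QR RD RA, no AD: unsigned zone or non-validating resolver
SERVFAIL = _header(0x8182)     # QR RD RA, RCODE=2: what a validator returns for bogus data
CD_SET = _header(0x8190)       # QR RD RA CD: stub asked the resolver not to validate
```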