Date: Sun, 26 May 2013 14:37:21 +1000
Subject: Re: Python Magazine
From: Chris Angelico
To: python-list@python.org
Newsgroups: comp.lang.python
In-Reply-To: <51a18986$0$30002$c3e8da3$5496439d@news.astraweb.com>

On Sun, May 26, 2013 at 2:03 PM, Steven D'Aprano wrote:
> On Sun, 26 May 2013 11:58:09 +1000, Chris Angelico wrote:
>
>> On Sun, May 26, 2013 at 11:54 AM, Roy Smith wrote:
>
>>> Of course not every IPv6 endpoint will be able to talk to every other
>>> IPv6 endpoint, even if they both have globally unique addresses. But,
>>> the access controls will be implemented in firewalls with appropriately
>>> coded security policies. Not as an accident of being behind a NAT box.
>>
>> To be more specific: The control of who can talk to whom is in the hands
>> of the admins of the two endpoints and the nodes in between, rather than
>> being arbitrarily in the hands of the technology. So I would be able to
>> talk to the file server across the street, but only IF its admin lets
>> me.
>
> Or when (not if) you find a vulnerability in the particular firewall.
> Make no mistake: the most secure entry point is the one that isn't there.

Packets have to get somewhere. If they come into this computer, it has
to deliberately forward them to that computer or they won't get there.
Same thing. All it takes is

    # ip6tables -P FORWARD DROP

and you have a "secure unless I specifically permit it" router.
Obviously an attacker can target the router itself (which is exactly
the same as the current situation), but can't attack anything beyond
it without an explicit forwarding rule (which is also exactly the
same).

ChrisA
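The default-deny router the post describes, written out as a complete ruleset (an example added here, not code from the original thread; the interface names and the 2001:db8:: addresses are constructed placeholders). It goes beyond the one-liner to show what the "explicit forwarding rule" for the file server looks like, plus the ICMPv6 allowance without which an IPv6 router does not function:

```shell
#!/bin/sh
# Added example (not from the original thread): the default-deny IPv6 router
# Chris describes, as a complete ip6tables ruleset. Interface names, the
# 2001:db8:: addresses (the documentation prefix) and the file-server
# address are constructed placeholders.
set -eu

IP6T=${IP6T:-ip6tables}     # set IP6T=echo to dry-run: prints rules instead of applying
WAN=${WAN:-eth0}            # upstream interface
LAN=${LAN:-eth1}            # internal network
LAN_PREFIX=2001:db8:1::/64
FILESERVER=2001:db8:1::10   # the one internal host deliberately exposed

apply_rules() {
    # "Secure unless I specifically permit it": nothing is forwarded by
    # default. Set the policy before flushing so there is no open window.
    $IP6T -P FORWARD DROP
    $IP6T -F FORWARD
    # The router itself stays reachable, as the post notes, so lock INPUT down too.
    $IP6T -P INPUT DROP
    $IP6T -F INPUT

    # Replies to connections the inside initiated may come back in.
    $IP6T -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IP6T -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IP6T -A INPUT   -i lo -j ACCEPT

    # Inside hosts may open new connections outward.
    $IP6T -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_PREFIX" -m conntrack --ctstate NEW -j ACCEPT

    # Unlike IPv4, IPv6 does not work without ICMPv6 (neighbour discovery,
    # path MTU discovery), so it must pass even on a default-deny box.
    $IP6T -A FORWARD -p icmpv6 -j ACCEPT
    $IP6T -A INPUT   -p icmpv6 -j ACCEPT

    # The one explicit forwarding rule: "the file server across the street",
    # reachable from outside only on TCP/445 because its admin permitted it.
    $IP6T -A FORWARD -i "$WAN" -o "$LAN" -d "$FILESERVER" -p tcp --dport 445 \
          -m conntrack --ctstate NEW -j ACCEPT

    # Everything else headed past the router falls through to the DROP
    # policy; log it (rate-limited) so denied attempts are visible.
    $IP6T -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ip6 fwd denied: "
}

# Install the rules only when asked (needs root); otherwise just define them.
if [ "${RUN_APPLY:-0}" = 1 ]; then apply_rules; fi
```

Run it with IP6T=echo first to review exactly which rules would be installed before touching a live router.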