#IPv6 rocks. Flawless physical migration with only a very minor downtime :-).
Thinking about networks as segregated network segments is just SO MUCH easier; this time around, I went #IPv6only and didn't even bother with setting up IPv4.
@goetz@feld afaik, yes. But I don't use DHCPv6 beyond acting as a client for prefix delegation from the ISP; internally I use SLAAC with the privacy extensions disabled for machines.
This means I just assign and route the /64s I need, and apply changes to the DNS zones, which I manage with the prefixes as a variable.
Then, ofc, firewalls usually have to be checked a tad, but provisioning takes care of the pf macros :-) and of programs that need the IP addresses (like pg_hba to limit hosts).
Honestly, I prefer the same approach AWS uses here with RDS Postgres servers -- pg_hba is configured to allow connections from everywhere, then you just limit access to the database with the firewall. Trying to add source-host-based ACLs for each database on the Postgres instance is kinda stupid.
Yes, in certain cases it can be an overhead, but it really is just layered security. Should something be funky with my firewall, each database can still only be accessed by its allowed hosts, also using authentication.
Of course this depends on the nature of the service, but I'd argue most of the time, the list of hosts that need access to a given database is pretty static and short.
I do prefer adding effective layers of security for little overhead :-).
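As an added illustration of the "prefix as a variable" provisioning and the per-database pg_hba layer described in the posts above (example code, not anything from the thread's authors): one delegated prefix drives the /64 per segment, the pf macros, the AAAA records and the pg_hba entries, so a prefix change regenerates all of them. The prefix, segment layout, hosts, zone name and database access list are constructed placeholder values.

```python
import ipaddress

# Constructed values: a documentation prefix standing in for the ISP-delegated
# one, three segments carved from it, hosts with fixed (non-privacy) interface
# ids, and which hosts each database trusts. None of this comes from the thread.
DELEGATED = "2001:db8:1234::/48"
SEGMENTS = {"db": 1, "app": 2, "mgmt": 3}  # segment name -> subnet id within the /48
HOSTS = {"pg1": ("db", "::1"), "app1": ("app", "::10"),
         "app2": ("app", "::11"), "ops1": ("mgmt", "::20")}  # host -> (segment, iid)
DB_ACCESS = {"shop": ["app1", "app2"], "metrics": ["ops1"]}  # database -> allowed hosts


def segment_networks(delegated=DELEGATED, segments=SEGMENTS):
    """Derive one /64 per segment from the delegated prefix (the 'prefix variable')."""
    base = ipaddress.IPv6Network(delegated)
    # subnet id occupies the 16 bits above the 64-bit interface id
    return {n: ipaddress.IPv6Network((int(base.network_address) + (i << 64), 64))
            for n, i in segments.items()}


def host_addresses(nets=None, hosts=HOSTS):
    """Host address = segment /64 + fixed interface id; same value feeds DNS and pg_hba."""
    nets = segment_networks() if nets is None else nets
    return {h: ipaddress.IPv6Address(int(nets[seg].network_address)
                                     + int(ipaddress.IPv6Address(iid)))
            for h, (seg, iid) in hosts.items()}


def pf_macros(nets=None):
    """pf.conf macros, one per segment, so rules reference names, not literal prefixes."""
    nets = segment_networks() if nets is None else nets
    return [f'{n}_net = "{net}"' for n, net in nets.items()]


def aaaa_records(addrs=None, zone="example.net"):
    """AAAA records regenerated from the same addresses whenever the prefix changes."""
    addrs = host_addresses() if addrs is None else addrs
    return [f"{h}.{zone}. IN AAAA {a}" for h, a in addrs.items()]


def pg_hba_lines(addrs=None, access=DB_ACCESS, method="scram-sha-256"):
    """One pg_hba.conf entry per (database, allowed host): the second layer behind
    the firewall, instead of a single 'host all all ::/0' line that trusts it alone."""
    addrs = host_addresses() if addrs is None else addrs
    return [f"host {db} all {addrs[h]}/128 {method}"
            for db, hosts in access.items() for h in hosts]


if __name__ == "__main__":
    for line in pf_macros() + aaaa_records() + pg_hba_lines():
        print(line)
```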