[CentOS] IPV4 is nearly depleted, are you ready for IPV6?

Adam Tauno Williams awilliam at whitemice.org
Mon Dec 6 14:42:33 UTC 2010


On Mon, 2010-12-06 at 08:29 -0600, Todd Rinaldo wrote: 
> On Dec 6, 2010, at 5:27 AM, David Sommerseth wrote:
> > On 05/12/10 14:21, Tom H wrote:
> >> On Sun, Dec 5, 2010 at 8:13 AM, RedShift <redshift at pandora.be> wrote:
> >>> On 12/05/10 12:50, Rudi Ahlers wrote:
> >>>> (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Days.htm),
> >>> Haven't switched yet, I have IPv6 at home using sixxs.
> >>> I can't even figure out what address ranges are reserved for 
> >> private use, is there even such a concept in IPv6? 
> >> I think that site-local ("fec0:: - fef::") is the ipv6
> >> more-or-less-equivalent of ipv4 private addresses.
> > Yes, that's correct and it is deprecated.
> > <http://www.ietf.org/rfc/rfc3879.txt>
> > With IPv6 there is plenty of addresses for everyone so you basically use
> > your own assigned official IPv6 address space and setup your own private
> > /64 net and block that subnet in your firewalls.
> > Another thing, there is no NAT and it will not be implemented as we know
> > it in IPv4.  To call NAT a security feature is also a faulty
> > understanding.  As NAT only prevents access from outside to some
> > computer inside a network which is NAT'ed.  This restriction and
> > filtering is the task of the firewall anyway, which does the NAT anyway.
> > NAT basically just breaks a lot of protocols and enforces complex
> > firewalls which needs to understand a lot of different protocols to be
> > able to do things correctly.  Which often do not work as well as it could.
> I've heard this before but it's always confused me. Admittedly I haven't had a 
> chance to look at the spec. If we're saying that everyone's going to have the 
> same private subnet, then we're saying that all the private subnets are going 
> to have to be NAT-ed aren't they?

I'm not sure what is confusing you.  There is *NO PRIVATE SUBNET*; at
least in terms of addressing.  There is no equivalent to 192.168.x.x,
10.x.x.x, ... in IPv6.  There is no need for such a hack.

So "everyone's going to have the same private subnet"?

No - nobody is going to have a private subnet.

"all the private subnets are going to have to be NAT-ed aren't they?"

No - no subnet will be NAT'd.

Privacy is an effect of provisioning, not of addressing.  [Provisioning
as in - you install a firewall].   This has *always* been true.  NAT has
just confused people into *thinking* [incorrectly] that there was a link
[which there was and is *not*] between subnets and "privacy".  Security
is provided by firewalls, which is totally absolutely utterly and
completely separate from NAT (although in IPv4 world NAT and firewall
are typically provided by the same device - that doesn't make two
functions into one function). 

When dealing with IPv6 it is the disambiguation of these two concepts
[firewall and NAT], in the wetware, that is probably the biggest hurdle.
