[CentOS] IPV4 is nearly depleted, are you ready for IPV6?

David Sommerseth dazo at users.sourceforge.net
Mon Dec 6 14:59:05 UTC 2010


On 06/12/10 15:29, Todd Rinaldo wrote:
> 
> On Dec 6, 2010, at 5:27 AM, David Sommerseth wrote:
> 
>> On 05/12/10 14:21, Tom H wrote:
>>> On Sun, Dec 5, 2010 at 8:13 AM, RedShift <redshift at pandora.be> wrote:
>>>> On 12/05/10 12:50, Rudi Ahlers wrote:
>>>>>
>>>>> (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Days.htm),
>>>>
>>>> Haven't switched yet, I have IPv6 at home using sixxs.
>>>>
>>>> I can't even figure out what address ranges are reserved for private use, is there even such a concept in IPv6?
>>>
>>> I think that site-local ("fec0:: - fef::") is the ipv6
>>> more-or-less-equivalent of ipv4 private addresses.
>>
>> Yes, that's correct and it is deprecated.
>> <http://www.ietf.org/rfc/rfc3879.txt>
>>
>> With IPv6 there is plenty of addresses for everyone so you basically use
>> your own assigned official IPv6 address space and setup your own private
>> /64 net and block that subnet in your firewalls.
>>
>> Another thing, there is no NAT and it will not be implemented as we know
>> it in IPv4.  To call NAT a security feature is also a faulty
>> understanding.  As NAT only prevents access from outside to some
>> computer inside a network which is NAT'ed.  This restriction and
>> filtering is the task of the firewall anyway, which does the NAT anyway.
>>
>> NAT basically just breaks a lot of protocols and enforces complex
>> firewalls which needs to understand a lot of different protocols to be
>> able to do things correctly.  Which often do not work as well as it could.
>>
> 
> I've heard this before but It's always confused me. Admittedly I
> haven't had a chance to look at the spec. If we're saying that
> everyone's going to have the same private subnet, then we're saying
> that all the private subnets are going to have to be NAT-ed
> aren't they?

This can be a bit confusing, especially if you see this with "IPv4
eyes".  In IPv6, it basically is no such things as a private subnet (range).

When you contact your ISP to get a IPv6 subnet, they will most probably
give you a /48 network.  That means you will have a IPv6 prefix which is
unique.  That is a reference to all _your_ IPv6 networks.

Then you will normally segment this /48 subnet into more /64 networks.
A /48 subnet gives you 65536 /64 networks.  So the IPv6 prefix will be
something like:

   aaaa:aaaa:aaaa:bbbb::/64

the 'aaaa:aaaa:aaaa' part is the prefix your ISP will provide you, and
this is the first 48bits of the IPv6 address.  The 'bbbb' part is up to
you to decide what will be, and that's the next 16 bits of the address
scope.  So 48 + 16 = 64 bits.   And 2^16 = 65536.

And this is all you need to know about IPv6 addressing.  Really!  That's
it.  No network addresses, no broadcast addresses.  Just pure usable
IPv6 addresses.

(You may of course make even more subnets below /64, but that's usually
not recommended at - especially with auto-configured networks)

So then ... the next phase.  As everyone who gets a /48 nets should have
it flexible enough to setup private networks, the firewall just needs to
block completely in-going traffic to a /64 net defined by the admins as
private.  It can further be decided if this /64 net should have access
to IPv6 addresses outside this local network.  Again this is just a
firewall rule and nothing more - allow or reject/drop.

And then, the former proposed site-local subnet makes pretty much no
sense, as IPv6 does not support NAT.  As this network would not be able
to communicate across a router/firewall.  This subnet (fec0:: - fef::)
should not be routed anywhere.  And without NAT, it can't escape the
subnet at all anyway.

So, spending one or two or 100s /64 subnets with public IPv6 addresses
which is completely blocked in a firewall will serve exactly the same
purpose as a site-local subnet.  But this /64 net may get access to the
Internet *if* allowed by the firewall.  This is not possible with
site-local at all.  And of course, this is without NAT in addition.

I hope this made it a little bit clearer.


kind regards,

David Sommerseth




More information about the CentOS mailing list