[CentOS] IPV4 is nearly depleted, are you ready for IPV6?

Bob McConnell rmcconne at lightlink.com
Tue Dec 7 15:14:32 UTC 2010


Adam Tauno Williams wrote:
> On Mon, 2010-12-06 at 17:15 -0500, Bob McConnell wrote: 
>>> So, spending one or two or 100s /64 subnets with public IPv6 addresses
>>> which is completely blocked in a firewall will serve exactly the same
>>> purpose as a site-local subnet.  But this /64 net may get access to the
>>> Internet *if* allowed by the firewall.  This is not possible with
>>> site-local at all.  And of course, this is without NAT in addition.
>>> I hope this made it a little bit clearer.
>> Clear as mud. If I understand you correctly, I have to say that IPv6 is 
>> broken by design.
> 
> It isn't.
> 
>> I have a double handful of computers on my home 
>> network. Each of them needs access to the Internet to get updates to the 
>> OS and various applications. However, I do *NOT* want each and every one 
>> of them to show up as a unique address outside of my network.
> 
> Why?  Things will only work better.  NAT is not some magic sauce, it is
> a *HACK*.
> 
>> With IP4 
>> and m0n0wall running as the NAT, they are all translated to the single 
>> IP address that Roadrunner assigned to my Firewall. I need to continue 
>> that mapping. 
> 
> Why?  There is no reason.  You are wrong, you do *NOT* need to "continue
> that mapping".  That mapping is pointless.

No, it is not pointless. The first step in attacking any computer is 
finding the IP address. If that address is broadcast outside the 
firewall every time it talks to another computer, that step is simple. 
If it is hidden behind a firewall that does NAT, it becomes harder to 
find and that first step becomes much more difficult.

Currently, the only IP address transmitted outside my firewall is the 
one assigned to that firewall by the Roadrunner DHCP server. None of the 
addresses inside are exposed. That is a level of protection I am not 
prepared to give up. I don't care how much you evangelists blab about 
the new improved sauce, I still see it as a solution in search of a 
problem. As far as I am concerned, NAT already solved the address space 
problem.

Bob McConnell
N2SPP



More information about the CentOS mailing list