On Mon, Dec 6, 2010 at 5:15 PM, Bob McConnell rmcconne@lightlink.com wrote:
David Sommerseth wrote:
On 06/12/10 15:29, Todd Rinaldo wrote:
On Dec 6, 2010, at 5:27 AM, David Sommerseth wrote:
On 05/12/10 14:21, Tom H wrote:
On Sun, Dec 5, 2010 at 8:13 AM, RedShift redshift@pandora.be wrote:
On 12/05/10 12:50, Rudi Ahlers wrote:
> (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Day...)
Haven't switched yet, I have IPv6 at home using sixxs.
I can't even figure out what address ranges are reserved for private use, is there even such a concept in IPv6?
I think that site-local ("fec0:: - fef::") is the IPv6 more-or-less-equivalent of IPv4 private addresses.
Yes, that's correct, and it is deprecated: http://www.ietf.org/rfc/rfc3879.txt
With IPv6 there are plenty of addresses for everyone, so you basically use your own assigned official IPv6 address space, set up your own private /64 net and block that subnet in your firewalls.
Another thing: there is no NAT, and it will not be implemented as we know it in IPv4. To call NAT a security feature is also a faulty understanding, as NAT only prevents access from outside to some computer inside a network which is NAT'ed. This restriction and filtering is the task of the firewall, which does the NAT anyway.
NAT basically just breaks a lot of protocols and enforces complex firewalls which need to understand a lot of different protocols to be able to do things correctly, which often does not work as well as it could.
I've heard this before but it's always confused me. Admittedly I haven't had a chance to look at the spec. If we're saying that everyone's going to have the same private subnet, then we're saying that all the private subnets are going to have to be NAT-ed, aren't they?
This can be a bit confusing, especially if you see this with "IPv4 eyes". In IPv6, there is basically no such thing as a private subnet (range).
When you contact your ISP to get an IPv6 subnet, they will most probably give you a /48 network. That means you will have an IPv6 prefix which is unique. That is a reference to all _your_ IPv6 networks.
Then you will normally segment this /48 subnet into multiple /64 networks. A /48 subnet gives you 65536 /64 networks. So the IPv6 prefix will be something like:
aaaa:aaaa:aaaa:bbbb::/64
The 'aaaa:aaaa:aaaa' part is the prefix your ISP will provide you, and this is the first 48 bits of the IPv6 address. The 'bbbb' part is up to you to decide, and that's the next 16 bits of the address scope. So 48 + 16 = 64 bits, and 2^16 = 65536.
And this is all you need to know about IPv6 addressing. Really! That's it. No network addresses, no broadcast addresses. Just pure usable IPv6 addresses.
(You may of course make even more subnets below /64, but that's usually not recommended, especially with auto-configured networks.)
So then ... the next phase. As everyone who gets a /48 net should have it flexible enough to set up private networks, the firewall just needs to completely block incoming traffic to a /64 net defined by the admins as private. It can further be decided if this /64 net should have access to IPv6 addresses outside this local network. Again, this is just a firewall rule and nothing more: allow or reject/drop.
And then the formerly proposed site-local subnet makes pretty much no sense, as IPv6 does not support NAT, and this network would not be able to communicate across a router/firewall. This subnet (fec0:: - fef::) should not be routed anywhere, and without NAT it can't escape the subnet at all anyway.
So, spending one, two or hundreds of /64 subnets with public IPv6 addresses which are completely blocked in a firewall will serve exactly the same purpose as a site-local subnet. But this /64 net may get access to the Internet *if* allowed by the firewall. This is not possible with site-local at all. And of course, all of this is without NAT.
I hope this made it a little bit clearer.
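The addressing arithmetic and the "it's just a firewall rule" point from David's post above, as an added example that is not part of the thread: the script carves the placeholder /48 prefix `aaaa:aaaa:aaaa::/48` from the post into /64 networks by index (the 'bbbb' field), checks whether an address falls in the deprecated site-local range, and models the per-/64 policy (drop everything inbound to the admin-designated private /64, allow or drop its outbound traffic by a single flag) as plain logic. The prefix, the subnet index, the `firewall_verdict` function and the sample addresses are all assumptions of this example, not anything the list members wrote.

```python
# Added example, not from the thread: IPv6 /48 -> /64 carving and a toy
# "private /64" firewall policy, using only the standard library.
import ipaddress

# Placeholder prefix taken from the post; an ISP would hand out a real one.
ISP_PREFIX = ipaddress.IPv6Network("aaaa:aaaa:aaaa::/48")


def subnet_count(prefix, new_prefixlen=64):
    """Number of new_prefixlen networks inside prefix: 2^(64-48) = 65536 for a /48."""
    if new_prefixlen < prefix.prefixlen:
        raise ValueError("new prefix must be at least as long as the parent prefix")
    return 2 ** (new_prefixlen - prefix.prefixlen)


def pick_subnet(prefix, index, new_prefixlen=64):
    """Return the index-th /64 under prefix; for a /48 the index is the 'bbbb' field."""
    if not 0 <= index < subnet_count(prefix, new_prefixlen):
        raise ValueError("subnet index out of range for this prefix")
    base = int(prefix.network_address)
    shift = 128 - new_prefixlen          # position of the subnet id within the 128-bit address
    net_addr = ipaddress.IPv6Address(base + (index << shift))
    return ipaddress.IPv6Network(f"{net_addr}/{new_prefixlen}")


def is_deprecated_site_local(addr):
    """True if addr lies in fec0::/10, the site-local range deprecated by RFC 3879."""
    return ipaddress.IPv6Address(addr).is_site_local


def firewall_verdict(src, dst, direction, private_net, allow_outbound):
    """Toy stateless policy for one admin-designated private /64 (assumed model).

    direction is "in" (arriving from outside the site) or "out" (leaving it).
    Real firewalls track connections so replies to permitted outbound flows
    are accepted; this model deliberately ignores that to show the bare rule.
    """
    src_ip = ipaddress.IPv6Address(src)
    dst_ip = ipaddress.IPv6Address(dst)
    if direction == "in" and dst_ip in private_net:
        return "drop"                          # block all incoming traffic to the private /64
    if direction == "out" and src_ip in private_net:
        return "accept" if allow_outbound else "drop"
    return "accept"                            # everything else is outside this rule's scope


if __name__ == "__main__":
    private = pick_subnet(ISP_PREFIX, 0xBBBB)  # -> aaaa:aaaa:aaaa:bbbb::/64
    print(subnet_count(ISP_PREFIX), "x /64 networks in", ISP_PREFIX)
    print("private /64:", private)
    print("fec0::1 site-local (deprecated)?", is_deprecated_site_local("fec0::1"))
    # Constructed sample traffic: an outside host probing the private net, and a reply path.
    print(firewall_verdict("2001:db8::1", str(private[16]), "in", private, True))
    print(firewall_verdict(str(private[16]), "2001:db8::1", "out", private, False))
```

The verdict function is intentionally stateless so that the rule reads exactly as the post describes it (allow or reject/drop on the /64); a production ruleset would add connection tracking for return traffic and ICMPv6 exemptions, which are outside the thread's point.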
Clear as mud. If I understand you correctly, I have to say that IPv6 is broken by design. I have a double handful of computers on my home network. Each of them needs access to the Internet to get updates to the OS and various applications. However, I do *NOT* want each and every one of them to show up as a unique address outside of my network. With IPv4 and m0n0wall running as the NAT, they are all translated to the single IP address that Roadrunner assigned to my firewall. I need to continue that mapping. If IPv6 cannot do that, then I hope Time-Warner continues to ignore it and stays with their current address structure.
Bob McConnell N2SPP
IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect was hiding the internal IPv4 address, which complicates a number of protocols like FTP and SIP. The only downside I see is ISPs could try and charge based on the number of IPv6 addresses being used.
Ryan