Seeing as IPv4 is near its end of life (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Day...), I'm curious to know whether everyone is ready for the changeover to IPv6?
Is anyone using it in production already, and what are your experiences with it?
Hi,
On Sun, 2010-12-05 at 13:50 +0200, Rudi Ahlers wrote:
I have a dual-stack (IPv4/IPv6) ADSL connection at home and all my machines are IPv6 connected, some in combination with IPv4, but I have a few IPv6-only machines. My mail and some websites are addressable over IPv6.
Is this really production? Well, sort of :)
Regards,
Michel
On 12/05/10 12:50, Rudi Ahlers wrote:
Haven't switched yet; I have IPv6 at home using sixxs.
IMO the slow adoption is caused by the complexity IPv6 brings. They should have just modified IP to use 128-bit addresses and left the rest as is. For example, what is the use of a link-scoped IPv6 address? Why would you want to assign an IP address to yourself that's of no use at all? I can't even figure out what address ranges are reserved for private use; is there even such a concept in IPv6? I know that IPv6 is supposed to allow every address to be publicly routable, but having your computers in private ranges and using NAT has big advantages for security. And what about this arbitrarily chosen /64 subnet? So we're returning to classful routing? A provider won't be able to purchase a subnet greater than /64 from, for example, RIPE? Stateless auto-configuration is a useless feature, just like APIPA. I much prefer DHCP, and thankfully it still exists for v6.
Glenn
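Glenn's post mentions link-local addresses and stateless autoconfiguration. As an added example (not code from the thread or from CentOS), the Python below shows how a host derives its interface identifier from its MAC address under modified EUI-64 (RFC 4291, Appendix A) and uses that identifier both for the fe80::/64 link-local address, which is what Neighbor Discovery and router advertisements are exchanged over, and for any global /64 a router advertises. The MAC address 00:11:22:33:44:55 and the 2001:db8:1:10::/64 prefix are constructed for the example (documentation range).

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291, Appendix A):
    the MAC is split in two, 0xfffe is inserted in the middle, and the
    universal/local bit (0x02 of the first octet) is inverted."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host autoconfigures for itself on a /64 prefix when it uses
    EUI-64 interface identifiers (classic SLAAC behaviour)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 identifiers needs a /64 prefix")
    return net.network_address + eui64_interface_id(mac)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The fe80::/64 address every IPv6 interface configures for itself."""
    return slaac_address("fe80::/64", mac)


def interface_id(addr) -> int:
    """Low 64 bits of an address: the part SLAAC derives from the hardware."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                       # constructed MAC for the example
    ll = link_local_address(mac)
    glob = slaac_address("2001:db8:1:10::/64", mac)  # constructed prefix (documentation range)
    print(ll, glob)
    # The identifier does not change with the prefix, so both addresses name the same host.
    assert interface_id(ll) == interface_id(glob)
```

The last function makes the tracking consequence visible: with EUI-64 identifiers the low 64 bits are identical under every prefix the host ever sees, so an autoconfigured host is recognisable wherever it connects.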
On Sun, Dec 5, 2010 at 8:13 AM, RedShift redshift@pandora.be wrote:
I can't even figure out what address ranges are reserved for private use, is there even such a concept in IPv6?
I think that site-local ("fec0:: - fef::") is the ipv6 more-or-less-equivalent of ipv4 private addresses.
On Sun, Dec 05, 2010 at 08:21:49AM -0500, Tom H wrote:
I think that site-local ("fec0:: - fef::") is the ipv6 more-or-less-equivalent of ipv4 private addresses.
fec0::/48 is site local; it'll never be routed to the internet.
I found http://www.litech.org/~jeff/private/ipv6primer/html/ very useful as a learning resource. I probably need to reread it again :-)
FWIW, I have a netbook (Windows 7) which does something interesting. I bring it up because it is something that may be applicable to CentOS. There is a tunneling pseudo-interface which is only IPv6; it has two addresses, the IPv6 address and a link-local IPv6 address. The hardware interfaces also have two addresses, an IPv6 link-local back to the tunnel, and an IPv4 address given by the router. However, I am not sure that this is efficient for anything other than a light-use personal machine, and unfortunately I'm not sure what happens when it is connected to an IPv6 router! ): Attached is a screen shot since I'm not sure that my description did it justice.
Rob
On 05/12/10 14:21, Tom H wrote:
I think that site-local ("fec0:: - fef::") is the ipv6 more-or-less-equivalent of ipv4 private addresses.
Yes, that's correct, and it is deprecated: http://www.ietf.org/rfc/rfc3879.txt
With IPv6 there are plenty of addresses for everyone, so you basically use your own officially assigned IPv6 address space, set up your own private /64 net and block that subnet in your firewalls.
Another thing: there is no NAT, and it will not be implemented as we know it in IPv4. To call NAT a security feature is also a faulty understanding, as NAT only prevents access from outside to some computer inside a NAT'ed network. This restriction and filtering is the task of the firewall anyway, which is what does the NAT anyway.
NAT basically just breaks a lot of protocols and forces complex firewalls which need to understand a lot of different protocols to do things correctly, and which often do not work as well as they could.
kind regards,
David Sommerseth
On Dec 6, 2010, at 5:27 AM, David Sommerseth wrote:
I've heard this before but it's always confused me. Admittedly I haven't had a chance to look at the spec. If we're saying that everyone's going to have the same private subnet, then we're saying that all the private subnets are going to have to be NAT-ed, aren't they?
On Mon, 2010-12-06 at 08:29 -0600, Todd Rinaldo wrote:
I'm not sure what is confusing you. There is *NO PRIVATE SUBNET*; at least in terms of addressing. There is no equivalent to 192.168.x.x, 10.x.x.x, ... in IPv6. There is no need for such a hack.
So "everyone's going to have the same private subnet"?
No - nobody is going to have a private subnet.
"all the private subnets are going to have to be NAT-ed aren't they?"
No - no subnet will be NAT'd.
Privacy is an effect of provisioning, not of addressing. [Provisioning as in: you install a firewall.] This has *always* been true. NAT has just confused people into *thinking* [incorrectly] that there was a link [which there was and is *not*] between subnets and "privacy". Security is provided by firewalls, which are totally, absolutely, utterly and completely separate from NAT (although in the IPv4 world NAT and firewall are typically provided by the same device; that doesn't make two functions into one function).
When dealing with IPv6 it is the disambiguation of these two concepts [firewall and NAT], in the wetware, that is probably the biggest hurdle.
On 06/12/10 15:29, Todd Rinaldo wrote:
I've heard this before but it's always confused me. Admittedly I haven't had a chance to look at the spec. If we're saying that everyone's going to have the same private subnet, then we're saying that all the private subnets are going to have to be NAT-ed, aren't they?
This can be a bit confusing, especially if you see this with "IPv4 eyes". In IPv6, there is basically no such thing as a private subnet (range).
When you contact your ISP to get an IPv6 subnet, they will most probably give you a /48 network. That means you will have an IPv6 prefix which is unique. That is a reference to all _your_ IPv6 networks.
Then you will normally segment this /48 subnet into multiple /64 networks. A /48 subnet gives you 65536 /64 networks. So the IPv6 prefix will be something like:
aaaa:aaaa:aaaa:bbbb::/64
The 'aaaa:aaaa:aaaa' part is the prefix your ISP will provide you, and this is the first 48 bits of the IPv6 address. The 'bbbb' part is up to you to decide, and that's the next 16 bits of the address. So 48 + 16 = 64 bits, and 2^16 = 65536.
And this is all you need to know about IPv6 addressing. Really! That's it. No network addresses, no broadcast addresses. Just pure usable IPv6 addresses.
(You may of course make even more subnets below /64, but that's usually not recommended, especially with auto-configured networks.)
So then ... the next phase. As everyone who gets a /48 net should have it flexible enough to set up private networks, the firewall just needs to completely block incoming traffic to a /64 net defined by the admins as private. It can further be decided whether this /64 net should have access to IPv6 addresses outside this local network. Again, this is just a firewall rule and nothing more: allow or reject/drop.
And then the formerly proposed site-local subnet makes pretty much no sense, as IPv6 does not support NAT and this network would not be able to communicate across a router/firewall. This subnet (fec0:: - fef::) should not be routed anywhere, and without NAT it can't escape the subnet at all anyway.
So spending one, two or hundreds of /64 subnets with public IPv6 addresses which are completely blocked in a firewall will serve exactly the same purpose as a site-local subnet. But such a /64 net may get access to the Internet *if* allowed by the firewall. This is not possible with site-local at all. And of course, this is without NAT in addition.
I hope this made it a little bit clearer.
kind regards,
David Sommerseth
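The reply above that insists there is no private subnet, and David's walk-through of the /48, both reduce the question to a filtering policy on globally unique addresses: carve /64s out of the site's /48, designate some as private, and decide per rule what may enter or leave them, with nothing rewritten. The Python below is an added example, not code from the thread or from CentOS. It computes the 'bbbb' /64 for a given index, models the router's FORWARD decision with a small connection table standing in for conntrack (keyed on the address pair only, without protocol or ports), and emits the equivalent ip6tables rules. The 2001:db8:abcd::/48 site prefix and all host addresses are constructed for the example (documentation range).

```python
import ipaddress

# Constructed for the example: the 'aaaa:aaaa:aaaa' part the ISP hands out (documentation prefix).
SITE = ipaddress.IPv6Network("2001:db8:abcd::/48")


def site_subnet(site: ipaddress.IPv6Network, index: int) -> ipaddress.IPv6Network:
    """The index-th /64 inside a /48 site prefix: 'bbbb' in aaaa:aaaa:aaaa:bbbb::/64.
    Bits 48..63 of the address hold the subnet id, so the index is shifted past
    the 64-bit interface identifier."""
    if site.prefixlen != 48:
        raise ValueError("expected a /48 site prefix")
    if not 0 <= index < 2 ** 16:
        raise ValueError("a /48 holds exactly 65536 /64 networks")
    return ipaddress.IPv6Network((int(site.network_address) | (index << 64), 64))


class Firewall:
    """Router policy for the site. Addresses are never rewritten; 'private' /64s
    differ from the others only in what this policy lets through."""

    def __init__(self, site, private_indexes, private_may_reach_outside=False):
        self.site = site
        self.private = [site_subnet(site, i) for i in private_indexes]
        self.allow_out = private_may_reach_outside
        # Stand-in for conntrack: (initiator, responder) pairs of accepted flows.
        # Real state tracking also keys on protocol and ports; this shows only the idea.
        self.flows = set()

    def _is_private(self, addr):
        return any(addr in net for net in self.private)

    def forward(self, src: str, dst: str) -> str:
        """Decision for one packet crossing the router (the FORWARD chain)."""
        src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
        if (dst, src) in self.flows:
            return "ACCEPT"   # reply inside a flow we already accepted (ESTABLISHED)
        if self._is_private(dst) and src not in self.site:
            return "DROP"     # nothing outside the site may initiate into a private /64
        if self._is_private(src) and dst not in self.site and not self.allow_out:
            return "DROP"     # private /64 kept off the Internet by policy, not by NAT
        self.flows.add((src, dst))
        return "ACCEPT"


def ip6tables_rules(fw: Firewall) -> list:
    """The same policy as FORWARD-chain rules for a CentOS router. There is no
    MASQUERADE or SNAT anywhere: filtering is the whole job."""
    rules = ["ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for net in fw.private:
        rules.append(f"ip6tables -A FORWARD -d {net} ! -s {fw.site} -m state --state NEW -j DROP")
        if not fw.allow_out:
            rules.append(f"ip6tables -A FORWARD -s {net} ! -d {fw.site} -j DROP")
    return rules


if __name__ == "__main__":
    fw = Firewall(SITE, private_indexes=[0x10])   # 2001:db8:abcd:10::/64 is the 'private' net
    print(fw.forward("2001:db8::1", "2001:db8:abcd:10::1"))          # DROP: unsolicited, from outside
    print(fw.forward("2001:db8:abcd:10::1", "2001:db8:abcd:1::53"))  # ACCEPT: another /64 of the site
    print(fw.forward("2001:db8:abcd:1::53", "2001:db8:abcd:10::1"))  # ACCEPT: reply within that flow
    for rule in ip6tables_rules(fw):
        print(rule)
```

Flipping `private_may_reach_outside` to True is the only change needed to let the private /64 reach the Internet while still refusing unsolicited inbound connections, which is exactly the distinction between a firewall rule and address translation that the two replies are making.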
David Sommerseth wrote:
I hope this made it a little bit clearer.
Clear as mud. If I understand you correctly, I have to say that IPv6 is broken by design. I have a double handful of computers on my home network. Each of them needs access to the Internet to get updates to the OS and various applications. However, I do *NOT* want each and every one of them to show up as a unique address outside of my network. With IPv4 and m0n0wall running as the NAT, they are all translated to the single IP address that Roadrunner assigned to my firewall. I need to continue that mapping. If IPv6 cannot do that, then I hope Time-Warner continues to ignore it and stays with their current address structure.
Bob McConnell N2SPP
On Mon, Dec 6, 2010 at 5:15 PM, Bob McConnell rmcconne@lightlink.com wrote:
IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect was hiding the internal IPv4 address, which complicates a number of protocols like FTP and SIP. The only downside I see is ISPs could try and charge based on the number of IPv6 addresses being used.
Ryan
On 12/6/10 4:40 PM, Ryan Wagoner wrote:
There should be plenty of addresses so the ISPs wouldn't have to charge much. I'm just wondering how routers are going to deal with the size of the route tables if they are not very carefully organized.
Ryan Wagoner wrote:
IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect was hiding the internal IPv4 address, which complicates a number of protocols like FTP and SIP. The only downside I see is ISPs could try and charge based on the number of IPv6 addresses being used.
No, the downside is that each address used will be exposed to the world. I consider that a serious security flaw. Having my ISP know how many computers I have is a minor issue covered by the contract I have with them. But having all of those addresses exposed to Russian mobsters, terrorists, crackers and everyone else that knows how to capture packets is another matter altogether. If IPv6 exposes that information to the world, it is definitely unsafe to use.
Bob McConnell N2SPP
On Mon, Dec 6, 2010 at 6:28 PM, Bob McConnell rmcconne@lightlink.com wrote:
Ryan Wagoner wrote:
On Mon, Dec 6, 2010 at 5:15 PM, Bob McConnell rmcconne@lightlink.com wrote:
David Sommerseth wrote:
On 06/12/10 15:29, Todd Rinaldo wrote:
On Dec 6, 2010, at 5:27 AM, David Sommerseth wrote:
On 05/12/10 14:21, Tom H wrote: > On Sun, Dec 5, 2010 at 8:13 AM, RedShift redshift@pandora.be wrote: >> On 12/05/10 12:50, Rudi Ahlers wrote: >>> (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Day...), >> Haven't switched yet, I have IPv6 at home using sixxs. >> >> I can't even figure out what address ranges are reserved for private use, is there even such a concept in IPv6? > I think that site-local ("fec0:: - fef::") is the ipv6 > more-or-less-equivalent of ipv4 private addresses. Yes, that's correct and it is deprecated. http://www.ietf.org/rfc/rfc3879.txt
With IPv6 there is plenty of addresses for everyone so you basically use your own assigned official IPv6 address space and setup your own private /64 net and block that subnet in your firewalls.
Another thing, there is no NAT and it will not be implemented as we know it in IPv4. To call NAT a security feature is also a faulty understanding. As NAT only prevents access from outside to some computer inside a network which is NAT'ed. This restriction and filtering is the task of the firewall anyway, which does the NAT anyway.
NAT basically just breaks a lot of protocols and enforces complex firewalls which needs to understand a lot of different protocols to be able to do things correctly. Which often do not work as well as it could.
I've heard this before but It's always confused me. Admittedly I haven't had a chance to look at the spec. If we're saying that everyone's going to have the same private subnet, then we're saying that all the private subnets are going to have to be NAT-ed aren't they?
This can be a bit confusing, especially if you see this with "IPv4 eyes". In IPv6, it basically is no such things as a private subnet (range).
When you contact your ISP to get a IPv6 subnet, they will most probably give you a /48 network. That means you will have a IPv6 prefix which is unique. That is a reference to all _your_ IPv6 networks.
Then you will normally segment this /48 subnet into more /64 networks. A /48 subnet gives you 65536 /64 networks. So the IPv6 prefix will be something like:
aaaa:aaaa:aaaa:bbbb::/64
the 'aaaa:aaaa:aaaa' part is the prefix your ISP will provide you, and this is the first 48bits of the IPv6 address. The 'bbbb' part is up to you to decide what will be, and that's the next 16 bits of the address scope. So 48 + 16 = 64 bits. And 2^16 = 65536.
And this is all you need to know about IPv6 addressing. Really! That's it. No network addresses, no broadcast addresses. Just pure usable IPv6 addresses.
(You may of course make even more subnets below /64, but that's usually not recommended, especially with auto-configured networks.)
So then ... the next phase. As everyone who gets a /48 net should have it flexible enough to set up private networks, the firewall just needs to completely block incoming traffic to a /64 net defined by the admins as private. It can further be decided if this /64 net should have access to IPv6 addresses outside this local network. Again this is just a firewall rule and nothing more - allow or reject/drop.
And then, the formerly proposed site-local subnet makes pretty much no sense, as IPv6 does not support NAT: this network would not be able to communicate across a router/firewall. This subnet (fec0:: - fef::) should not be routed anywhere. And without NAT, it can't escape the subnet at all anyway.
So, spending one, two or hundreds of /64 subnets with public IPv6 addresses which are completely blocked in a firewall will serve exactly the same purpose as a site-local subnet. But this /64 net may get access to the Internet *if* allowed by the firewall. This is not possible with site-local at all. And of course, this is without NAT in addition.
I hope this made it a little bit clearer.
Clear as mud. If I understand you correctly, I have to say that IPv6 is broken by design. I have a double handful of computers on my home network. Each of them needs access to the Internet to get updates to the OS and various applications. However, I do *NOT* want each and every one of them to show up as a unique address outside of my network. With IP4 and m0n0wall running as the NAT, they are all translated to the single IP address that Roadrunner assigned to my Firewall. I need to continue that mapping. If IPv6 cannot do that, then I hope Time-Warner continues to ignore it and stays with their current address structure.
Bob McConnell N2SPP
IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect was hiding the internal IPv4 address, which complicates a number of protocols like FTP and SIP. The only downside I see is ISPs could try and charge based on the number of IPv6 addresses being used.
No, the downside is that each address used will be exposed to the world. I consider that a serious security flaw. Having my ISP know how many computers I have is a minor issue covered by the contract I have with them. But having all of those addresses exposed to Russian mobsters, terrorists, crackers and everyone else that knows how to capture packets is another matter altogether. If IPv6 exposes that information to the world, it is definitely unsafe to use.
Bob McConnell N2SPP
The data is already exposed with IPv4, but it just looks to originate from one place. With an IPv6 firewall blocking all incoming traffic you have the same security as IPv4 with NAT. The data is still exposed, it just comes from multiple places now. Plus with the trillions of addresses available it becomes much harder to just brute force attack a range of IPs.
Interestingly enough Windows went one step ahead and chooses a random IPv6 address instead of basing it on the MAC address. The address changes over time making it harder to track your usage to a single computer.
Ryan
On Mon, Dec 6, 2010 at 6:56 PM, Ryan Wagoner rswagoner@gmail.com wrote:
On Mon, Dec 6, 2010 at 6:28 PM, Bob McConnell rmcconne@lightlink.com wrote:
Ryan Wagoner wrote:
On Mon, Dec 6, 2010 at 5:15 PM, Bob McConnell rmcconne@lightlink.com wrote:
David Sommerseth wrote:
On 06/12/10 15:29, Todd Rinaldo wrote:
On Dec 6, 2010, at 5:27 AM, David Sommerseth wrote:
> On 05/12/10 14:21, Tom H wrote:
>> On Sun, Dec 5, 2010 at 8:13 AM, RedShift redshift@pandora.be wrote:
>>> On 12/05/10 12:50, Rudi Ahlers wrote:
>>>> (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Day...),
>>> Haven't switched yet, I have IPv6 at home using sixxs.
>>>
>>> I can't even figure out what address ranges are reserved for private use, is there even such a concept in IPv6?
>> I think that site-local ("fec0:: - fef::") is the ipv6 more-or-less-equivalent of ipv4 private addresses.
> Yes, that's correct and it is deprecated.
> http://www.ietf.org/rfc/rfc3879.txt
>
> With IPv6 there is plenty of addresses for everyone so you basically use your own assigned official IPv6 address space and setup your own private /64 net and block that subnet in your firewalls.
>
> Another thing, there is no NAT and it will not be implemented as we know it in IPv4. To call NAT a security feature is also a faulty understanding. As NAT only prevents access from outside to some computer inside a network which is NAT'ed. This restriction and filtering is the task of the firewall anyway, which does the NAT anyway.
>
> NAT basically just breaks a lot of protocols and enforces complex firewalls which needs to understand a lot of different protocols to be able to do things correctly. Which often do not work as well as it could.
> I've heard this before but it's always confused me. Admittedly I haven't had a chance to look at the spec. If we're saying that everyone's going to have the same private subnet, then we're saying that all the private subnets are going to have to be NAT-ed, aren't they?
This can be a bit confusing, especially if you see this with "IPv4 eyes". In IPv6, there basically is no such thing as a private subnet (range).
When you contact your ISP to get an IPv6 subnet, they will most probably give you a /48 network. That means you will have an IPv6 prefix which is unique. That is a reference to all _your_ IPv6 networks.
Then you will normally segment this /48 subnet into multiple /64 networks. A /48 subnet gives you 65536 /64 networks. So the IPv6 prefix will be something like:
aaaa:aaaa:aaaa:bbbb::/64
The 'aaaa:aaaa:aaaa' part is the prefix your ISP will provide you, and this is the first 48 bits of the IPv6 address. The 'bbbb' part is up to you to decide, and that's the next 16 bits of the address scope. So 48 + 16 = 64 bits. And 2^16 = 65536.
And this is all you need to know about IPv6 addressing. Really! That's it. No network addresses, no broadcast addresses. Just pure usable IPv6 addresses.
(You may of course make even more subnets below /64, but that's usually not recommended, especially with auto-configured networks.)
So then ... the next phase. As everyone who gets a /48 net should have it flexible enough to set up private networks, the firewall just needs to completely block incoming traffic to a /64 net defined by the admins as private. It can further be decided if this /64 net should have access to IPv6 addresses outside this local network. Again this is just a firewall rule and nothing more - allow or reject/drop.
And then, the formerly proposed site-local subnet makes pretty much no sense, as IPv6 does not support NAT: this network would not be able to communicate across a router/firewall. This subnet (fec0:: - fef::) should not be routed anywhere. And without NAT, it can't escape the subnet at all anyway.
So, spending one, two or hundreds of /64 subnets with public IPv6 addresses which are completely blocked in a firewall will serve exactly the same purpose as a site-local subnet. But this /64 net may get access to the Internet *if* allowed by the firewall. This is not possible with site-local at all. And of course, this is without NAT in addition.
I hope this made it a little bit clearer.
Clear as mud. If I understand you correctly, I have to say that IPv6 is broken by design. I have a double handful of computers on my home network. Each of them needs access to the Internet to get updates to the OS and various applications. However, I do *NOT* want each and every one of them to show up as a unique address outside of my network. With IP4 and m0n0wall running as the NAT, they are all translated to the single IP address that Roadrunner assigned to my Firewall. I need to continue that mapping. If IPv6 cannot do that, then I hope Time-Warner continues to ignore it and stays with their current address structure.
Bob McConnell N2SPP
IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect was hiding the internal IPv4 address, which complicates a number of protocols like FTP and SIP. The only downside I see is ISPs could try and charge based on the number of IPv6 addresses being used.
No, the downside is that each address used will be exposed to the world. I consider that a serious security flaw. Having my ISP know how many computers I have is a minor issue covered by the contract I have with them. But having all of those addresses exposed to Russian mobsters, terrorists, crackers and everyone else that knows how to capture packets is another matter altogether. If IPv6 exposes that information to the world, it is definitely unsafe to use.
The data is already exposed with IPv4, but it just looks to originate from one place. With an IPv6 firewall blocking all incoming traffic you have the same security as IPv4 with NAT. The data is still exposed, it just comes from multiple places now. Plus with the trillions of addresses available it becomes much harder to just brute force attack a range of IPs.
Interestingly enough Windows went one step ahead and chooses a random IPv6 address instead of basing it on the MAC address. The address changes over time making it harder to track your usage to a single computer.
That's why ipv6 privacy extensions have been developed - to randomize the ethernet address.
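Ryan's observation above (a random rather than MAC-derived address) and the reply about privacy extensions are easier to weigh with the two identifier schemes side by side. The following is an added example, not code from the thread: it builds a modified EUI-64 interface identifier from a MAC the way RFC 4291 describes, shows that an observer can read the MAC straight back out of the resulting address, and generates an RFC 4941-style temporary identifier that carries no such information. The MAC 00:1c:42:2b:60:5a and the prefix 2001:db8:abcd:10::/64 are constructed sample values (the latter from the RFC 3849 documentation range), and the function names are mine.

```python
"""MAC-derived (modified EUI-64) versus random (RFC 4941-style) IPv6
interface identifiers.  Added example, not code from the thread; the MAC
and prefix below are constructed sample values."""
import ipaddress
import os

SAMPLE_MAC = "00:1c:42:2b:60:5a"                       # constructed
LAN = ipaddress.ip_network("2001:db8:abcd:10::/64")    # constructed


def eui64_interface_id(mac):
    """RFC 4291 appendix A: split the 48-bit MAC, insert ff:fe in the middle,
    and invert the universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def mac_from_interface_id(iid):
    """Inverse: if the low 64 bits carry the ff:fe marker, recover the MAC.
    Returns None when the identifier does not look MAC-derived."""
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


def random_interface_id(randbytes=os.urandom):
    """Temporary identifier in the spirit of RFC 4941: 64 random bits with the
    universal/local bit cleared, so it claims no global (vendor) uniqueness.
    'randbytes' is injectable so the behaviour can be checked deterministically."""
    b = bytearray(randbytes(8))
    b[0] &= 0xFD   # clear bit 0x02
    return int.from_bytes(b, "big")


def slaac_address(prefix, iid):
    """Combine a /64 prefix with a 64-bit interface identifier."""
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    if not 0 < iid < 2 ** 64:
        raise ValueError("interface identifier must be a non-zero 64-bit value")
    return ipaddress.ip_address(int(prefix.network_address) | iid)


def exposed_mac(address):
    """What an outside observer can learn from an address alone: the MAC if
    the host used EUI-64, otherwise None."""
    low64 = int(ipaddress.ip_address(address)) & (2 ** 64 - 1)
    return mac_from_interface_id(low64)


if __name__ == "__main__":
    stable = slaac_address(LAN, eui64_interface_id(SAMPLE_MAC))
    print(stable, "->", exposed_mac(stable))        # MAC readable from the address
    temp = slaac_address(LAN, random_interface_id())
    print(temp, "->", exposed_mac(temp))            # None: nothing to read back
```

Both addresses sit in the same /64 and are equally reachable; the difference is only in what the low 64 bits reveal, which is the whole point of the privacy extensions the reply mentions.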
On Mon, Dec 6, 2010 at 6:28 PM, Bob McConnell rmcconne@lightlink.com wrote:
No, the downside is that each address used will be exposed to the world. I consider that a serious security flaw. Having my ISP know how many computers I have is a minor issue covered by the contract I have with them. But having all of those addresses exposed to Russian mobsters, terrorists, crackers and everyone else that knows how to capture packets is another matter altogether. If IPv6 exposes that information to the world, it is definitely unsafe to use.
Bob McConnell N2SPP
The design of IPv4 requires that all systems have unique addresses, just like IPv6 does. NAT caused a huge uproar in the community when it was introduced because it broke this fundamental tenet of the Internet. This is why all of those old protocols referred to here are broken by NAT -- because they always assumed the Internet would work as it was designed.
IPv6 merely restores this ability by giving enough address space for everyone again. It RESTORES the original design of the Internet.
What you are talking about is a FIREWALL, which is NOT THE SAME THING as a NAT router. You are enjoying a side-effect of NAT by thinking it is a firewall. If you want a firewall with IPv6, THERE IS NO PROBLEM WITH THAT. You can have a firewall and do all the blocking of Russian mobsters you want. You can easily set a firewall to have the same effect as your current NAT setup (allow all outgoing traffic, block incoming traffic). Once IPv6 becomes pervasive, this will even be just as easy as setting up your NAT router is now. A "firewall" in this case does not mean software running on your computer, it means a box that you plug in between your two networks, just like you do now with the NAT router.
Arguing any differently only shows that you're used to doing things a certain way, and don't want to change. That's a natural human reaction to change, but you need to get over that impulse and realize that you can still do what you want as long as you take the time to understand.
On 12/06/10 4:27 PM, Brian Mathis wrote:
On Mon, Dec 6, 2010 at 6:28 PM, Bob McConnellrmcconne@lightlink.com wrote:
No, the downside is that each address used will be exposed to the world. I consider that a serious security flaw. ...
What you are talking about is a FIREWALL, which is NOT THE SAME THING as a NAT router. ...
Bob, much like my employer's 'E Security' people, seems to think that the host addresses themselves are privileged proprietary secrets, and exposing them increases the probability of being hacked.
On 6/12/10 4:34 PM, "John R Pierce" pierce@hogranch.com wrote:
On 12/06/10 4:27 PM, Brian Mathis wrote:
On Mon, Dec 6, 2010 at 6:28 PM, Bob McConnellrmcconne@lightlink.com wrote:
No, the downside is that each address used will be exposed to the world. I consider that a serious security flaw. ...
What you are talking about is a FIREWALL, which is NOT THE SAME THING as a NAT router. ...
Bob, much like my employer's 'E Security' people, seems to think that the host addresses themselves are privileged proprietary secrets, and exposing them increases the probability of being hacked.
This has been discussed to death on the NANOG list, where various admins haven't taken the time necessary to unwarp their thinking based off bad security doctrines from the 90s.
On 12/6/10 6:27 PM, Brian Mathis wrote:
You are enjoying a side-effect of NAT by thinking it is a firewall.
The other nice side-effect of NAT is that you get an effectively infinite number of addresses behind it without any pre-arrangement with anyone else. Even if ISPs hand out what they expect to reasonably-sized blocks, won't it be much harder to deal with when you outgrow your allotment? We've had the opportunity to move to ipv6 for ages but we haven't (in the US, anyway). I think the reason is that most people like the way NAT works and don't really want a public address on every device.
On 07/12/10 02:26, Les Mikesell wrote:
On 12/6/10 6:27 PM, Brian Mathis wrote:
You are enjoying a side-effect of NAT by thinking it is a firewall.
The other nice side-effect of NAT is that you get an effectively infinite number of addresses behind it without any pre-arrangement with anyone else. Even if ISPs hand out what they expect to reasonably-sized blocks, won't it be much harder to deal with when you outgrow your allotment? We've had the opportunity to move to ipv6 for ages but we haven't (in the US, anyway). I think the reason is that most people like the way NAT works and don't really want a public address on every device.
So you are afraid of outgrowing an assigned /48 net? Let's do some math here ... and I hope I get it right ...
IPv4: aa:bb:cc:dd .... that's 32 bits
IPv6: aaaa:aaaa:aaaa:: .... this is 48 bits out of 128 bits
In the IPv6 scenario, you have been assigned 'aaaa:aaaa:aaaa::' as your IPv6 prefix by your ISP.
So that means that you have 128-48 bits available for your own addressing scheme. That is 80 bits you have absolutely full control over. Of course, it's recommended to have subnets no smaller than 64 bits. So that makes it:
IPv6 /64 subnets: aaaa:aaaa:aaaa:bbbb::
That means you have 16 bits for subnets. 2^16 = 65536 subnets, each with 64-bit addressing. And if my math doesn't fail me now, a 64-bit addressing scheme is doubling the IPv4 address scope 32 times.
What I mean is that from 32 bit to 33 bit, you have 2 * the 32-bit addressing scope. From 32 to 34, you have 4 * the 32-bit addressing scope. For each bit you add, you double what you had.
It is simply insanely many addresses. And if you fear that ISPs or IANA might run out of address space, remember that they have 48 bits to play with, which is the IPv4 address scope doubled 16 times.
Of course some ISPs will probably just hand out /64 networks to most of their customers (most probably to home users). But that's another story. And a /64 network is possible but not so easy to subnet further, and is also not recommended.
kind regards,
David Sommerseth
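The /48 to /64 arithmetic David works through here, and in his earlier reply about the 'aaaa:aaaa:aaaa:bbbb::/64' prefix layout, can be checked with Python's standard ipaddress module. This is an added example and not part of the thread; the prefix 2001:db8:abcd::/48 is a constructed stand-in (the RFC 3849 documentation range) for the ISP-assigned 'aaaa:aaaa:aaaa::' prefix, and the function names are mine. It generalises slightly beyond the post: the same helpers work for a /56 assignment, which the thread mentions later as another size ISPs hand out.

```python
"""Site-prefix arithmetic with the standard-library ipaddress module.
Added example, not code from the thread; the /48 below is the RFC 3849
documentation range, used as a constructed stand-in for an ISP assignment."""
import ipaddress

ISP_PREFIX = ipaddress.ip_network("2001:db8:abcd::/48")   # constructed: 'aaaa:aaaa:aaaa::/48'


def subnet_count(site, new_prefix=64):
    """How many /new_prefix networks fit in 'site': 2^(64-48) = 65536 for a /48."""
    if new_prefix < site.prefixlen:
        raise ValueError("new prefix must not be shorter than the site prefix")
    return 2 ** (new_prefix - site.prefixlen)


def nth_subnet(site, index, new_prefix=64):
    """The index-th /64 of the site, i.e. the 'bbbb' field the admin chooses,
    computed directly instead of iterating all 65536 of them."""
    if not 0 <= index < subnet_count(site, new_prefix):
        raise ValueError("subnet index out of range for this site prefix")
    # Shift the index into the bits between the site prefix and the new prefix.
    base = int(site.network_address) + (index << (128 - new_prefix))
    return ipaddress.IPv6Network((base, new_prefix))


def addresses_per_subnet(prefixlen=64):
    """Addresses in one subnet: a /64 holds 2^64, IPv4's 2^32 'doubled 32 times'."""
    return 2 ** (128 - prefixlen)


def doublings_over_ipv4(prefixlen=64):
    """How many times the 32-bit IPv4 space must be doubled to reach this subnet size."""
    return (128 - prefixlen) - 32


def host_in_subnet(subnet, interface_id):
    """Compose an address from the /64 prefix and a 64-bit interface identifier.
    The all-zero identifier is excluded: RFC 4291 reserves it as the
    subnet-router anycast address."""
    if not 0 < interface_id < 2 ** 64:
        raise ValueError("interface id must be a non-zero 64-bit value")
    return ipaddress.ip_address(int(subnet.network_address) | interface_id)


if __name__ == "__main__":
    print(subnet_count(ISP_PREFIX))                    # 65536
    lan = nth_subnet(ISP_PREFIX, 0x0010)               # admin picks bbbb = 0010
    print(lan)                                         # 2001:db8:abcd:10::/64
    print(host_in_subnet(lan, 1))                      # 2001:db8:abcd:10::1
    print(addresses_per_subnet(), doublings_over_ipv4())   # 18446744073709551616 32
    home56 = ipaddress.ip_network("2001:db8:abcd:ff00::/56")   # constructed /56 assignment
    print(subnet_count(home56))                        # 256
```

The integer shift in nth_subnet is the whole trick: the 16 bits between the site prefix and the /64 boundary are the subnet number, so indexing into them is plain arithmetic, with no network or broadcast address to skip.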
On 12/07/2010 05:13 AM, David Sommerseth wrote:
On 07/12/10 02:26, Les Mikesell wrote:
On 12/6/10 6:27 PM, Brian Mathis wrote:
You are enjoying a side-effect of NAT by thinking it is a firewall.
The other nice side-effect of NAT is that you get an effectively infinite number of addresses behind it without any pre-arrangement with anyone else. Even if ISPs hand out what they expect to reasonably-sized blocks, won't it be much harder to deal with when you outgrow your allotment? We've had the opportunity to move to ipv6 for ages but we haven't (in the US, anyway). I think the reason is that most people like the way NAT works and don't really want a public address on every device.
So you are afraid of outgrowing an assigned /48 net? Let's do some math here ... and I hope I get it right ...
IPv4: aa:bb:cc:dd .... that's 32 bits
IPv6: aaaa:aaaa:aaaa:: .... this is 48 bits out of 128 bits
In the IPv6 scenario, you have been assigned 'aaaa:aaaa:aaaa::' as your IPv6 prefix by your ISP.
So that means that you have 128-48 bits available for your own addressing scheme. That is 80 bits you have absolutely full control over. Of course, it's recommended to have subnets no smaller than 64 bits. So that makes it:
IPv6 /64 subnets: aaaa:aaaa:aaaa:bbbb::
That means you have 16 bits for subnets. 2^16 = 65536 subnets, each with 64-bit addressing. And if my math doesn't fail me now, a 64-bit addressing scheme is doubling the IPv4 address scope 32 times.
What I mean is that from 32 bit to 33 bit, you have 2 * the 32-bit addressing scope. From 32 to 34, you have 4 * the 32-bit addressing scope. For each bit you add, you double what you had.
It is simply insanely many addresses. And if you fear that ISPs or IANA might run out of address space, remember that they have 48 bits to play with, which is the IPv4 address scope doubled 16 times.
Of course some ISPs will probably just hand out /64 networks to most of their customers (most probably to home users). But that's another story. And a /64 network is possible but not so easy to subnet further, and is also not recommended.
ISP's are supposed to hand out /48's so you can move to a new ISP without having to disrupt your internal addressing.
kind regards,
David Sommerseth
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Mon, 2010-12-06 at 19:26 -0600, Les Mikesell wrote:
On 12/6/10 6:27 PM, Brian Mathis wrote:
You are enjoying a side-effect of NAT by thinking it is a firewall.
The other nice side-effect of NAT is that you get an effectively infinite number of addresses behind it without any pre-arrangement with anyone else. Even if ISPs hand out what they expect to reasonably-sized blocks, won't it be much harder to deal with when you outgrow your allotment? We've had the opportunity to move to ipv6 for ages but we haven't (in the US, anyway). I think the reason is that most people like the way NAT works and don't really want a public address on every device.
Bogus. The reason is that they haven't been pressured into adoption by higher powers; so we will get into a nice scramble to migrate in a pinch.
"most people" have no idea what NAT is, don't care, and shouldn't have to care.
Some people's belief that NAT is some magic sauce that makes them more secure [it does not] or provides them more flexibility [it does not] than real addresses ... causes the people who understand networking to have to spend time explaining that their love of NAT is misguided and their beliefs about NAT are bogus.
On 12/7/10 9:04 AM, Adam Tauno Williams wrote:
The other nice side-effect of NAT is that you get an effectively infinite number of addresses behind it without any pre-arrangement with anyone else. Even if ISPs hand out what they expect to reasonably-sized blocks, won't it be much harder to deal with when you outgrow your allotment? We've had the opportunity to move to ipv6 for ages but we haven't (in the US, anyway). I think the reason is that most people like the way NAT works and don't really want a public address on every device.
Bogus. The reason is that they haven't been pressured into adoption by higher powers; so we will get into a nice scramble to migrate in a pinch.
Agreed, but the reason that hasn't happened is that there's no visible benefit to the consumer.
"most people" have no idea what NAT is, don't care, and shouldn't have to care.
Agreed again, but the reason is that the vast majority only want outbound client connections and they would be perfectly happy if application protocols adapted to client registration to some central registry for portability instead of ever assuming that a person or associated application had anything to do with any particular device or fixed address. Compare the number of people who use an IM/chat application to the number who have directly reachable SIP endpoints without a forwarding service, for example. There are good reasons for that.
Some people's belief that NAT is some magic sauce that makes them more secure [it does not] or provides them more flexibility [it does not] than real addresses ... causes the people who understand networking to have to spend time explaining that their love of NAT is misguided and their beliefs about NAT are bogus.
If the ipv6 routers come with defaults that work the same as current NAT routers, people will be able to continue to misunderstand them happily. That is, permit outbound client connections from anything connected behind them without much regard to how many devices there are, and block everything else.
On Tue, 2010-12-07 at 10:16 -0600, Les Mikesell wrote:
On 12/7/10 9:04 AM, Adam Tauno Williams wrote:
Some people's belief that NAT is some magic sauce that makes them more secure [it does not] or provides them more flexibility [it does not] than real addresses ... causes the people who understand networking to have to spend time explaining that their love of NAT is misguided and their beliefs about NAT are bogus.
If the ipv6 routers come with defaults that work the same as current NAT routers, people will be able to continue to misunderstand them happily. That is, permit outbound client connections from anything connected behind them without much regard to how many devices there are, and block everything else.
And doesn't that sound like you just describe a firewall?
"permit outbound client connections from anything connected behind them without much regard to how many devices there are, and block everything else" isn't NAT. That's a router/firewall. Happily IPv6 does that exactly.
On 12/7/10 10:20 AM, Adam Tauno Williams wrote:
Some people's belief that NAT is some magic sauce that makes them more secure [it does not] or provides them more flexibility [it does not] than real addresses ... causes the people who understand networking to have to spend time explaining that their love of NAT is misguided and their beliefs about NAT are bogus.
If the ipv6 routers come with defaults that work the same as current NAT routers, people will be able to continue to misunderstand them happily. That is, permit outbound client connections from anything connected behind them without much regard to how many devices there are, and block everything else.
And doesn't that sound like you just describe a firewall?
It sounds like a complex setup for a firewall with dynamic entries to temporarily pass tcp and udp with different timeouts, where 1->many NAT doesn't have any other choice. If you don't send outbound you don't get the nat table entry to forward anything back through it.
"permit outbound client connections from anything connected behind them without much regard to how many devices there are, and block everything else" isn't NAT. That's a router/firewall. Happily IPv6 does that exactly.
You didn't mention the number of devices - how does that play out when you exceed the number initially set up?
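The policy Adam describes ("permit outbound from anything behind it, block everything else") together with the per-protocol timeouts Les mentions is exactly what a stateful filter on public IPv6 addresses does, so here it is modelled as a small connection-tracking filter. This is an added illustration, not code from the thread or from any firewall product; the site prefix 2001:db8:abcd::/48, the inside host 2001:db8:abcd:10::1, the outside address 2001:db8:ffff::80 and the timeout values are all constructed. It adds one IPv6-specific caveat a practitioner needs: the ICMPv6 error messages RFC 4890 lists as must-not-drop (Packet Too Big in particular) are admitted even when unsolicited, because without them path MTU discovery fails and connections stall.

```python
"""Stateful 'allow out, block unsolicited in' filter for a site with public
IPv6 addresses and no NAT.  Added illustration, not firewall code from the
thread; prefixes, addresses and timeouts are constructed values."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SITE = ipaddress.ip_network("2001:db8:abcd::/48")   # constructed: the ISP-assigned /48
# Idle timeouts (seconds) for the dynamic entries Les describes; constructed
# values, real connection trackers use their own defaults per protocol.
TIMEOUTS = {"tcp": 3600, "udp": 30}
# ICMPv6 error messages RFC 4890 (section 4.3.1) says must not be dropped:
# 1 Destination Unreachable, 2 Packet Too Big, 3 Time Exceeded, 4 Parameter Problem.
ICMPV6_ERRORS_MUST_PASS = {1, 2, 3, 4}


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmpv6"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None


class StatefulFilter:
    """Tracks flows opened from inside; admits inbound packets only if they
    match a live flow or are an essential ICMPv6 error."""

    def __init__(self, site):
        self.site = site
        # (proto, inside_addr, inside_port, outside_addr, outside_port) -> expiry time
        self.flows = {}

    def _inside(self, addr):
        return ipaddress.ip_address(addr) in self.site

    def _expire(self, now):
        self.flows = {k: t for k, t in self.flows.items() if t > now}

    def filter(self, pkt, now):
        """Return 'accept', 'drop' or 'unhandled' for pkt arriving at time now."""
        self._expire(now)
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            # Outbound: create or refresh the flow entry, then let it through.
            if pkt.proto in TIMEOUTS:
                key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
                self.flows[key] = now + TIMEOUTS[pkt.proto]
            return "accept"
        if self._inside(pkt.dst) and not self._inside(pkt.src):
            # Inbound: only a reply to a tracked flow (tuple seen from inside).
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.flows:
                self.flows[key] = now + TIMEOUTS[pkt.proto]
                return "accept"
            if pkt.proto == "icmpv6" and pkt.icmp_type in ICMPV6_ERRORS_MUST_PASS:
                return "accept"
            return "drop"   # unsolicited inbound: the effect people credit to NAT, without NAT
        return "unhandled"  # does not cross the border; out of scope for this example


if __name__ == "__main__":
    fw = StatefulFilter(SITE)
    host, web = "2001:db8:abcd:10::1", "2001:db8:ffff::80"   # constructed inside/outside
    print(fw.filter(Packet("tcp", host, web, 40000, 443), now=0))        # accept (outbound)
    print(fw.filter(Packet("tcp", web, host, 443, 40000), now=1))        # accept (reply)
    print(fw.filter(Packet("tcp", web, host, 50000, 22), now=2))         # drop (unsolicited)
    print(fw.filter(Packet("udp", host, web, 5000, 53), now=10))         # accept (outbound)
    print(fw.filter(Packet("udp", web, host, 53, 5000), now=45))         # drop (udp entry expired)
    print(fw.filter(Packet("icmpv6", web, host, icmp_type=2), now=46))  # accept (Packet Too Big)
```

Note that the inside host keeps its real global address throughout; nothing is rewritten. The tracking table is the only state, and the number of inside devices never enters into it, which answers the question about "exceeding the number initially set up".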
On 07/12/10 18:01, Les Mikesell wrote:
On 12/7/10 10:20 AM, Adam Tauno Williams wrote:
[...snip...]
"permit outbound client connections from anything connected behind them without much regard to how many devices there are, and block everything else" isn't NAT. That's a router/firewall. Happily IPv6 does that exactly.
You didn't mention the number of devices - how does that play out when you exceed the number initially set up?
How many devices? You mean exceeding the number of available inside an IPv6 subnet? I do hope you're kidding ... as for a /64 subnet we're talking about 4.294.967.296 addresses doubled 32 times.
kind regards,
David Sommerseth
On 12/7/10 11:19 AM, David Sommerseth wrote:
On 07/12/10 18:01, Les Mikesell wrote:
On 12/7/10 10:20 AM, Adam Tauno Williams wrote:
[...snip...]
"permit outbound client connections from anything connected behind them without much regard to how many devices there are, and block everything else" isn't NAT. That's a router/firewall. Happily IPv6 does that exactly.
You didn't mention the number of devices - how does that play out when you exceed the number initially set up?
How many devices? You mean exceeding the number of available inside an IPv6 subnet? I do hope you're kidding ... as for a /64 subnet we're talking about 4.294.967.296 addresses doubled 32 times.
Is that what people will automatically get in a home ISP connection?
On 07/12/10 18:39, Les Mikesell wrote:
On 12/7/10 11:19 AM, David Sommerseth wrote:
On 07/12/10 18:01, Les Mikesell wrote:
On 12/7/10 10:20 AM, Adam Tauno Williams wrote:
[...snip...]
"permit outbound client connections from anything connected behind them without much regard to how many devices there are, and block everything else" isn't NAT. That's a router/firewall. Happily IPv6 does that exactly.
You didn't mention the number of devices - how does that play out when you exceed the number initially set up?
How many devices? You mean exceeding the number of available inside an IPv6 subnet? I do hope you're kidding ... as for a /64 subnet we're talking about 4.294.967.296 addresses doubled 32 times.
Is that what people will automatically get in a home ISP connection?
Yes. Either a /64 subnet or more likely a /48 subnet, where a /48 subnet == 65536 /64 subnets.
And the 48 bits ISPs give customers correspond to 281.474.976.710.656 /48 subnets. Compare that number to IPv4's 32 bits: 4.294.967.296
Kind regards,
David Sommerseth
On Tuesday, December 07, 2010 12:39:28 pm Les Mikesell wrote:
How many devices? You mean exceeding the number of available inside an IPv6 subnet? I do hope you're kidding ... as for a /64 subnet we're talking about 4.294.967.296 addresses doubled 32 times.
Is that what people will automatically get in a home ISP connection?
Abbreviations: PI = Provider Independent, PA = Provider Assigned, RIR = Regional Internet Registry, ARIN = American Registry of Internet Numbers, BGP = Border Gateway Protocol, AS = Autonomous System (the routing 'atom' at the BGP level), ASN = Autonomous System Number.
It will depend upon your provider if you get PA addresses; if you go straight to the RIR (ARIN for North America) and pay to get PI addresses you will get by default a /48; but then you have to get your provider to agree to advertise that /48 over BGP. The IPv6 table has the potential to be vastly larger than the IPv4 table (the number of /48's in IPv6 is 65,536 times the total addresses in IPv4!) One hopes providers will intelligently aggregate; until there is sane multihoming for enterprise end users good aggregation is going to be elusive, since multihomed sites are going to desire PI space, which will fragment the routing tables. IPv6 routing tables do require larger entries thanks to the four times larger address, after all, and with 32 bit ASN's the AS path for that table entry also doubles in size.
Having said that, most providers probably will give you one of a /48, /56, or /64. There are plenty of addresses available, but if you ever have to renumber (like when changing providers).... you'll want PI, or ULA with NAT66 to PA.
On Tue, Dec 7, 2010 at 10:04 AM, Adam Tauno Williams awilliam@whitemice.org wrote:
Bogus. The reason is that they haven't been pressured into adoption by higher powers; so we will get into a nice scramble to migrate in a pinch.
"most people" have no idea what NAT is, don't care, and shouldn't have to care.
Some people's belief that NAT is some magic sauce that makes them more secure [it does not] or provides them more flexibility [it does not] than real addresses ... causes the people who understand networking to have to spend time explaining that their love of NAT is misguided and their beliefs about NAT are bogus.
*I'm* a fairly expert network person. (10base2, baby, I remember crimping those cables!) Forcing people to specifically select the services they wish to expose, rather than selecting what to cut off in configuring a typical firewall, is basic policy automatically enforced by NAT. It's especially helpful to ISP's, who *do not want* to try to remember all those furshlugginer individual policies and find it far simpler in routing and firewall terms to force all traffic to the NAT.
On Dec 7, 2010, at 7:41 PM, Nico Kadel-Garcia nkadel@gmail.com wrote:
On Tue, Dec 7, 2010 at 10:04 AM, Adam Tauno Williams awilliam@whitemice.org wrote:
Bogus. The reason is that they haven't been pressured into adoption by higher powers; so we will get into a nice scramble to migrate in a pinch.
"most people" have no idea what NAT is, don't care, and shouldn't have to care.
Some people's belief that NAT is some magic sauce that makes them more secure [it does not] or provides them more flexibility [it does not] than real addresses ... causes the people who understand networking to have to spend time explaining that their love of NAT is misguided and their beliefs about NAT are bogus.
*I'm* a fairly expert network person. (10base2, baby, I remember crimping those cables!) Forcing people to specifically select the services they wish to expose, rather than selecting what to cut off in configuring a typical firewall, is basic policy automatically enforced by NAT. It's especially helpful to ISP's, who *do not want* to try to remember all those furshlugginer individual policies and find it far simpler in routing and firewall terms to force all traffic to the NAT.
Does this mean I have to type in URLs like:
http://3ffe:1900:4545:3:200:f8ff:fe21:67cf/
I can only imagine phonetically calling these off on a support call, I'd get half way through it and the other end would tell me to "forget it I'll wait until DNS is working again".
In fact with DNS problems we'd be pretty much crippled.
I'd use IPv6 if the addresses weren't so hard to remember.
-Ross
Does this mean I have to type in URLs like:
http://3ffe:1900:4545:3:200:f8ff:fe21:67cf/
I can only imagine phonetically calling these off on a support call, I'd get half way through it and the other end would tell me to "forget it I'll wait until DNS is working again".
In fact with DNS problems we'd be pretty much crippled.
I'd use IPv6 if the addresses weren't so hard to remember.
-Ross
Well in fact I don't think that will even work with the present URL rules. Just on a lark I clicked on your string, and my firefox interpreted it as http://3ffe:1900. Unless there's a special http protocol string for ipv6?
Tony
On Tue, 2010-12-07 at 20:44 -0500, Tony Schreiner wrote:
Does this mean I have to type in URLs like: http://3ffe:1900:4545:3:200:f8ff:fe21:67cf/ I can only imagine phonetically calling these off on a support call,
I'd get half way through it and the other end would tell me to "forget it I'll wait until DNS is working again".
In fact with DNS problems we'd be pretty much crippled. I'd use IPv6 if the addresses weren't so hard to remember.
Well in fact I don't think that will even work with the present URL rules. Just on a lark I clicked on your string, and my firefox interpreted it as http://3ffe:1900. Unless there's a special http protocol string for ipv6?
The URL is incorrectly formatted; enter it as
On Tue, Dec 7, 2010 at 8:44 PM, Tony Schreiner schreian@bc.edu wrote:
Does this mean I have to type in URLs like:
http://3ffe:1900:4545:3:200:f8ff:fe21:67cf/
I can only imagine phonetically calling these off on a support call, I'd get half way through it and the other end would tell me to "forget it I'll wait until DNS is working again".
In fact with DNS problems we'd be pretty much crippled.
I'd use IPv6 if the addresses weren't so hard to remember.
-Ross
Well in fact I don't think that will even work with the present URL rules. Just on a lark I clicked on your string, and my firefox interpreted it as http://3ffe:1900. Unless there's a special http protocol string for ipv6?
Tony
Since : is used to denote the port you must put the IPv6 address in brackets.
http://[3ffe:1900:4545:3:200:f8ff:fe21:67cf]/
Ryan
On 12/7/10 9:02 PM, Ryan Wagoner wrote:
Well in fact I don't think that will even work with the present URL rules. Just on a lark I clicked on your string, and my firefox interpreted it as http://3ffe:1900. Unless there's a special http protocol string for ipv6?
Tony
Since : is used to denote the port you must put the IPv6 address in brackets.
Thunderbird doesn't make that a clickable link. Since the change to ipv6 is pretty much inevitable and probably most things will eventually work out, maybe we should focus on the little things (like programs not recognizing the addresses in various contexts) that are going to cause pain during the transition.
On Wednesday 08 December 2010 03:15:50 Les Mikesell wrote:
On 12/7/10 9:02 PM, Ryan Wagoner wrote:
Well in fact I don't think that will even work with the present URL rules. Just on a lark I clicked on your string, and my firefox interpreted it as http://3ffe:1900. Unless there's a special http protocol string for ipv6?
Tony
Since : is used to denote the port you must put the IPv6 address in brackets.
Thunderbird doesn't make that a clickable link.
Try KMail, it is clickable there. At least the current version of KMail in Fedora (don't have a CentOS box handy atm...) :-)
Best, :-) Marko
On 08/12/10 04:15, Les Mikesell wrote:
On 12/7/10 9:02 PM, Ryan Wagoner wrote:
Well in fact I don't think that will even work with the present URL rules. Just on a lark I clicked on your string, and my firefox interpreted it as http://3ffe:1900. Unless there's a special http protocol string for ipv6?
Tony
Since : is used to denote the port you must put the IPv6 address in brackets.
Thunderbird doesn't make that a clickable link. Since the change to ipv6 is pretty much inevitable and probably most things will eventually work out, maybe we should focus on the little things (like programs not recognizing the addresses in various contexts) that are going to cause pain during the transition.
Did you file a bug to the Thunderbird bugzilla regarding this?
On Tue, Dec 07, 2010 at 09:15:50PM -0600, Les Mikesell wrote:
On 12/7/10 9:02 PM, Ryan Wagoner wrote:
Well in fact I don't think that will even work with the present URL rules. Just on a lark I clicked on your string, and my firefox interpreted it as http://3ffe:1900. Unless there's a special http protocol string for ipv6?
Tony
Since : is used to denote the port you must put the IPv6 address in brackets.
Thunderbird doesn't make that a clickable link. Since the change to ipv6 is pretty much inevitable and probably most things will eventually work out, maybe we should focus on the little things (like programs not recognizing the addresses in various contexts) that are going to cause pain during the transition.
I see that UrlView in mutt gets it just fine. :-)
Mihai
On Tue, 2010-12-07 at 20:37 -0500, Ross Walker wrote:
On Dec 7, 2010, at 7:41 PM, Nico Kadel-Garcia nkadel@gmail.com wrote:
On Tue, Dec 7, 2010 at 10:04 AM, Adam Tauno Williams awilliam@whitemice.org wrote:
Bogus. The reason is that they haven't been pressured into adoption by higher powers; so we will get into a nice scramble to migrate in a pinch.
"most people" have no idea what NAT is, don't care, and shouldn't have to care.
Some people's belief that NAT is some magic sauce that makes them more secure [it does not] or provides them more flexibility [it does not] than real addresses ... causes the people who understand networking to have to spend time explaining that their love of NAT is misguided and their beliefs about NAT are bogus.
*I'm* a fairly expert network person. (10base2, baby, I remember crimping those cables!) Forcing people to specifically select the services they wish to expose, rather than selecting what to cut off in configuring a typical firewall, is basic policy automatically enforced by NAT. It's especially helpful to ISP's, who *do not want* to try to remember all those furshlugginer individual policies and find it far simpler in routing and firewall terms to force all traffic to the NAT.
Does this mean I have to type in URLs like: http://3ffe:1900:4545:3:200:f8ff:fe21:67cf/
Correct syntax for that is
http://[3ffe:1900:4545:3:200:f8ff:fe21:67cf]/
if you want to specify the port it goes outside the brackets
http://[3ffe:1900:4545:3:200:f8ff:fe21:67cf]:8080/
I can only imagine phonetically calling these off on a support call, I'd get half way through it and the other end would tell me to "forget it I'll wait until DNS is working again".
You aren't crippled currently when DNS doesn't work? Because e-mail, Active Directory / Kerberos, and numerous other services just-don't-work without functioning DNS anyway. I'd say the network-minus-DNS is pretty much irrelevant in the real world.
In fact with DNS problems we'd be pretty much crippled. I'd use IPv6 if the addresses weren't so hard to remember.
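The bracket rule Ryan and Adam give above (the RFC 2732 literal-address syntax, port outside the brackets) as an added Python example; this is not code from the thread. `format_ipv6_url` builds a URL from an IPv6 literal and `parse_host_port` shows why the unbracketed form degrades to the `http://3ffe:1900` misparse Tony saw in Firefox. The function names and the `2001:db8::` sample address are this example's own; the `3ffe:...:67cf` literal is the one from the thread.

```python
import ipaddress
from urllib.parse import urlsplit

# Added example: URL handling for IPv6 literals (RFC 2732 bracket syntax).
# Function names are this example's own, not from the thread.

THREAD_ADDR = "3ffe:1900:4545:3:200:f8ff:fe21:67cf"   # the literal quoted in the thread


def format_ipv6_url(address, port=None, path="/", scheme="http"):
    """Build a URL for an IPv6 literal: brackets around the address, port outside.

    ipaddress.IPv6Address validates the literal (ValueError on junk) and emits
    the canonical compressed form, so "2001:0db8::0001" becomes "2001:db8::1".
    Link-local zone IDs (fe80::1%eth0) are refused: they need their own
    escaping (RFC 6874) and are a source of parser bugs in their own right.
    """
    if "%" in address:
        raise ValueError("zone IDs are not valid in a URL host: %r" % address)
    host = ipaddress.IPv6Address(address)
    authority = "[%s]" % host
    if port is not None:
        if not 0 <= port <= 65535:
            raise ValueError("port out of range: %r" % port)
        authority += ":%d" % port
    if not path.startswith("/"):
        path = "/" + path
    return "%s://%s%s" % (scheme, authority, path)


def parse_host_port(url, default_port=80):
    """Return (host, port) for a URL.

    For a correctly bracketed literal the host comes back without brackets and
    the port is the explicit one or default_port.  For an unbracketed IPv6
    literal any URL parser must treat the first colon as the host/port
    separator, so the host collapses to the first hextet and the "port" is
    garbage; that case is reported as (first_hextet, None) so callers can
    refuse it instead of connecting to the wrong place.
    """
    parts = urlsplit(url)
    netloc = parts.netloc
    if not netloc.startswith("[") and netloc.count(":") > 1:
        # Bare IPv6 literal: exactly the "http://3ffe:1900" misparse from the thread.
        return netloc.split(":", 1)[0], None
    port = parts.port          # raises ValueError for a non-numeric port
    return parts.hostname, default_port if port is None else port


def round_trip(address, port=None):
    """Format then parse; True when the literal and port survive intact."""
    host, got_port = parse_host_port(format_ipv6_url(address, port))
    same_host = ipaddress.IPv6Address(host) == ipaddress.IPv6Address(address)
    return same_host and got_port == (80 if port is None else port)


if __name__ == "__main__":
    good = format_ipv6_url(THREAD_ADDR, port=8080)
    print(good, "->", parse_host_port(good))
    bad = "http://%s/" % THREAD_ADDR
    print(bad, "->", parse_host_port(bad))
```

Anything that accepts host:port strings from users or configuration (proxy settings, allow-lists, log parsers) needs the same bracket-aware split; treating the first colon as the separator silently turns a full IPv6 address into a different host plus an invalid port.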
On Dec 7, 2010, at 9:20 PM, Adam Tauno Williams awilliam@whitemice.org wrote:
On Tue, 2010-12-07 at 20:37 -0500, Ross Walker wrote:
On Dec 7, 2010, at 7:41 PM, Nico Kadel-Garcia nkadel@gmail.com wrote:
On Tue, Dec 7, 2010 at 10:04 AM, Adam Tauno Williams awilliam@whitemice.org wrote:
Bogus. The reason is that they haven't been pressured into adoption by higher powers; so we will get into a nice scramble to migrate in a pinch.
"most people" have no idea what NAT is, don't care, and shouldn't have to care.
Some people's belief that NAT is some magic sauce that makes them more secure [it does not] or provides them more flexibility [it does not] than real addresses ... causes the people who understand networking to have to spend time explaining that their love of NAT is misguided and their beliefs about NAT are bogus.
*I'm* a fairly expert network person. (10base2, baby, I remember crimping those cables!) Forcing people to specifically select the services they wish to expose, rather than selecting what to cut off in configuring a typical firewall, is basic policy automatically enforced by NAT. It's especially helpful to ISP's, who *do not want* to try to remember all those furshlugginer individual policies and find it far simpler in routing and firewall terms to force all traffic to the NAT.
Does this mean I have to type in URLs like: http://3ffe:1900:4545:3:200:f8ff:fe21:67cf/
Correct syntax for that is
http://%5B3ffe:1900:4545:3:200:f8ff:fe21:67cf%5D/
if you want to specify the port it goes outside the brackets
Thanks, I googled it afterwards and caught the proper syntax.
I can only imagine phonetically calling these off on a support call, I'd get half way through it and the other end would tell me to "forget it I'll wait until DNS is working again".
You aren't crippled currently when DNS doesn't work? Because e-mail, Active Directory / Kerberos, and numerous other services just-don't-work without functioning DNS anyway. I'd say the network-minus-DNS is pretty much irrelevant in the real world.
Well, there is DNS down and there is DNS issues causing some sites problems. These may or may not be due to our DNS servers, you get the idea.
When you're on your router or switch, want to traceroute or find out what port an address is on... Is there even ARP with v6?
-Ross
On 08/12/10 03:36, Ross Walker wrote:
On Dec 7, 2010, at 9:20 PM, Adam Tauno Williams awilliam@whitemice.org wrote:
On Tue, 2010-12-07 at 20:37 -0500, Ross Walker wrote:
On Dec 7, 2010, at 7:41 PM, Nico Kadel-Garcia nkadel@gmail.com wrote:
On Tue, Dec 7, 2010 at 10:04 AM, Adam Tauno Williams awilliam@whitemice.org wrote:
[...snip...]
I can only imagine phonetically calling these off on a support call, I'd get half way through it and the other end would tell me to "forget it I'll wait until DNS is working again".
You aren't crippled currently when DNS doesn't work? Because e-mail, Active Directory / Kerberos, and numerous other services just-don't-work without functioning DNS anyway. I'd say the network-minus-DNS is pretty much irrelevant in the real world.
Well, there is DNS down and there is DNS issues causing some sites problems. These may or may not be due to our DNS servers, you get the idea.
The problem with DNS being down is just as critical on IPv4 as with IPv6. The only difference is that it's a lot easier to remember or type IPv4 addresses ... at least now until we're really getting used to IPv6 addresses.
By all means, DNS will be much more critically important in IPv6 though - as not everyone will be able to remember IPv6 addresses as well as IPv4 addresses.
When you're on your router or switch, want to traceroute or find out what port an address is on... Is there even ARP with v6?
Nope, ARP is gone. But it gets a replacement as a part of IPv6, instead of ARP being an addition to IPv4.
http://itkia.com/how-to-arp-a-in-ipv6/ http://www.tcpipguide.com/free/t_TCPIPIPv6NeighborDiscoveryProtocolND.htm
kind regards,
David Sommerseth
On Wed, 2010-12-08 at 10:01 +0100, David Sommerseth wrote:
Nope, ARP is gone. But it gets a replacement as a part of IPv6, instead of ARP being an addition to IPv4.
http://itkia.com/how-to-arp-a-in-ipv6/ http://www.tcpipguide.com/free/t_TCPIPIPv6NeighborDiscoveryProtocolND.htm
I have a question about how IPV6 interacts with the switches in the local network. Right now, my sub $50(US) gigabit switch from any of several vendors keeps an arp table to determine which switch port a message will use. With the huge address space available with IPV6, how is that going to work, and when am I going to get a cheap soho switch that can handle IPV6?
Dave
On Wed, 2010-12-08 at 09:37 -0600, David G. Mackay wrote:
On Wed, 2010-12-08 at 10:01 +0100, David Sommerseth wrote:
Nope, ARP is gone. But it gets a replacement as a part of IPv6, instead of ARP being an addition to IPv4. http://itkia.com/how-to-arp-a-in-ipv6/ http://www.tcpipguide.com/free/t_TCPIPIPv6NeighborDiscoveryProtocolND.htm
I have a question about how IPV6 interacts with the switches in the local network. Right now, my sub $50(US) gigabit switch from any of several vendors keeps an arp table to determine which switch port a message will use. With the huge address space available with IPV6, how is that going to work, and when am I going to get a cheap soho switch that can handle IPV6?
The switch will continue to operate using the MAC# of the client interfaces. The switch doesn't care about IPv4, IPv6, or IPX for that matter [unless you enabled vLANs or management features - which is a different issue].
The switch does not maintain an "arp table". It maintains a list of MAC#s it has seen on each port.
On Wed, 2010-12-08 at 10:41 -0500, Adam Tauno Williams wrote:
On Wed, 2010-12-08 at 09:37 -0600, David G. Mackay wrote:
On Wed, 2010-12-08 at 10:01 +0100, David Sommerseth wrote:
Nope, ARP is gone. But it gets a replacement as a part of IPv6, instead of ARP being an addition to IPv4. http://itkia.com/how-to-arp-a-in-ipv6/ http://www.tcpipguide.com/free/t_TCPIPIPv6NeighborDiscoveryProtocolND.htm
I have a question about how IPV6 interacts with the switches in the local network. Right now, my sub $50(US) gigabit switch from any of several vendors keeps an arp table to determine which switch port a message will use. With the huge address space available with IPV6, how is that going to work, and when am I going to get a cheap soho switch that can handle IPV6?
The switch will continue to operate using the MAC# of the client interfaces. The switch doesn't care about IPv4, IPv6, or IPX for that matter [unless you enabled vLANs or management features - which is a different issue].
Maybe that's the case for my little cheapo soho switch.
The switch does not maintain an "arp table". It maintains a list of MAC#s it has seen on each port.
Sorry, but that's certainly incorrect for the higher end switches. I've accessed the arp table on several different brands of switches. Also, look up ARP poisoning.
Dave
On Wed, 2010-12-08 at 16:49 -0600, David G. Mackay wrote:
On Wed, 2010-12-08 at 10:41 -0500, Adam Tauno Williams wrote:
On Wed, 2010-12-08 at 09:37 -0600, David G. Mackay wrote:
On Wed, 2010-12-08 at 10:01 +0100, David Sommerseth wrote:
Nope, ARP is gone. But it gets a replacement as a part of IPv6, instead of ARP being an addition to IPv4. http://itkia.com/how-to-arp-a-in-ipv6/ http://www.tcpipguide.com/free/t_TCPIPIPv6NeighborDiscoveryProtocolND.htm
I have a question about how IPV6 interacts with the switches in the local network. Right now, my sub $50(US) gigabit switch from any of several vendors keeps an arp table to determine which switch port a message will use. With the huge address space available with IPV6, how is that going to work, and when am I going to get a cheap soho switch that can handle IPV6?
The switch will continue to operate using the MAC# of the client interfaces. The switch doesn't care about IPv4, IPv6, or IPX for that matter [unless you enabled vLANs or management features - which is a different issue].
Maybe that's the case for my little cheapo soho switch.
The switch does not maintain an "arp table". It maintains a list of MAC#s it has seen on each port.
Sorry, but that's certainly incorrect for the higher end switches.
Hence: "unless you enabled vLANs or management features - which is a different issue".
I've accessed the arp table on several different brands of switches. Also, look up ARP poisoning.
If the switch has an IPv4 management interface then it has, by definition, an ARP table. ARP is how IPv4 works on Ethernet. This doesn't mean [necessarily] that the switching mechanism is using the ARP table to route packets. If 802.1x or some type of protection scheme is not in place all one has to do is forge the MAC address on any traffic to 'confuse' the switch. Specifically ARP cache poisoning is required to get an IPv4 host to misdirect its traffic to another host on the subnet.
It is very fun to play with this, and Linux makes it pretty easy.
ip link set address xx:xx:xx:xx:xx:xx dev eth0
On Thu, 2010-12-09 at 08:32 -0500, Adam Tauno Williams wrote:
On Wed, 2010-12-08 at 16:49 -0600, David G. Mackay wrote:
On Wed, 2010-12-08 at 10:41 -0500, Adam Tauno Williams wrote:
On Wed, 2010-12-08 at 09:37 -0600, David G. Mackay wrote:
On Wed, 2010-12-08 at 10:01 +0100, David Sommerseth wrote:
Nope, ARP is gone. But it gets a replacement as a part of IPv6, instead of ARP being an addition to IPv4. http://itkia.com/how-to-arp-a-in-ipv6/ http://www.tcpipguide.com/free/t_TCPIPIPv6NeighborDiscoveryProtocolND.htm
I have a question about how IPV6 interacts with the switches in the local network. Right now, my sub $50(US) gigabit switch from any of several vendors keeps an arp table to determine which switch port a message will use. With the huge address space available with IPV6, how is that going to work, and when am I going to get a cheap soho switch that can handle IPV6?
The switch will continue to operate using the MAC# of the client interfaces. The switch doesn't care about IPv4, IPv6, or IPX for that matter [unless you enabled vLANs or management features - which is a different issue].
Maybe that's the case for my little cheapo soho switch.
The switch does not maintain an "arp table". It maintains a list of MAC#s it has seen on each port.
Sorry, but that's certainly incorrect for the higher end switches.
Hence: "unless you enabled vLANs or management features - which is a different issue".
Yes, or perhaps a layer 3 switching device.
I've accessed the arp table on several different brands of switches. Also, look up ARP poisoning.
If the switch has an IPv4 management interface then it has, by definition, an ARP table. ARP is how IPv4 works on Ethernet. This doesn't mean [necessarily] that the switching mechanism is using the ARP table to route packets. If 802.1x or some type of protection scheme is not in place all one has to do is forge the MAC address on any traffic to 'confuse' the switch. Specifically ARP cache poisoning is required to get an IPv4 host to misdirect its traffic to another host on the subnet.
It is very fun to play with this, and Linux makes it pretty easy.
ip link set address xx:xx:xx:xx:xx:xx dev eth0
Take a look at ettercap. The idea is to use arp poisoning to overflow the switch's arp table so that the switch gives up and becomes a hub, sending traffic out of every port, which allows your friendly local hacker to view all of the traffic from every port on the switch. And no, you don't have to use vlans for this to work.
Let me throw in a disclaimer that it's been over a decade since I played network manager on a good-sized network that had this kind of gear, so things have changed a bit since then. Hopefully, some of the cracks have been sealed.
Dave
On Tue, 2010-12-07 at 21:36 -0500, Ross Walker wrote:
I can only imagine phonetically calling these off on a support call, I'd get half way through it and the other end would tell me to "forget it I'll wait until DNS is working again".
You aren't crippled currently when DNS doesn't work? Because e-mail, Active Directory / Kerberos, and numerous other services just-don't-work without functioning DNS anyway. I'd say the network-minus-DNS is pretty much irrelevant in the real world.
Well, there is DNS down and there is DNS issues causing some sites problems. These may or may not be due to our DNS servers, you get the idea. When you're on your router or switch, want to traceroute or find out what port an address is on... Is there even ARP with v6?
No, IPv6 uses the neighbor discovery protocol; which is in many ways superior to ARP. http://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol
A lot of people will freak out - but once they get used to NDP instead of ARP...
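The three points made above, that ARP is replaced (David), that the switch only ever sees MACs (Adam), and that the replacement is NDP (Adam again), worked through as an added Python example; this is not code from the thread. It derives the addresses Neighbor Discovery actually uses: the EUI-64 link-local address, the solicited-node multicast group a Neighbor Solicitation is sent to instead of ARP's broadcast, and the `33:33:...` Ethernet destination that is all a layer-2 switch needs to forward it. The sample MAC `00:11:22:33:44:55` and the `2001:db8::` prefix are constructed (the latter is the documentation prefix), and the function names are this example's own.

```python
import ipaddress

# Added example: the address arithmetic behind IPv6 Neighbor Discovery
# (RFC 4861 / RFC 4291), which replaces ARP.  Function names and the sample
# MAC/prefix are constructed for this example, not taken from the thread.


def eui64_link_local(mac):
    """Derive the classic EUI-64 link-local address from a 48-bit MAC.

    Insert ff:fe in the middle, flip the universal/local bit of the first
    octet, then prepend fe80::/64.  This is what SLAAC did originally; because
    it exposes the hardware address in every packet, hosts now usually prefer
    randomised interface identifiers (RFC 4941 / RFC 7217), which change the
    last 64 bits but not the multicast mechanics below.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC, got %r" % mac)
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + bytes(iid))


def solicited_node_multicast(address):
    """Solicited-node group for an address: ff02::1:ffXX:XXXX (low 24 bits).

    A host joins this group for each of its unicast addresses.  A Neighbor
    Solicitation goes here rather than to an all-ones broadcast, so only hosts
    whose addresses share the low 24 bits even receive the query.
    """
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def multicast_mac(address):
    """Ethernet destination for an IPv6 multicast group: 33:33 + low 32 bits.

    This is the only part of ND a layer-2 switch handles.  It never looks at
    the 128-bit IPv6 address; it floods (or, with MLD snooping, forwards)
    frames to this MAC like any other multicast frame, which is why a dumb
    switch needs no IPv6 support at all.
    """
    group = ipaddress.IPv6Address(address)
    if not group.is_multicast:
        raise ValueError("%s is not a multicast address" % group)
    low32 = int(group) & 0xFFFFFFFF
    return "33:33:%02x:%02x:%02x:%02x" % tuple(low32.to_bytes(4, "big"))


def nd_resolution_targets(target_address):
    """What goes on the wire when a neighbour resolves target_address.

    Returns the solicited-node group, its Ethernet MAC, and the ICMPv6 types
    involved (135 Neighbor Solicitation, 136 Neighbor Advertisement).  An IPv6
    firewall must permit these on-link: dropping all of ICMPv6 breaks address
    resolution in a way that blocking ARP never could, because ARP is not IP.
    """
    group = solicited_node_multicast(target_address)
    return {
        "solicited_node_group": str(group),
        "ethernet_dst": multicast_mac(group),
        "icmpv6_types": (135, 136),
    }


if __name__ == "__main__":
    # Constructed sample values for illustration.
    lla = eui64_link_local("00:11:22:33:44:55")
    print("link-local:", lla)
    print("resolving 2001:db8::1 ->", nd_resolution_targets("2001:db8::1"))
    print("all-nodes ff02::1 on the wire as", multicast_mac("ff02::1"))
```

Two things for the defender follow from the arithmetic: the switch question in the thread answers itself, since the only multicast MAC involved is `33:33:ff:xx:xx:xx` and a layer-2 switch treats it like any other multicast frame; and an IPv6 packet filter written "IPv4 style" that drops all ICMPv6 will break the link, so ND (types 133 to 137) has to be allowed even on a default-deny host.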
On Mon, Dec 6, 2010 at 6:28 PM, Bob McConnell rmcconne@lightlink.com wrote:
Ryan Wagoner wrote:
IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect was hiding the internal IPv4 address, which complicates a number of protocols like FTP and SIP. The only downside I see is ISPs could try and charge based on the number of IPv6 addresses being used.
No, the downside is that each address used will be exposed to the world. I consider that a serious security flaw. Having my ISP know how many computers I have is a minor issue covered by the contract I have with them. But having all of those addresses exposed to Russian mobsters, terrorists, crackers and everyone else that knows how to capture packets is another matter altogether. If IPv6 exposes that information to the world, it is definitely unsafe to use.
As opposed to these "Russian mobsters, terrorists, crackers" looking at the headers of your email above...
On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote:
IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect was hiding the internal IPv4 address, which complicates a number of protocols like FTP and SIP. The only downside I see is ISPs could try and charge based on the number of IPv6 addresses being used.
No, the downside is that each address used will be exposed to the world.
False. That is *NOT* a downside.
NAT is *NOT* a magic sauce - install a firewall [which you probably already have]. Problem solved.
I consider that a serious security flaw.
It is not.
Having my ISP know how many computers I have is a minor issue covered by the contract I have with them.
So you want to cheap on the legal contract you agreed to?
But having all of those addresses exposed to Russian mobsters, terrorists, crackers and everyone else that knows how to capture packets is another matter altogether. If IPv6 exposes that information to the world, it is definitely unsafe to use.
The "Russian mobsters" can already do that; if you think NAT is protecting you from that then you are mistaken.
On Tuesday, December 07, 2010 05:29:09 am Adam Tauno Williams wrote:
On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote:
No, the downside is that each address used will be exposed to the world.
False. That is *NOT* a downside.
In your opinion. Others hold a different opinion. While security through obscurity doesn't help in many circumstances, there are physical security controls that absolutely depend upon it, and work. Physical lock and key, for one (the pinning must be kept obscure). Physical combination locks, for another; they depend upon keeping the gates in the wheels obscure. For that matter, any security that depends on any 'secret' is in essence a security through obscurity technique. Port knocking is a security through obscurity technique (which works quite well).
And a NAT66 will be implemented, and people *will* NAT66 their self-assigned ULA addresses (which, unlike PA /48's are portable; the alternative is all end users wanting portability getting PI /48's, and the router ops are getting their selves in a knot thinking about the route table bloat that will cause) to whatever the PA du jour is.
This *will* happen, and no amount of wishful thinking by transparent-Internet-ideologues is going to change it, since this is and will be the market demand. Whether you and I like it or not, this is the direction things are going; we might as well get used to it.
You can read the NAT66 draft standard yourself at (one mirror) http://mirror.switch.ch/ftp/mirror/internet-drafts/draft-mrw-nat66-00.txt
Lamar Owen wrote:
On Tuesday, December 07, 2010 05:29:09 am Adam Tauno Williams wrote:
On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote:
No, the downside is that each address used will be exposed to the world.
False. That is *NOT* a downside.
In your opinion. Others hold a different opinion. While security through obscurity doesn't help in many circumstances, there are physical security controls that absolutely depend upon it, and work. Physical lock and key, for one (the pinning must be kept obscure). Physical combination locks, for another; they depend upon keeping the gates in the wheels obscure. For that matter, any security that depends on any 'secret' is in essence a security through obscurity technique. Port knocking is a security through obscurity technique (which works quite well).
<snip> Sorry, let me jump in here: how is a "hidden" IP address, whether it's 10.x or 192.168.x, obscurity? Rather, AFAIK, attempts to get there from outside fail because the addresses are not valid on the 'Net itself.
mark
On Tue, 2010-12-07 at 10:11 -0500, Lamar Owen wrote:
On Tuesday, December 07, 2010 05:29:09 am Adam Tauno Williams wrote:
On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote:
No, the downside is that each address used will be exposed to the world.
False. That is *NOT* a downside.
In your opinion. Others hold a different opinion.
Others are wrong. Check the RFCs and other papers.
While security through obscurity doesn't help in many circumstances, there are physical security controls that absolutely depend upon it, and work.
False analogy.
And a NAT66 will be implemented, and people *will* NAT66 their self-assigned ULA addresses (which, unlike PA /48's are portable; the alternative is all end users wanting portability getting PI /48's, and the router ops are getting their selves in a knot thinking about the route table bloat that will cause) to whatever the PA du jour is.
But it isn't NAT. Not like IPv4 NAT, so this doesn't do much to the argument in defense of IPv4-style NAT.
IPv6 routing tables are significantly smaller - which is a large advantage to IPv6.
This *will* happen, and no amount of wishful thinking by transparent-Internet-ideologues is going to change it, since this is and will be the market demand. Whether you and I like it or not, this is the direction things are going; we might as well get used to it. You can read the NAT66 draft standard yourself at (one mirror) http://mirror.switch.ch/ftp/mirror/internet-drafts/draft-mrw-nat66-00.txt
I'm certain some people will use it, and that there are legitimate uses. But it doesn't, and won't, serve the same purpose as NAT does in IPv4.
In your opinion. Others hold a different opinion. While security through obscurity doesn't help in many circumstances, there are physical security controls that absolutely depend upon it, and work. Physical lock and key, for one (the pinning must be kept obscure). Physical combination locks, for another; they depend upon keeping the gates in the wheels obscure. For that matter, any security that depends on any 'secret' is in essence a security through obscurity technique. Port knocking is a security through obscurity technique (which works quite well).
You're talking about hiding the lock itself in a Chinese puzzle box, not hiding the tumblers inside the lock.
Adam Tauno Williams wrote:
On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote:
IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect was hiding the internal IPv4 address, which complicates a number of protocols like FTP and SIP. The only downside I see is ISPs could try and charge based on the number of IPv6 addresses being used.
No, the downside is that each address used will be exposed to the world.
False. That is *NOT* a downside.
NAT is *NOT* a magic sauce - install a firewall [which you probably already have]. Problem solved.
I consider that a serious security flaw.
It is not.
Having my ISP know how many computers I have is a minor issue covered by the contract I have with them.
So you want to cheap on the legal contract you agreed to?
No, if they want too much money before I can install additional computers, I have several other choices, some of which will likely be less expensive. Currently, their TOS is not an issue.
But having all of those addresses exposed to Russian mobsters, terrorists, crackers and everyone else that knows how to capture packets is another matter altogether. If IPv6 exposes that information to the world, it is definitely unsafe to use.
The "Russian mobsters" can already do that; if you think NAT is protecting you from that then you are mistaken.
NAT hides the IP addresses of the computers inside my firewall. The only address exposed is the temporary address assigned to the firewall itself. That box can be run on the most secure OS I can find (currently one of the BSD's), and allows me to operate other systems behind it that aren't as well protected. This makes it significantly more difficult for those mobsters to penetrate my network.
Not allowing the most popular OS on the network at all is another layer of protection. Keeping everything up to date is another. It is a well known and established process to keep my computers secure. But now you are taking away one of those layers without providing anything of equal strength to replace it. I fail to see how that is an improvement. However, it appears some of you are actually evangelists in disguise, and refuse to acknowledge any real concerns about this change. So it becomes pointless to continue the discussion.
Bob McConnell N2SPP
On Tue, Dec 7, 2010 at 10:29 AM, Bob McConnell rmcconne@lightlink.com wrote:
Adam Tauno Williams wrote:
On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote:
IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect was hiding the internal IPv4 address, which complicates a number of protocols like FTP and SIP. The only downside I see is ISPs could try and charge based on the number of IPv6 addresses being used.
No, the downside is that each address used will be exposed to the world.
False. That is *NOT* a downside.
NAT is *NOT* a magic sauce - install a firewall [which you probably already have]. Problem solved.
I consider that a serious security flaw.
It is not.
Having my ISP know how many computers I have is a minor issue covered by the contract I have with them.
So you want to cheap on the legal contract you agreed to?
No, if they want too much money before I can install additional computers, I have several other choices, some of which will likely be less expensive. Currently, their TOS is not an issue.
But having all of those addresses exposed to Russian mobsters, terrorists, crackers and everyone else that knows how to capture packets is another matter altogether. If IPv6 exposes that information to the world, it is definitely unsafe to use.
The "Russian mobsters" can already do that; if you think NAT is protecting you from that then you are mistaken.
NAT hides the IP addresses of the computers inside my firewall. The only address exposed is the temporary address assigned to the firewall itself. That box can be run on the most secure OS I can find (currently one of the BSD's), and allows me to operate other systems behind it that aren't as well protected. This makes it significantly more difficult for those mobsters to penetrate my network.
Is 172.16.10.72 a private address of yours or of your ISP?
On Tuesday, December 07, 2010 10:32:32 am Tom H wrote:
Is 172.16.10.72 a private address of yours or of your ISP?
More to the point; do you have a route to his address?
Blackhole routing makes the best firewall in the world; you can't even attempt to hack an address to which your autonomous system (or your provider's autonomous system) has no route in the BGP routing tables.
You can't even reproducibly DoS his address, since he can probably acquire another inside global one fairly easily through DHCP.....
On Tue, Dec 7, 2010 at 10:43 AM, Lamar Owen lowen@pari.edu wrote:
On Tuesday, December 07, 2010 10:32:32 am Tom H wrote:
Is 172.16.10.72 a private address of yours or of your ISP?
More to the point; do you have a route to his address?
I have a route to his dsl router, which, assuming that the ipv4 and ipv6 firewalls are as good at allowing/disallowing access, makes his current ipv4 and his future ipv6 addresses equally accessible.
On 12/7/2010 11:36 AM, Tom H wrote:
I have a route to his dsl router, which, assuming that the ipv4 and ipv6 firewalls are as good at allowing/disallowing access, makes his current ipv4 and his future ipv6 addresses equally accessible.
I've been following the NAT debate here and something occurred to me.
If you have an IPv4 network with NAT, an attacker doesn't need to know your internal IPs. All he needs is the IP to your router. NAT will nicely forward his packets along to whichever internal computer handles the port. With that one address, he can scan your entire network for any services available to the Internet.
With an IPv6 network without NAT, an attacker would need to know the specific IP of the computer he wants to attack. There is no NAT to forward along his SSH attack to the correct computer. To scan your network for vulnerabilities, he would have to scan every port on every IP. Even if he can come up with a list of the IPs that are in use, this is still much more work than scanning a single (NATed) IP.
On 07/12/10 18:10, Bowie Bailey wrote:
On 12/7/2010 11:36 AM, Tom H wrote:
I have a route to his dsl router, which, assuming that the ipv4 and ipv6 firewalls are as good at allowing/disallowing access, makes his current ipv4 and his future ipv6 addresses equally accessible.
I've been following the NAT debate here and something occurred to me.
If you have an IPv4 network with NAT, an attacker doesn't need to know your internal IPs. All he needs is the IP to your router. NAT will nicely forward his packets along to whichever internal computer handles the port. With that one address, he can scan your entire network for any services available to the Internet.
To some degree, at least if the attacker breaks into the firewall.
But to use this approach without breaking into the firewall you would need to forge network packets pretty well to be able to trick a firewall to pass on packets from the outside to the inside, especially on stateful packet inspection, where the firewall would know if the connection is initiated from the inside or outside, and to which inside client the connection belongs to.
With an IPv6 network without NAT, an attacker would need to know the specific IP of the computer he wants to attack. There is no NAT to forward along his SSH attack to the correct computer. To scan your network for vulnerabilities, he would have to scan every port on every IP. Even if he can come up with a list of the IPs that are in use, this is still much more work than scanning a single (NATed) IP.
Bingo! You have caught the point exactly!
An attacker will not know for sure if there is a firewall in between or not. Most probably he will presume so. But he still doesn't know for sure the IPv6 address of that firewall, or even if there are more cascaded firewalls in front of a public IPv6 address. Traceroute might give some clues, but if it's a strict firewall just dropping packages, this can take a looong loooooong time.
kind regards,
David Sommerseth
On 12/7/2010 12:43 PM, David Sommerseth wrote:
On 07/12/10 18:10, Bowie Bailey wrote:
On 12/7/2010 11:36 AM, Tom H wrote:
I have a route to his dsl router, which, assuming that the ipv4 and ipv6 firewalls are as good at allowing/disallowing access, makes his current ipv4 and his future ipv6 addresses equally accessible.
I've been following the NAT debate here and something occurred to me.
If you have an IPv4 network with NAT, an attacker doesn't need to know your internal IPs. All he needs is the IP to your router. NAT will nicely forward his packets along to whichever internal computer handles the port. With that one address, he can scan your entire network for any services available to the Internet.
To some degree, at least if the attacker breaks into the firewall.
But to use this approach without breaking into the firewall you would need to forge network packets pretty well to be able to trick a firewall to pass on packets from the outside to the inside, especially on stateful packet inspection, where the firewall would know if the connection is initiated from the inside or outside, and to which inside client the connection belongs to.
I wasn't referring to breaking into the firewall or forging packets. I was just referring to using the normal operation of the NAT to forward (for example) an SSH attack to the computer on the network that accepts SSH connections.
Stateful packet inspection works the same way regardless of whether or not you have NAT or IPv6, so it is mostly irrelevant to this discussion.
On 07/12/10 18:52, Bowie Bailey wrote:
On 12/7/2010 12:43 PM, David Sommerseth wrote:
On 07/12/10 18:10, Bowie Bailey wrote:
On 12/7/2010 11:36 AM, Tom H wrote:
I have a route to his dsl router, which, assuming that the ipv4 and ipv6 firewalls are as good at allowing/disallowing access, makes his current ipv4 and his future ipv6 addresses equally accessible.
I've been following the NAT debate here and something occurred to me.
If you have an IPv4 network with NAT, an attacker doesn't need to know your internal IPs. All he needs is the IP to your router. NAT will nicely forward his packets along to whichever internal computer handles the port. With that one address, he can scan your entire network for any services available to the Internet.
To some degree, at least if the attacker breaks into the firewall.
But to use this approach without breaking into the firewall you would need to forge network packets pretty well to be able to trick a firewall to pass on packets from the outside to the inside, especially on stateful packet inspection, where the firewall would know if the connection is initiated from the inside or outside, and to which inside client the connection belongs to.
I wasn't referring to breaking into the firewall or forging packets. I was just referring to using the normal operation of the NAT to forward (for example) an SSH attack to the computer on the network that accepts SSH connections.
Ahh, well, yeah. With NAT, you will expose your single public IP address no matter what, providing a good surface for starting an attack immediately, no matter who is doing what on the inside. Your public IP address will be available in all kinds of logs and mail headers - and with more users on the inside using the Internet, the more likely it is that someone will find your address interesting.
But that won't be much more different with IPv6, except that you spread the attack surface over multiple IP addresses in a huge address scope. But then by using the IPv6 Privacy Extensions, it will be more like shooting on a moving target. The public IP address being used today might not be the same which was used yesterday, or even some hours ago.
However, if someone uses a public IPv6 address for SSH from the outside world, that IPv6 address will need to be static and "known". And a static IPv6 address is still just as vulnerable to an attack as any public IPv4 address. But finding this IP address will be much more difficult due to the different huge address scope, unless there's a DNS pointer to it from www.my-own-cool-site.com.
Stateful packet inspection works the same way regardless of whether or not you have NAT or IPv6, so it is mostly irrelevant to this discussion.
Absolutely true.
kind regards,
David Sommerseth
On 12/7/10 11:10 AM, Bowie Bailey wrote:
I have a route to his dsl router, which, assuming that the ipv4 and ipv6 firewalls are as good at allowing/disallowing access, makes his current ipv4 and his future ipv6 addresses equally accessible.
I've been following the NAT debate here and something occurred to me.
If you have an IPv4 network with NAT, an attacker doesn't need to know your internal IPs. All he needs is the IP to your router. NAT will nicely forward his packets along to whichever internal computer handles the port.
What port/computer would that be? Most consumer routers default to not forwarding anything that is not related to prior outbound activity.
On 12/7/2010 1:13 PM, Les Mikesell wrote:
On 12/7/10 11:10 AM, Bowie Bailey wrote:
I have a route to his dsl router, which, assuming that the ipv4 and ipv6 firewalls are as good at allowing/disallowing access, makes his current ipv4 and his future ipv6 addresses equally accessible.
I've been following the NAT debate here and something occurred to me.
If you have an IPv4 network with NAT, an attacker doesn't need to know your internal IPs. All he needs is the IP to your router. NAT will nicely forward his packets along to whichever internal computer handles the port.
What port/computer would that be? Most consumer routers default to not forwarding anything that is not related to prior outbound activity.
And is there any reason to believe that a consumer IPv6 router would default any differently? If nothing is being allowed through, there's not much to be concerned about in either case. Outside attacks are only possible if the router/firewall allows the packets through. I was referring to a case where there are computers on the inside doing HTTP, SSH, VPN, SMTP, etc.
If we are talking about a true consumer where there are no services on the inside, then what does it matter whether the network is presented as a NAT or a collection of different IP addresses? If the firewall does not allow any connections from the outside, who cares whether an attacker knows your IP?
On Tue, 2010-12-07 at 10:32 -0500, Tom H wrote:
On Tue, Dec 7, 2010 at 10:29 AM, Bob McConnell rmcconne@lightlink.com wrote:
Adam Tauno Williams wrote:
On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote:
IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect was hiding the internal IPv4 address, which complicates a number of protocols like FTP and SIP. The only downside I see is ISPs could try and charge based on the number of IPv6 addresses being used.
No, the downside is that each address used will be exposed to the world.
False. That is *NOT* a downside. NAT is *NOT* a magic sauce - install a firewall [which you probably already have]. Problem solved.
I consider that a serious security flaw.
It is not.
Having my ISP know how many computers I have is a minor issue covered by the contract I have with them.
So you want to cheap on the legal contract you agreed to?
No, if they want too much money before I can install additional computers, I have several other choices, some of which will likely be less expensive. Currently, their TOS is not an issue.
But having all of those addresses exposed to Russian mobsters, terrorists, crackers and everyone else that knows how to capture packets is another matter altogether. If IPv6 exposes that information to the world, it is definitely unsafe to use.
The "Russian mobsters" can already do that; if you think NAT is protecting you from that then you are mistaken.
NAT hides the IP addresses of the computers inside my firewall. The only address exposed is the temporary address assigned to the firewall itself. That box can be run on the most secure OS I can find (currently one of the BSD's), and allows me to operate other systems behind it that aren't as well protected. This makes it significantly more difficult for those mobsters to penetrate my network.
Is 172.16.10.72 a private address of yours or of your ISP?
+1
NAT isn't doing what Bob McConnell thinks it is. Any "russian mobster" can afford to hire a halfway decent hacker who will only laugh at the obfuscation added by NAT. Determining how many computers, and quite a bit of detail about them, are behind a NAT is not hard. You just watch the traffic and these things reveal themselves. Your traffic can be compromised just as easily with or without NAT. Very few actually useful attacks on a host require direct access to the interface; stateful firewalls made such vectors pretty useless a long time ago.
On 07/12/10 16:45, Adam Tauno Williams wrote:
On Tue, 2010-12-07 at 10:32 -0500, Tom H wrote:
On Tue, Dec 7, 2010 at 10:29 AM, Bob McConnell rmcconne@lightlink.com wrote:
Adam Tauno Williams wrote:
On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote:
IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect was hiding the internal IPv4 address, which complicates a number of protocols like FTP and SIP. The only downside I see is ISPs could try and charge based on the number of IPv6 addresses being used.
No, the downside is that each address used will be exposed to the world.
False. That is *NOT* a downside. NAT is *NOT* a magic sauce - install a firewall [which you probably already have]. Problem solved.
I consider that a serious security flaw.
It is not.
Having my ISP know how many computers I have is a minor issue covered by the contract I have with them.
So you want to cheap on the legal contract you agreed to?
No, if they want too much money before I can install additional computers, I have several other choices, some of which will likely be less expensive. Currently, their TOS is not an issue.
But having all of those addresses exposed to Russian mobsters, terrorists, crackers and everyone else that knows how to capture packets is another matter altogether. If IPv6 exposes that information to the world, it is definitely unsafe to use.
The "Russian mobsters" can already do that; if you think NAT is protecting you from that then you are mistaken.
NAT hides the IP addresses of the computers inside my firewall. The only address exposed is the temporary address assigned to the firewall itself. That box can be run on the most secure OS I can find (currently one of the BSD's), and allows me to operate other systems behind it that aren't as well protected. This makes it significantly more difficult for those mobsters to penetrate my network.
Is 172.16.10.72 a private address of yours or of your ISP?
+1
NAT isn't doing what Bob McConnell thinks it is. Any "russian mobster" can afford to hire a halfway decent hacker who will only laugh at the obfuscation added by NAT. Determining how many computers, and quite a bit of detail about them, are behind a NAT is not hard. You just watch the traffic and these things reveal themselves. Your traffic can be compromised just as easily with or without NAT. Very few actually useful attacks on a host require direct access to the interface; stateful firewalls made such vectors pretty useless a long time ago.
You mean something along the way ... "Oh, this Bob uses 172.16.10.72 ... let's run some traceroutes towards his gateway. That could be 64.57.176.18, right? Then we can just setup a direct route from us to his 172.16.10.0/24 network. Wait! Let's add 172.16.0.0/12, just to be sure we hit the right path"
kind regards,
David Sommerseth
On Tuesday, December 07, 2010 12:26:30 pm David Sommerseth wrote:
You mean something along the way ... "Oh, this Bob uses 172.16.10.72 ... let's run some traceroutes towards his gateway. That could be 64.57.176.18, right? Then we can just setup a direct route from us to his 172.16.10.0/24 network. Wait! Let's add 172.16.0.0/12, just to be sure we hit the right path"
And if his or your or any ISP between you and him implements BCP38 properly the packets with a destination of the RFC1918 address will be blackholed and will never get there, even if you put a static source route to them. You don't have a direct path to his router, at least not for routing purposes, since your packets are going to be inspected and routed by routers in between. It does depend on some best current practices being implemented, though. Like RFC1918 bogon filtering at the AS boundary as part of the BGP session between AS routers. And unless you are operating your own BGP border (I am at one site), you can't influence the AS path the packet will follow on the DFZ.
The basis for 'NAT security' is relying on the best practice of blackholing RFC1918 addresses on the DFZ router mesh. Not all AS's implement the policy properly, but enough do that trying to route (using essentially source routing) to an RFC1918 address will fail when it hits the DFZ, and virtually all inter-AS packets hit the DFZ at some point. Source routing is blocked by most AS borders, so you can't 'hint' the routers in between that you have to pass traffic to 172.16.0.0/12 through that particular router; the DFZ is going to tell your hint to shove it. But it does depend on the specific policies of each AS between you and the RFC1918-using target.
The security for RFC1918, or for IPv6 ULA RFC4193 addresses relies not on NAT per se, but on the basic non-global-routability of the addresses in question on the default-free-zone. NAT just allows you to use non-globally-routable addresses by translating to globally-routable ones.
About the only thing you could really do to gain direct access to his RFC1918-using network behind the NAT is to compromise his router and set up GRE (or similar) tunnels into it.
Further, what's to say his MUA isn't set to poison the mail headers this 172.160.0.0/12 address came from? That's relying on the mail headers; if I were to ssh to your server from behind a NAT I challenge you to determine the RFC1918 address I'm using.
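The point made above, that RFC 1918 and ULA addresses are protected by their non-routability on the default-free zone rather than by NAT, is easy to see in code. The following is an added example, not code from the thread or from any of the posters; it uses Python's standard ipaddress module, the real RFC 1918 / RFC 4193 / RFC 3879 allocations, and a constructed packet list in which only 172.16.10.72 and 64.57.176.18 come from the thread (the other addresses are made up). The border_filter function applies a BCP38-style policy: a packet whose source or destination is not globally routable is dropped at the AS border, whatever static route an attacker configured on his own side.

```python
import ipaddress

# Well-known allocations discussed in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")   # IPv4 link-local
LINK_LOCAL = ipaddress.ip_network("fe80::/10")   # IPv6 link-local
SITE_LOCAL = ipaddress.ip_network("fec0::/10")   # deprecated by RFC 3879
ULA = ipaddress.ip_network("fc00::/7")           # RFC 4193 unique local


def classify(addr):
    """Return the routing scope of an IPv4 or IPv6 address as a short label."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        if any(ip in net for net in RFC1918):
            return "rfc1918-private"
        if ip in APIPA:
            return "link-local"
    else:
        if ip in LINK_LOCAL:
            return "link-local"
        if ip in SITE_LOCAL:
            return "site-local-deprecated"
        if ip in ULA:
            return "ula"
    # Anything else is either global unicast or some other reserved block
    # (documentation prefixes, loopback, ...), which is not routed either.
    return "global" if ip.is_global else "other-non-global"


def border_filter(packets):
    """BCP38-style policy at an AS border: forward a packet only when both
    its source and its destination are globally routable.
    Returns (forwarded, dropped); each dropped entry carries the reason."""
    forwarded, dropped = [], []
    for src, dst in packets:
        src_scope, dst_scope = classify(src), classify(dst)
        if src_scope != "global":
            dropped.append((src, dst, "non-global source: " + src_scope))
        elif dst_scope != "global":
            dropped.append((src, dst, "non-global destination: " + dst_scope))
        else:
            forwarded.append((src, dst))
    return forwarded, dropped


# Constructed sample traffic (src, dst). 172.16.10.72 and 64.57.176.18 are
# the addresses quoted in the thread; everything else is made up.
SAMPLE_PACKETS = [
    ("64.57.176.18", "172.16.10.72"),       # aimed at an RFC 1918 host
    ("2a00:1450::1", "fd12:3456:789a::1"),  # same idea with a ULA target
    ("2a00:1450::1", "fec0::1"),            # deprecated site-local target
    ("64.57.176.18", "64.57.176.19"),       # ordinary global-to-global
]

if __name__ == "__main__":
    fwd, drop = border_filter(SAMPLE_PACKETS)
    for pkt in drop:
        print("DROP   ", *pkt)
    for pkt in fwd:
        print("FORWARD", *pkt)
```

Note that classify treats documentation prefixes such as 2001:db8::/32 as "other-non-global": they are not routed on the DFZ either, which is exactly why they are safe to use in examples like this one.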
On Mon, 2010-12-06 at 17:15 -0500, Bob McConnell wrote:
So, spending one or two or 100s /64 subnets with public IPv6 addresses which is completely blocked in a firewall will serve exactly the same purpose as a site-local subnet. But this /64 net may get access to the Internet *if* allowed by the firewall. This is not possible with site-local at all. And of course, this is without NAT in addition. I hope this made it a little bit clearer.
Clear as mud. If I understand you correctly, I have to say that IPv6 is broken by design.
It isn't.
I have a double handful of computers on my home network. Each of them needs access to the Internet to get updates to the OS and various applications. However, I do *NOT* want each and every one of them to show up as a unique address outside of my network.
Why? Things will only work better. NAT is not some magic sauce, it is a *HACK*.
With IP4 and m0n0wall running as the NAT, they are all translated to the single IP address that Roadrunner assigned to my Firewall. I need to continue that mapping.
Why? There is no reason. You are wrong, you do *NOT* need to "continue that mapping". That mapping is pointless.
If IPv6 cannot do that, then I hope Time-Warner continues to ignore it and stays with their current address structure.
Adam Tauno Williams wrote:
On Mon, 2010-12-06 at 17:15 -0500, Bob McConnell wrote:
So, spending one or two or 100s /64 subnets with public IPv6 addresses which is completely blocked in a firewall will serve exactly the same purpose as a site-local subnet. But this /64 net may get access to the Internet *if* allowed by the firewall. This is not possible with site-local at all. And of course, this is without NAT in addition. I hope this made it a little bit clearer.
Clear as mud. If I understand you correctly, I have to say that IPv6 is broken by design.
It isn't.
I have a double handful of computers on my home network. Each of them needs access to the Internet to get updates to the OS and various applications. However, I do *NOT* want each and every one of them to show up as a unique address outside of my network.
Why? Things will only work better. NAT is not some magic sauce, it is a *HACK*.
With IP4 and m0n0wall running as the NAT, they are all translated to the single IP address that Roadrunner assigned to my Firewall. I need to continue that mapping.
Why? There is no reason. You are wrong, you do *NOT* need to "continue that mapping". That mapping is pointless.
No, it is not pointless. The first step in attacking any computer is finding the IP address. If that address is broadcast outside the firewall every time it talks to another computer, that step is simple. If it is hidden behind a firewall that does NAT, it becomes harder to find and that first step becomes much more difficult.
Currently, the only IP address transmitted outside my firewall is the one assigned to that firewall by the Roadrunner DHCP server. None of the addresses inside are exposed. That is a level of protection I am not prepared to give up. I don't care how much you evangelists blab about the new improved sauce, I still see it as a solution in search of a problem. As far as I am concerned, NAT already solved the address space problem.
Bob McConnell N2SPP
On Mon, Dec 6, 2010 at 6:27 AM, David Sommerseth dazo@users.sourceforge.net wrote:
On 05/12/10 14:21, Tom H wrote:
On Sun, Dec 5, 2010 at 8:13 AM, RedShift redshift@pandora.be wrote:
On 12/05/10 12:50, Rudi Ahlers wrote:
(http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Day...),
Haven't switched yet, I have IPv6 at home using sixxs.
I can't even figure out what address ranges are reserved for private use, is there even such a concept in IPv6?
I think that site-local ("fec0:: - fef::") is the ipv6 more-or-less-equivalent of ipv4 private addresses.
Yes, that's correct and it is deprecated. http://www.ietf.org/rfc/rfc3879.txt
Many thanks (and apologies to all for the outdated/incorrect info).
On 6 December 2010 15:40, Tom H tomh0665@gmail.com wrote:
On Mon, Dec 6, 2010 at 6:27 AM, David Sommerseth dazo@users.sourceforge.net wrote:
On 05/12/10 14:21, Tom H wrote:
On Sun, Dec 5, 2010 at 8:13 AM, RedShift redshift@pandora.be wrote:
On 12/05/10 12:50, Rudi Ahlers wrote:
(http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Day...),
Using ipv6 at home on CentOS 5.5, winXP and OpenBSD -current. Both ethernet and wifi. Have a /48 from my UK isp - Andrew's and Arnold (AAISP) giving native ipv6 over DSL. It works really well but that is because i am using a Cisco 877 on the IOS 15 with advipservices train so i still have an SPI firewall (as well as ipv6 ACLs).
I think part of the main problem with uptake is the lack of residential DSL routers supporting it.
At the moment i have lower latency to ipv6 sites than ipv4!
Was very easy to implement it, just switched it on in the confs of the various boxen, told the router to do RA. I like the /64 with EUI for the clients and more rememberable addresses for services. I also like the (glacial) length of time it would take someone to try and scan my address space - *way more* than scanning my /24 ipv4 address space :)
mike
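Two things said in this thread meet here: the "/64 with EUI" client addressing above, and the earlier remark that IPv6 Privacy Extensions turn a host into a moving target. An EUI-64 interface identifier is derived from the MAC, so such an address reveals the NIC vendor and MAC to every peer and log it reaches; a temporary address does not. The following added example (not code from the thread or from any poster) shows both derivations with the standard ipaddress module; the prefix 2001:db8:1:2::/64 and the MAC 00:1b:21:aa:bb:cc are constructed values.

```python
import ipaddress
import os


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A):
    flip the universal/local bit of the first octet and insert ff:fe
    between the OUI and the device half of the 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix, mac):
    """The address a host autoconfigures from a /64 RA prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def mac_from_address(addr):
    """Recover the MAC from an EUI-64 derived address, or None when the
    interface identifier is not in EUI-64 form (e.g. a temporary one)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def temporary_address(prefix, rng=os.urandom):
    """RFC 4941 privacy extension, simplified: a random interface
    identifier with the u/l bit cleared (i.e. marked 'local'), so the
    address carries no MAC and changes whenever it is regenerated."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    iid = bytearray(rng(8))
    iid[0] &= 0xFD  # clear bit 0x02, the universal/local bit
    return ipaddress.IPv6Address(net.network_address.packed[:8] + bytes(iid))


# Constructed sample values: a documentation prefix and a made-up MAC.
SAMPLE_PREFIX = "2001:db8:1:2::/64"
SAMPLE_MAC = "00:1b:21:aa:bb:cc"

if __name__ == "__main__":
    stable = slaac_address(SAMPLE_PREFIX, SAMPLE_MAC)
    print("EUI-64 address:   ", stable, "-> MAC", mac_from_address(stable))
    temp = temporary_address(SAMPLE_PREFIX)
    print("temporary address:", temp, "-> MAC", mac_from_address(temp))
```

The ff:fe marker in the middle of the identifier is what mac_from_address keys on; it is also what makes EUI-64 addresses recognisable in logs, which is the operational reason to prefer temporary addresses for clients while keeping stable, DNS-published addresses only for the services that need them.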
On Sun, 2010-12-05 at 14:13 +0100, RedShift wrote:
And what about this arbitrarily chosen /64 subnet? So we're returning back to classfull routing? A provider won't be able to purchase a subnet greater than /64 from for example RIPE?
Within a reasonable planning horizon, what provider would need ~1.84*10^19 (or for those who don't grok exponential notation 18,400,000,000,000,000,000) addresses?
brian
On Sun, 2010-12-05 at 14:13 +0100, RedShift wrote:
On 12/05/10 12:50, Rudi Ahlers wrote:
Seeing as IPV4 is near it's end of life (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Day...), I'm curios as who know whether everyone is ready for the changeover to IPV6? Is anyone using it in production already, and what are your experiences with it?
Haven't switched yet, I have IPv6 at home using sixxs. IMO the slow adoption is caused by the complexity IPv6 brings. They should have just modified IP to use 128 bits addresses and leave the rest as is.
Disagree, IPv4 at this point is a whole heap of hacks. IPv6 throws out lots of crap and provides for much better performance [routing IPv6 requires much less horsepower than routing IPv4].
For example, what is the use of a link scoped IPv6 address? Why would you want to assign an IP address to yourself that's of no use at all?
It is incredibly useful. There is a lot of traffic that is only relevant to the local-link. Now two computers on the same wire can communicate automatically - true zero-configuration. IPv6 uses link-local for neighbor discovery. Remember IPV6 does not use ARP.
I can't even figure out what address ranges are reserved for private use, is there even such a concept in IPv6?
None, and no. There is no exact equivalent - thank goodness. Everyone using 192.168.1.x and NAT is a real pain.
I know that IPv6 is supposed to allow every address to be publicly route-able but having your computers in private ranges and use NAT has big advantages towards security.
NO NO NO NO NO NO NO and NO! (*@!^&*@$ &@*^*&$@ &*@^*&@ How many times does this have to be explained??? NAT *IS* *NOT* a @*(&^*(^@(*@ security tool. It isn't. Stop saying it is. You use *firewalls* for security. Just block ingress traffic and you are just as well off as you are on NAT - and odds are in your NAT configure you are doing that already. All you do is eliminate the hacks, performance penalty, and interoperability problems created by NAT. NAT is a *problem*, not a solution for anything other than a deficient network protocol.
And what about this arbitrarily chosen /64 subnet? So we're returning back to classfull routing?
Yes, thank goodness. No more ridiculously tedious netmasks.
Stateless auto-configuration is a useless feature, just like APIPA. I much prefer DHCP and thankfully it still exists for v6.
Correct, nothing is lost, things are gained. All to the good.
On Dec 6, 2010, at 8:37 AM, Adam Tauno Williams awilliam@whitemice.org wrote:
NO NO NO NO NO NO NO and NO! (*@!^&*@$ &@*^*&$@ &*@^*&@ How many times does this have to be explained??? NAT *IS* *NOT* a @*(&^*(^@(*@ security tool. It isn't. Stop saying it is. You use *firewalls* for security. Just block ingress traffic and you are just as well off as you are on NAT - and odds are in your NAT configure you are doing that already. All you do is eliminate the hacks, performance penalty, and interoperability problems created by NAT. NAT is a *problem*, not a solution for anything other than a deficient network protocol.
There is no arguing that NAT is not a security tool, but if your firewall drops its pants it's better to have non-routable addresses behind it.
-Ross
On 06/12/10 15:53, Ross Walker wrote:
On Dec 6, 2010, at 8:37 AM, Adam Tauno Williams awilliam@whitemice.org wrote:
NO NO NO NO NO NO NO and NO! (*@!^&*@$ &@*^*&$@ &*@^*&@ How many times does this have to be explained??? NAT *IS* *NOT* a @*(&^*(^@(*@ security tool. It isn't. Stop saying it is. You use *firewalls* for security. Just block ingress traffic and you are just as well off as you are on NAT - and odds are in your NAT configure you are doing that already. All you do is eliminate the hacks, performance penalty, and interoperability problems created by NAT. NAT is a *problem*, not a solution for anything other than a deficient network protocol.
There is no arguing that NAT is not a security tool, but if your firewall drops its pants it's better to have non-routable addresses behind it.
Good point. I'm just thinking out loud.
What if the gateway/router/firewall does not know about the IPv6 network on the network interface where this "sensitive" IPv6 net is.
And does it really need to be connected to this gateway at all, if it shouldn't be available to other networks at all? And if there are some odd reasons for doing so, what about having this IPv6 subnet in a separate VLAN without a IPv6 gateway to the rest of the world?
kind regards,
David Sommerseth
On Sun, Dec 5, 2010 at 6:50 AM, Rudi Ahlers Rudi@softdux.com wrote:
Seeing as IPV4 is near it's end of life (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Day...), I'm curios as who know whether everyone is ready for the changeover to IPV6?
Is anyone using it in production already, and what are your experiences with it?
-- Kind Regards Rudi Ahlers SoftDux
Website: http://www.SoftDux.com Technical Blog: http://Blog.SoftDux.com Office: 087 805 9573 Cell: 082 554 7532
I've been using IPv6 with Vyatta through a tunnel broker (he.net). I'm running a dual stack configuration and have a few websites enabled. I have been holding off my email as Zimbra isn't fully compliant. The other holdup is that ISPs, like Verizon FIOS, aren't supporting it. I called Verizon FIOS's business support line and when I asked about obtaining a IPv6 /64 or /48, he asked me what IPv6 was. For now the tunnel broker is great, but it adds complexity and there is no SLA.
What bothers me about IPv6 is that they used : to separate the address portions. This makes extra work to go directly to the IP in a browser, configure Apache, etc as it has to be put in []. You also can't browse IPv6 network shares by IP. At least in Windows you have to replace : with - and append .ipv6-literal.net
Stateless auto configuration works great, but I don't use it on my servers. The address becomes too long to keep track of so I have manually configured them. It looks like most sites supporting IPv6 have done the same.
With stateless configuration on the clients I lose the dynamic DNS that DHCP provides. The DHCP6 server on CentOS 5.5 doesn't support dynamic DNS updates either. I use it to only hand out the DNS server address. CentOS 6 will come with the ISC DHCPv6 server that will support dynamic DNS. When that happens I plan to switch over to DHCP entirely so DNS will be updated. It is really annoying to see last login by some random IPv6 address on my CentOS boxes.
It is great to see that NAT is gone. No more UPnP or NAT port mapping nonsense. On my Vyatta box I have just blocked all incoming IPv6 traffic that is not established or related. I think I allowed only ICMP echo request to any IPv6 address and ports for my servers. This makes it just as secure as IPv4 with NAT.
The other issue I foresee is all the Windows XP users. Windows XP doesn't support a native IPv6 implementation. It can only query DNS through IPv4. Microsoft needs to pull the plug on Windows XP. Although running IPv6 only is a few if not more years away.
Ryan
On Sun, 2010-12-05 at 13:50 +0200, Rudi Ahlers wrote:
Seeing as IPV4 is near it's end of life (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Day...), I'm curios as who know whether everyone is ready for the changeover to IPV6? Is anyone using it in production already, and what are your experiences with it?
Yes, dual-stack, internally. It works fine; it is certainly nicer to manage than IPv4. Nearly everything supports it at this point.
On 12/06/2010 01:22 PM, Adam Tauno Williams wrote:
I'm curios as who know whether everyone is ready for the changeover to IPV6? Is anyone using it in production already, and what are your experiences with it?
generic questions like that are more suited to ipv6 centric lists. if you are looking for specific CentOS centric ipv6 experience - yes, it works. I've got about 2 dozen machines on native ipv6 only for $VariousWork stuff, and almost all of my own personal kit runs dual stack.
Yes, dual-stack, internally. It works fine; it is certainly nicer to manage than IPv4. Nearly everything supports it at this point.
I agree, having used ipv6 for a few years now : much easier to manage than ipv4 and way more functional.
- KB
On 05/12/10 12:50, Rudi Ahlers wrote:
Seeing as IPV4 is near it's end of life (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Day...), I'm curios as who know whether everyone is ready for the changeover to IPV6?
Is anyone using it in production already, and what are your experiences with it?
I am using IPv6 quite frequently now, mostly at home where I use Hurricane Electric/Tunnelbroker, configured on a OpenWRT router. I have full stateless autoconfiguration running and all connected devices get IPv6 access instantly. I even have an IPv6 enabled OpenVPN server running on this router, so I get IPv6 access via this router and to my internal boxes as well.
I also have a CentOS5.5 firewall which I connect to via SSH over IPv6 on a remote site. I have not implemented IPv6 support internally on that site, due to the lack of proper stateful packet inspection (SPI) in iptables. That's why I'm waiting for CentOS6, as that will remove this obstacle. SPI support came first in 2.6.20-something for IPv6 and it's been considered too hard to backport that feature to the 2.6.18 kernels which RHEL5/CentOS5 is based on. However, stateless firewalling does work.
Further I have a Gentoo based firewall on yet another remote site, which does have a 2.6.30-something kernel with proper IPv6 SPI support in iptables. At the moment I'm only accessing it SSH over IPv6, but I'm working on setting up IPv6 access for VPN, http/https and e-mail services there.
There are some security considerations though, related to stateless auto configuration. Currently whichever client on a local network may start a radvd process which will announce where the default GW can be found - thus redirecting IPv6 traffic via a hostile gateway. But I believe people are trying to solve this as well. One approach is to have an auto-responder which will send out invalidation broadcasts on new router broadcasts. In such a scenario an attacker may do the same as well, and then you're getting closer to the same chaos you may get by having two DHCP servers on the same subnet.
However, that issue is only relevant on local networks and can't be performed as an attack from a different subnet.
In my point of view, IPv6 is ready for prime-time. CentOS5/RHEL5 and older is not completely up-to-shape, due to the lack of SPI support in iptables. But RHEL6 and the coming CentOS6 should be good to go.
kind regards,
David Sommerseth
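The rogue-RA problem described above is a local-link detection problem: every Router Advertisement on a segment should come from a known router, from that router's own MAC, announcing the prefix the segment is supposed to have. The following added example (not code from the thread or from any poster) shows the checks a monitor would run over captured RAs, including the case of a lifetime-0 "invalidation" RA that spoofs the legitimate router's link-local address from a different NIC. The RouterAdvert records, the allow-list (router fe80::1 with MAC 00:11:22:33:44:55 on eth0, prefix 2001:db8:1:2::/64) and the sample events are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class RouterAdvert:
    """Fields a monitor would extract from a captured RA (ICMPv6 type 134)."""
    ifname: str
    src: str              # IPv6 source; RFC 4861 requires link-local
    src_mac: str          # Ethernet source of the frame
    prefix: str           # prefix from the Prefix Information option
    router_lifetime: int  # seconds; 0 = "do not use me as a default router"


# Constructed allow-list: the one router expected on each segment, pinned
# to its MAC, and the prefix it is allowed to announce there.
KNOWN_ROUTERS = {"eth0": {"fe80::1": "00:11:22:33:44:55"}}
KNOWN_PREFIXES = {"eth0": {ipaddress.IPv6Network("2001:db8:1:2::/64")}}


def check_ra(ra, routers=KNOWN_ROUTERS, prefixes=KNOWN_PREFIXES):
    """Return a list of findings for one RA; an empty list means it matches policy."""
    findings = []
    if not ipaddress.IPv6Address(ra.src).is_link_local:
        findings.append("RA source is not link-local")
    expected_mac = routers.get(ra.ifname, {}).get(ra.src)
    if expected_mac is None:
        findings.append(f"unknown router {ra.src} on {ra.ifname}")
    elif expected_mac.lower() != ra.src_mac.lower():
        # Someone claiming the real router's address from another NIC: the
        # way a bogus 'invalidation' of the legitimate gateway would look.
        findings.append(f"source MAC {ra.src_mac} does not match {ra.src}")
    if ipaddress.IPv6Network(ra.prefix) not in prefixes.get(ra.ifname, set()):
        findings.append(f"unexpected prefix {ra.prefix} on {ra.ifname}")
    if ra.router_lifetime == 0 and expected_mac is not None:
        findings.append("router withdrawal (lifetime 0) for a known router; verify it was planned")
    return findings


def detect(events):
    """Run check_ra over captured RAs; returns (index, findings) for each hit."""
    alerts = []
    for i, ra in enumerate(events):
        findings = check_ra(ra)
        if findings:
            alerts.append((i, findings))
    return alerts


# Constructed sample capture: the real router, a rogue radvd on a client,
# and a spoofed withdrawal of the real router sent from the rogue's NIC.
SAMPLE_RAS = [
    RouterAdvert("eth0", "fe80::1", "00:11:22:33:44:55", "2001:db8:1:2::/64", 1800),
    RouterAdvert("eth0", "fe80::bad:1", "02:ab:cd:ef:01:23", "2001:db8:bad::/64", 1800),
    RouterAdvert("eth0", "fe80::1", "02:ab:cd:ef:01:23", "2001:db8:1:2::/64", 0),
]

if __name__ == "__main__":
    for index, findings in detect(SAMPLE_RAS):
        print(f"RA #{index}:")
        for f in findings:
            print("   ", f)
```

The MAC pinning is what distinguishes a genuine router withdrawal from a spoofed one; without it, the auto-responder approach mentioned above and an attacker's counter-invalidation look identical on the wire. Enforcing the same policy at the switch port (RA Guard, or 802.1X as suggested in the reply below) stops the frames before a monitor ever sees them.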
On Mon, 2010-12-06 at 16:12 +0100, David Sommerseth wrote:
On 05/12/10 12:50, Rudi Ahlers wrote: There are some security considerations though, related to stateless auto configuration. Currently whichever client on a local network may start a radvd process which will announce where the default GW can be found - thus redirecting IPv6 traffic via a hostile gateway. But I believe people are trying to solve this as well. One approach is to have an auto-responder which will send out invalidation broadcasts on new router broadcasts. In such a scenario an attacker may do the same as well, and then you're getting closer to the same chaos you may get by having two DHCP servers on the same subnet. However, that issue is only relevant on local networks and can't be performed as an attack from a different subnet.
At least a large part of the solution to that problem is to police the layers below any version of IP. Typically by using 802.1x / EAP to authenticate the client to the switch.
In my point of view, IPv6 is ready for prime-time. CentOS5/RHEL5 and older is not completely up-to-shape, due to the lack of SPI support in iptables. But RHEL6 and the coming CentOS6 should be good to go.
+1
On Sunday, December 05, 2010 06:50:44 am Rudi Ahlers wrote:
Seeing as IPV4 is near it's end of life (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Day...), I'm curios as who know whether everyone is ready for the changeover to IPV6?
Is anyone using it in production already, and what are your experiences with it?
IPv4 will likely continue to work even long past available address exhaustion.
What will break is access from your non-IPv6 machine to IPv6 only sites. Well, that's already broken, but as new sites and eyeballs come online, there will be IPv4 only users (and sites) that will no longer be reachable from the 'whole Internet' (talk about an oxymoron!).
As to NAT, well, IPv6 does have the equivalent non-public-routable address space, and, yes, there is a NAT66 out there, just not available from all vendors (and yes, lots of people are protesting up a storm). NAT is not going to go away, sorry, as there are enough people wanting it to give financial incentive for vendors to provide it, whether anyone thinks it's misguided or not.
Read the NANOG archives for the last year and see for yourself how well or ill prepared the people who actually run the 'Internet' in North America are.
So yes you need an IPv6 strategy, and yes there are ways to keep devices on your network invisible from outside your network; RFC 4193 "Unique Local IPv6 Unicast Addresses" covers it. For a ULA addressed device to get to the IPv6 Internet will require either a NAT66 device or an ALG (proxy) and is the recommended way to do things that RFC1918 addresses are commonly used for in IPv4.
In watching this thread I had to pinch myself and remind myself that I wasn't reading NANOG by mistake; had to check the folder and the incoming mail rules, too.... :-)