[CentOS] IPV4 is nearly depleted, are you ready for IPV6?

Tom H tomh0665 at gmail.com
Tue Dec 7 08:14:33 UTC 2010


On Mon, Dec 6, 2010 at 6:56 PM, Ryan Wagoner <rswagoner at gmail.com> wrote:
> On Mon, Dec 6, 2010 at 6:28 PM, Bob McConnell <rmcconne at lightlink.com> wrote:
>> Ryan Wagoner wrote:
>>> On Mon, Dec 6, 2010 at 5:15 PM, Bob McConnell <rmcconne at lightlink.com> wrote:
>>>> David Sommerseth wrote:
>>>>> On 06/12/10 15:29, Todd Rinaldo wrote:
>>>>>> On Dec 6, 2010, at 5:27 AM, David Sommerseth wrote:
>>>>>>
>>>>>>> On 05/12/10 14:21, Tom H wrote:
>>>>>>>> On Sun, Dec 5, 2010 at 8:13 AM, RedShift <redshift at pandora.be> wrote:
>>>>>>>>> On 12/05/10 12:50, Rudi Ahlers wrote:
>>>>>>>>>> (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Days.htm),
>>>>>>>>> Haven't switched yet, I have IPv6 at home using sixxs.
>>>>>>>>>
>>>>>>>>> I can't even figure out what address ranges are reserved for private use, is there even such a concept in IPv6?
>>>>>>>> I think that site-local ("fec0:: - fef::") is the ipv6
>>>>>>>> more-or-less-equivalent of ipv4 private addresses.
>>>>>>> Yes, that's correct and it is deprecated.
>>>>>>> <http://www.ietf.org/rfc/rfc3879.txt>
>>>>>>>
>>>>>>> With IPv6 there is plenty of addresses for everyone so you basically use
>>>>>>> your own assigned official IPv6 address space and setup your own private
>>>>>>> /64 net and block that subnet in your firewalls.
>>>>>>>
>>>>>>> Another thing, there is no NAT and it will not be implemented as we know
>>>>>>> it in IPv4.  To call NAT a security feature is also a faulty
>>>>>>> understanding.  As NAT only prevents access from outside to some
>>>>>>> computer inside a network which is NAT'ed.  This restriction and
>>>>>>> filtering is the task of the firewall anyway, which does the NAT anyway.
>>>>>>>
>>>>>>> NAT basically just breaks a lot of protocols and enforces complex
>>>>>>> firewalls which need to understand a lot of different protocols to be
>>>>>>> able to do things correctly.  Which often do not work as well as it could.
>>>>>>>
>>>>>> I've heard this before but it's always confused me. Admittedly I
>>>>>> haven't had a chance to look at the spec. If we're saying that
>>>>>> everyone's going to have the same private subnet, then we're saying
>>>>>> that all the private subnets are going to have to be NAT-ed
>>>>>> aren't they?
>>>>> This can be a bit confusing, especially if you see this with "IPv4
>>>>> eyes".  In IPv6, there basically is no such thing as a private subnet (range).
>>>>>
>>>>> When you contact your ISP to get an IPv6 subnet, they will most probably
>>>>> give you a /48 network.  That means you will have an IPv6 prefix which is
>>>>> unique.  That is a reference to all _your_ IPv6 networks.
>>>>>
>>>>> Then you will normally segment this /48 subnet into more /64 networks.
>>>>> A /48 subnet gives you 65536 /64 networks.  So the IPv6 prefix will be
>>>>> something like:
>>>>>
>>>>>    aaaa:aaaa:aaaa:bbbb::/64
>>>>>
>>>>> the 'aaaa:aaaa:aaaa' part is the prefix your ISP will provide you, and
>>>>> this is the first 48 bits of the IPv6 address.  The 'bbbb' part is up to
>>>>> you to decide what will be, and that's the next 16 bits of the address
>>>>> scope.  So 48 + 16 = 64 bits.   And 2^16 = 65536.
>>>>>
>>>>> And this is all you need to know about IPv6 addressing.  Really!  That's
>>>>> it.  No network addresses, no broadcast addresses.  Just pure usable
>>>>> IPv6 addresses.
>>>>>
>>>>> (You may of course make even more subnets below /64, but that's usually
>>>>> not recommended at - especially with auto-configured networks)
>>>>>
>>>>> So then ... the next phase.  As everyone who gets a /48 nets should have
>>>>> it flexible enough to setup private networks, the firewall just needs to
>>>>> block completely in-going traffic to a /64 net defined by the admins as
>>>>> private.  It can further be decided if this /64 net should have access
>>>>> to IPv6 addresses outside this local network.  Again this is just a
>>>>> firewall rule and nothing more - allow or reject/drop.
>>>>>
>>>>> And then, the former proposed site-local subnet makes pretty much no
>>>>> sense, as IPv6 does not support NAT.  As this network would not be able
>>>>> to communicate across a router/firewall.  This subnet (fec0:: - fef::)
>>>>> should not be routed anywhere.  And without NAT, it can't escape the
>>>>> subnet at all anyway.
>>>>>
>>>>> So, spending one or two or 100s /64 subnets with public IPv6 addresses
>>>>> which is completely blocked in a firewall will serve exactly the same
>>>>> purpose as a site-local subnet.  But this /64 net may get access to the
>>>>> Internet *if* allowed by the firewall.  This is not possible with
>>>>> site-local at all.  And of course, this is without NAT in addition.
>>>>>
>>>>> I hope this made it a little bit clearer.
>>>> Clear as mud. If I understand you correctly, I have to say that IPv6 is
>>>> broken by design. I have a double handful of computers on my home
>>>> network. Each of them needs access to the Internet to get updates to the
>>>> OS and various applications. However, I do *NOT* want each and every one
>>>> of them to show up as a unique address outside of my network. With IP4
>>>> and m0n0wall running as the NAT, they are all translated to the single
>>>> IP address that Roadrunner assigned to my Firewall. I need to continue
>>>> that mapping. If IPv6 cannot do that, then I hope Time-Warner continues
>>>> to ignore it and stays with their current address structure.
>>>>
>>>> Bob McConnell
>>>> N2SPP
>>>
>>> IPv6 is not broken by design. NAT was implemented to extend the time
>>> until IPv4 exhaustion. A side effect was hiding the internal IPv4
>>> address, which complicates a number of protocols like FTP and SIP. The
>>> only downside I see is ISPs could try and charge based on the number
>>> of IPv6 addresses being used.
>>
>> No, the downside is that each address used will be exposed to the world.
>> I consider that a serious security flaw. Having my ISP know how many
>> computers I have is a minor issue covered by the contract I have with
>> them. But having all of those addresses exposed to Russian mobsters,
>> terrorists, crackers and everyone else that knows how to capture packets
>> is another matter altogether. If IPv6 exposes that information to the
>> world, it is definitely unsafe to use.
>
> The data is already exposed with IPv4, but it just looks to originate
> from one place. With an IPv6 firewall blocking all incoming traffic
> you have the same security as IPv4 with NAT. The data is still
> exposed, it just comes from multiple places now. Plus with the
> trillions of addresses available it becomes much harder to just brute
> force attack a range of IPs.
>
> Interestingly enough Windows went one step ahead and chooses a random
> IPv6 address instead of basing it on the MAC address. The address
> changes over time making it harder to track your usage to a single
> computer.

That's why ipv6 privacy extensions have been developed - to randomize
the ethernet address.
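The two technical points in this thread, David's /48 carved into 65536 /64s with one of them simply blocked at the firewall, and Ryan's and Tom's remark about randomised interface identifiers, can be worked through with Python's standard `ipaddress` module. The block below is an added example and not code from the thread or from any of its participants. It assumes `2001:db8:1::/48` (a constructed block inside the RFC 3849 documentation prefix) as the ISP-assigned /48, `bbbb` as the admin-chosen subnet id of the "private" /64, and `00:11:22:33:44:55` as a constructed MAC; the function names are the example's own.

```python
"""IPv6 addressing as described in the thread, worked through with the
standard library: a /48 carved into /64s, the two ways of forming the
64-bit interface identifier (IID), and the firewall-style decision for a
/64 the admin has marked private.

2001:db8:1::/48 is a constructed example inside the RFC 3849 documentation
prefix, standing in for an ISP-assigned block.
"""
import ipaddress
import secrets

ISP_48 = ipaddress.IPv6Network("2001:db8:1::/48")  # constructed ISP assignment
IID_MASK = (1 << 64) - 1                            # low 64 bits of an address
UL_BIT = 1 << 57                                    # universal/local bit (0x02 in the IID's first byte)


def subnet_count(parent: ipaddress.IPv6Network, new_prefix: int = 64) -> int:
    """How many /new_prefix networks fit in `parent`: 2^16 = 65536 /64s per /48."""
    return 1 << (new_prefix - parent.prefixlen)


def pick_64(parent: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Return the /64 whose 16-bit subnet id (the 'bbbb' group) is `subnet_id`."""
    if not 0 <= subnet_id < subnet_count(parent):
        raise ValueError("subnet id out of range for this /48")
    base = int(parent.network_address) + (subnet_id << 64)  # group 4 sits at bits 79..64
    return ipaddress.IPv6Network((base, 64))


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 IID (RFC 4291, Appendix A): split the MAC, insert ff:fe,
    flip the U/L bit.  The MAC remains readable straight out of the address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def temporary_iid() -> int:
    """Privacy-extension style IID (RFC 4941): 64 random bits with the U/L bit
    cleared, so nothing about the hardware is embedded and it can be rotated."""
    return secrets.randbits(64) & ~UL_BIT & IID_MASK


def make_address(net64: ipaddress.IPv6Network, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit IID into a full address."""
    if net64.prefixlen != 64:
        raise ValueError("interface identifiers go with a /64")
    return ipaddress.IPv6Address(int(net64.network_address) | (iid & IID_MASK))


def embeds_mac(addr: str) -> bool:
    """Audit helper: True when the IID carries the EUI-64 ff:fe marker, i.e. the
    host is advertising its MAC and is not using privacy extensions."""
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    return (iid >> 24) & 0xFFFF == 0xFFFE


PRIVATE_64S = [pick_64(ISP_48, 0xBBBB)]  # the admin-designated "private" /64


def inbound_verdict(dst: str, private_64s=PRIVATE_64S) -> str:
    """The rule from the thread: inbound traffic whose destination lies in a
    private /64 is dropped; anything else falls through to the rest of the ruleset."""
    dst_addr = ipaddress.IPv6Address(dst)
    if any(dst_addr in net for net in private_64s):
        return "DROP"
    return "CONTINUE"


if __name__ == "__main__":
    print(f"{ISP_48} holds {subnet_count(ISP_48)} /64 networks")
    lan = PRIVATE_64S[0]
    mac_based = make_address(lan, eui64_iid("00:11:22:33:44:55"))  # constructed MAC
    random_based = make_address(lan, temporary_iid())
    for a in (mac_based, random_based):
        print(f"{a}  embeds MAC: {embeds_mac(str(a))}  inbound: {inbound_verdict(str(a))}")
    public = make_address(pick_64(ISP_48, 0x0001), 1)
    print(f"{public}  inbound: {inbound_verdict(str(public))}")
```

Running it prints the 65536 count, then two addresses in the same `2001:db8:1:bbbb::/64`: the EUI-64 one shows `ff:fe` in the middle and `embeds_mac` flags it, the temporary one does not, and both get `DROP` for inbound traffic because the decision is made on the /64, not on how the host formed its IID. The `embeds_mac` check is the kind of thing to run over a neighbour table when auditing which hosts still expose their MAC in their address.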
