On 06/12/10 15:29, Todd Rinaldo wrote:
>
> On Dec 6, 2010, at 5:27 AM, David Sommerseth wrote:
>
>> On 05/12/10 14:21, Tom H wrote:
>>> On Sun, Dec 5, 2010 at 8:13 AM, RedShift <redshift at pandora.be> wrote:
>>>> On 12/05/10 12:50, Rudi Ahlers wrote:
>>>>>
>>>>> (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Days.htm),
>>>>
>>>> Haven't switched yet, I have IPv6 at home using sixxs.
>>>>
>>>> I can't even figure out what address ranges are reserved for private
>>>> use, is there even such a concept in IPv6?
>>>
>>> I think that site-local ("fec0:: - fef::") is the IPv6
>>> more-or-less-equivalent of IPv4 private addresses.
>>
>> Yes, that's correct, and it is deprecated.
>> <http://www.ietf.org/rfc/rfc3879.txt>
>>
>> With IPv6 there are plenty of addresses for everyone, so you basically use
>> your own assigned official IPv6 address space, set up your own private
>> /64 net and block that subnet in your firewalls.
>>
>> Another thing: there is no NAT, and it will not be implemented as we know
>> it in IPv4. To call NAT a security feature is also a faulty
>> understanding, as NAT only prevents access from outside to some
>> computer inside a network which is NAT'ed. This restriction and
>> filtering is the task of the firewall anyway, which does the NAT anyway.
>>
>> NAT basically just breaks a lot of protocols and enforces complex
>> firewalls which need to understand a lot of different protocols to be
>> able to do things correctly, which often does not work as well as it could.
>>
>
> I've heard this before, but it's always confused me. Admittedly I
> haven't had a chance to look at the spec. If we're saying that
> everyone's going to have the same private subnet, then we're saying
> that all the private subnets are going to have to be NAT-ed,
> aren't they?

This can be a bit confusing, especially if you see this with "IPv4 eyes". In IPv6, there is basically no such thing as a private subnet (range).
When you contact your ISP to get an IPv6 subnet, they will most probably give you a /48 network. That means you will have an IPv6 prefix which is unique. That is a reference to all _your_ IPv6 networks. Then you will normally segment this /48 subnet into more /64 networks. A /48 subnet gives you 65536 /64 networks.

So the IPv6 prefix will be something like:

  aaaa:aaaa:aaaa:bbbb::/64

The 'aaaa:aaaa:aaaa' part is the prefix your ISP will provide you, and this is the first 48 bits of the IPv6 address. The 'bbbb' part is up to you to decide, and that's the next 16 bits of the address scope. So 48 + 16 = 64 bits. And 2^16 = 65536.

And this is all you need to know about IPv6 addressing. Really! That's it. No network addresses, no broadcast addresses. Just pure usable IPv6 addresses. (You may of course make even more subnets below /64, but that's usually not recommended, especially with auto-configured networks.)

So then ... the next phase. As everyone who gets a /48 net should have it flexible enough to set up private networks, the firewall just needs to completely block incoming traffic to a /64 net defined by the admins as private. It can further be decided if this /64 net should have access to IPv6 addresses outside this local network. Again, this is just a firewall rule and nothing more: allow or reject/drop.

And then the formerly proposed site-local subnet makes pretty much no sense, as IPv6 does not support NAT and this network would not be able to communicate across a router/firewall. This subnet (fec0:: - fef::) should not be routed anywhere. And without NAT, it can't escape the subnet at all anyway.

So, spending one, two or hundreds of /64 subnets with public IPv6 addresses which are completely blocked in a firewall will serve exactly the same purpose as a site-local subnet. But this /64 net may get access to the Internet *if* allowed by the firewall. This is not possible with site-local at all. And of course, this is without NAT in addition.
I hope this made it a little bit clearer.

kind regards,

David Sommerseth
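The addressing arithmetic and the border-firewall policy David describes, as an added example that is not part of the original thread. It assumes a constructed ISP assignment (2001:db8:1234::/48, taken from the RFC 3849 documentation range), an arbitrary choice of which /64 the admins mark as "private", and models the firewall decision in Python's ipaddress module rather than in ip6tables/nftables; the BorderFirewall class and its method names are the example's own.

```python
import ipaddress

# Constructed ISP assignment (RFC 3849 documentation prefix): an assumption
# for this example, not an address from the original post.
ISP_PREFIX = ipaddress.IPv6Network("2001:db8:1234::/48")
# Deprecated site-local range (RFC 3879): not routable, and no NAT to rewrite it.
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")


def subnet64(prefix, index):
    """Return /64 number `index` below a /48 prefix.

    Bits 0..47 come from the ISP prefix ('aaaa:aaaa:aaaa'); bits 48..63 are
    the 16-bit index chosen by the site ('bbbb'), so 48 + 16 = 64.
    """
    if prefix.prefixlen != 48:
        raise ValueError("expected a /48 prefix")
    if not 0 <= index < 2 ** 16:
        raise ValueError("subnet index must fit in 16 bits")
    base = int(prefix.network_address)
    return ipaddress.IPv6Network((base + (index << 64), 64))


def count_subnets64(prefix):
    """How many /64 networks fit below `prefix` (2^(64 - prefixlen))."""
    return 2 ** (64 - prefix.prefixlen)


class BorderFirewall:
    """Allow/drop decision for packets crossing the site's router/firewall.

    A /64 listed in `private` never receives traffic from outside the site.
    Hosts in a private /64 may talk to the outside only if that /64 is also
    listed in `outbound_ok`. Traffic that stays inside the site never
    reaches the border and is accepted here.
    """

    def __init__(self, site, private, outbound_ok=()):
        self.site = site
        self.private = set(private)
        self.outbound_ok = set(outbound_ok)

    def _local64(self, addr):
        """The /64 containing `addr` if it lies in our /48, else None."""
        if addr not in self.site:
            return None
        return ipaddress.IPv6Network((int(addr), 64), strict=False)

    def decide(self, src, dst):
        src = ipaddress.IPv6Address(src)
        dst = ipaddress.IPv6Address(dst)
        # Site-local cannot cross a router and there is no NAT to help it.
        if src in SITE_LOCAL or dst in SITE_LOCAL:
            return "drop"
        src64 = self._local64(src)
        dst64 = self._local64(dst)
        if src64 is None and dst64 is None:
            return "drop"          # neither end is ours: not our traffic
        if src64 is not None and dst64 is not None:
            return "accept"        # internal traffic; never crosses the border
        if dst64 in self.private:
            return "drop"          # inbound to a private /64 is always blocked
        if src64 in self.private and src64 not in self.outbound_ok:
            return "drop"          # private /64 kept fully isolated
        return "accept"            # public /64, or private with outbound allowed


if __name__ == "__main__":
    private_net = subnet64(ISP_PREFIX, 0x0001)          # 2001:db8:1234:1::/64
    fw = BorderFirewall(ISP_PREFIX, private=[private_net])
    print(count_subnets64(ISP_PREFIX), "/64 networks below", ISP_PREFIX)
    print(fw.decide("2001:db8::1", str(private_net[16])))   # drop
    print(fw.decide(str(private_net[16]), "2001:db8::1"))   # drop
    print(fw.decide("2001:db8::1", "2001:db8:1234:2::10"))  # accept
```

The point the model makes explicit: the "private" /64 is an ordinary globally routable prefix, and what makes it private is only the drop rule at the border. Flip the same /64 into `outbound_ok` and its hosts can reach the Internet with no address rewriting at all, which a site-local prefix could never do.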