On Mon, Dec 6, 2010 at 6:56 PM, Ryan Wagoner <rswagoner at gmail.com> wrote:
> On Mon, Dec 6, 2010 at 6:28 PM, Bob McConnell <rmcconne at lightlink.com> wrote:
>> Ryan Wagoner wrote:
>>> On Mon, Dec 6, 2010 at 5:15 PM, Bob McConnell <rmcconne at lightlink.com> wrote:
>>>> David Sommerseth wrote:
>>>>> On 06/12/10 15:29, Todd Rinaldo wrote:
>>>>>> On Dec 6, 2010, at 5:27 AM, David Sommerseth wrote:
>>>>>>
>>>>>>> On 05/12/10 14:21, Tom H wrote:
>>>>>>>> On Sun, Dec 5, 2010 at 8:13 AM, RedShift <redshift at pandora.be> wrote:
>>>>>>>>> On 12/05/10 12:50, Rudi Ahlers wrote:
>>>>>>>>>> (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Days.htm),
>>>>>>>>> Haven't switched yet, I have IPv6 at home using sixxs.
>>>>>>>>>
>>>>>>>>> I can't even figure out what address ranges are reserved for private use, is there even such a concept in IPv6?
>>>>>>>> I think that site-local ("fec0:: - fef::") is the ipv6
>>>>>>>> more-or-less-equivalent of ipv4 private addresses.
>>>>>>> Yes, that's correct and it is deprecated.
>>>>>>> <http://www.ietf.org/rfc/rfc3879.txt>
>>>>>>>
>>>>>>> With IPv6 there are plenty of addresses for everyone, so you basically use
>>>>>>> your own assigned official IPv6 address space and set up your own private
>>>>>>> /64 net and block that subnet in your firewalls.
>>>>>>>
>>>>>>> Another thing, there is no NAT and it will not be implemented as we know
>>>>>>> it in IPv4. To call NAT a security feature is also a faulty
>>>>>>> understanding, as NAT only prevents access from outside to some
>>>>>>> computer inside a network which is NAT'ed. This restriction and
>>>>>>> filtering is the task of the firewall anyway, which does the NAT anyway.
>>>>>>>
>>>>>>> NAT basically just breaks a lot of protocols and enforces complex
>>>>>>> firewalls which need to understand a lot of different protocols to be
>>>>>>> able to do things correctly, which often do not work as well as they could.
>>>>>>>
>>>>>> I've heard this before but it's always confused me. Admittedly I
>>>>>> haven't had a chance to look at the spec. If we're saying that
>>>>>> everyone's going to have the same private subnet, then we're saying
>>>>>> that all the private subnets are going to have to be NAT-ed,
>>>>>> aren't they?
>>>>> This can be a bit confusing, especially if you see this with "IPv4
>>>>> eyes". In IPv6, there basically is no such thing as a private subnet (range).
>>>>>
>>>>> When you contact your ISP to get an IPv6 subnet, they will most probably
>>>>> give you a /48 network. That means you will have an IPv6 prefix which is
>>>>> unique. That is a reference to all _your_ IPv6 networks.
>>>>>
>>>>> Then you will normally segment this /48 subnet into more /64 networks.
>>>>> A /48 subnet gives you 65536 /64 networks. So the IPv6 prefix will be
>>>>> something like:
>>>>>
>>>>> aaaa:aaaa:aaaa:bbbb::/64
>>>>>
>>>>> the 'aaaa:aaaa:aaaa' part is the prefix your ISP will provide you, and
>>>>> this is the first 48 bits of the IPv6 address. The 'bbbb' part is up to
>>>>> you to decide what will be, and that's the next 16 bits of the address
>>>>> scope. So 48 + 16 = 64 bits. And 2^16 = 65536.
>>>>>
>>>>> And this is all you need to know about IPv6 addressing. Really! That's
>>>>> it. No network addresses, no broadcast addresses. Just pure usable
>>>>> IPv6 addresses.
>>>>>
>>>>> (You may of course make even more subnets below /64, but that's usually
>>>>> not recommended - especially with auto-configured networks)
>>>>>
>>>>> So then ... the next phase. As everyone who gets a /48 net should have
>>>>> it flexible enough to set up private networks, the firewall just needs to
>>>>> completely block incoming traffic to a /64 net defined by the admins as
>>>>> private. It can further be decided if this /64 net should have access
>>>>> to IPv6 addresses outside this local network. Again this is just a
>>>>> firewall rule and nothing more - allow or reject/drop.
>>>>>
>>>>> And then, the formerly proposed site-local subnet makes pretty much no
>>>>> sense, as IPv6 does not support NAT. As this network would not be able
>>>>> to communicate across a router/firewall. This subnet (fec0:: - fef::)
>>>>> should not be routed anywhere. And without NAT, it can't escape the
>>>>> subnet at all anyway.
>>>>>
>>>>> So, spending one or two or 100s of /64 subnets with public IPv6 addresses
>>>>> which are completely blocked in a firewall will serve exactly the same
>>>>> purpose as a site-local subnet. But this /64 net may get access to the
>>>>> Internet *if* allowed by the firewall. This is not possible with
>>>>> site-local at all. And of course, this is without NAT in addition.
>>>>>
>>>>> I hope this made it a little bit clearer.
>>>> Clear as mud. If I understand you correctly, I have to say that IPv6 is
>>>> broken by design. I have a double handful of computers on my home
>>>> network. Each of them needs access to the Internet to get updates to the
>>>> OS and various applications. However, I do *NOT* want each and every one
>>>> of them to show up as a unique address outside of my network. With IPv4
>>>> and m0n0wall running as the NAT, they are all translated to the single
>>>> IP address that Roadrunner assigned to my Firewall. I need to continue
>>>> that mapping. If IPv6 cannot do that, then I hope Time-Warner continues
>>>> to ignore it and stays with their current address structure.
>>>>
>>>> Bob McConnell
>>>> N2SPP
>>>
>>> IPv6 is not broken by design. NAT was implemented to extend the time
>>> until IPv4 exhaustion. A side effect was hiding the internal IPv4
>>> address, which complicates a number of protocols like FTP and SIP. The
>>> only downside I see is ISPs could try and charge based on the number
>>> of IPv6 addresses being used.
>>
>> No, the downside is that each address used will be exposed to the world.
>> I consider that a serious security flaw. Having my ISP know how many
>> computers I have is a minor issue covered by the contract I have with
>> them. But having all of those addresses exposed to Russian mobsters,
>> terrorists, crackers and everyone else that knows how to capture packets
>> is another matter altogether. If IPv6 exposes that information to the
>> world, it is definitely unsafe to use.
>
> The data is already exposed with IPv4, but it just looks to originate
> from one place. With an IPv6 firewall blocking all incoming traffic
> you have the same security as IPv4 with NAT. The data is still
> exposed, it just comes from multiple places now. Plus with the
> trillions of addresses available it becomes much harder to just brute
> force attack a range of IPs.
>
> Interestingly enough Windows went one step ahead and chooses a random
> IPv6 address instead of basing it on the MAC address. The address
> changes over time making it harder to track your usage to a single
> computer.

That's why IPv6 privacy extensions have been developed - to randomize the ethernet address.
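The three technical points in the thread (carving an ISP /48 into 65536 /64s, making a public /64 "private" purely by firewall policy, and why SLAAC addresses derived from the MAC are trackable while privacy-extension addresses are not) fit in one worked example. This is added illustration code, not written by any participant in the thread. It assumes the documentation prefix 2001:db8::/48 standing in for the 'aaaa:aaaa:aaaa' prefix, a constructed MAC address and a constructed two-subnet policy; the `firewall_permits` function is a toy model of a stateful border filter, not any real firewall's rule syntax, and the ff:fe check in `mac_from_address` is a heuristic that a random identifier could in principle match by chance.

```python
"""Added example (not from the thread): /48 -> /64 subnetting, 'private'
as firewall policy on a public /64, and MAC leakage in EUI-64 addresses."""
import ipaddress

# Constructed: 2001:db8::/48 (documentation range) plays the ISP-delegated prefix.
ISP_PREFIX = ipaddress.IPv6Network("2001:db8::/48")


def count_of_64s(prefix: ipaddress.IPv6Network) -> int:
    """How many /64 networks fit inside the delegated prefix: 2^(64 - prefixlen)."""
    if prefix.prefixlen > 64:
        raise ValueError("prefix is already smaller than a /64")
    return 1 << (64 - prefix.prefixlen)


def nth_subnet(prefix: ipaddress.IPv6Network, n: int) -> ipaddress.IPv6Network:
    """The n-th /64 inside prefix. For a /48, n is the 16-bit 'bbbb' field
    from the thread, i.e. bits 48..63 of the address."""
    if not 0 <= n < count_of_64s(prefix):
        raise ValueError("subnet index out of range for this prefix")
    return ipaddress.IPv6Network((int(prefix.network_address) + (n << 64), 64))


# Constructed site policy. Nothing about the address space is private: 'private'
# just means no unsolicited inbound traffic on a public /64, and whether that
# /64 may reach the Internet is a second, independent rule.
POLICY = {
    nth_subnet(ISP_PREFIX, 0xBBBB): {"inbound": False, "outbound": True},  # workstations
    nth_subnet(ISP_PREFIX, 0x0001): {"inbound": True, "outbound": True},   # public servers
}


def firewall_permits(src: str, dst: str, established: bool = False) -> bool:
    """Decision for one packet at the site border. `established` means the packet
    belongs to a flow already accepted in the other direction (connection
    tracking); that is what lets default-deny inbound behave like IPv4 NAT
    without rewriting any address."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    src_net = next((n for n in POLICY if s in n), None)
    dst_net = next((n for n in POLICY if d in n), None)
    if src_net is not None and dst_net is not None:
        return True                              # intra-site: routed, not filtered here
    if src_net is not None:
        return established or POLICY[src_net]["outbound"]
    if dst_net is not None:
        return established or POLICY[dst_net]["inbound"]
    return False                                 # neither side is ours: drop


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 from a 48-bit MAC (RFC 4291 appendix A): insert ff:fe in
    the middle and flip the universal/local bit of the first octet. This is the
    identifier SLAAC uses when privacy extensions are off."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def slaac_address(subnet: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Address a host would autoconfigure in `subnet` from its MAC."""
    return ipaddress.IPv6Address(int(subnet.network_address) + eui64_interface_id(mac))


def mac_from_address(addr: str):
    """Recover the MAC from an EUI-64 style address, or None when the interface
    identifier lacks the ff:fe marker, as a privacy-extension address (random,
    rotated over time) normally does. Heuristic: a random IID may match by chance."""
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    lan = nth_subnet(ISP_PREFIX, 0xBBBB)
    print(f"{ISP_PREFIX} holds {count_of_64s(ISP_PREFIX)} /64s; workstation LAN is {lan}")
    print("unsolicited inbound:", firewall_permits("2001:db8:ffff::1", "2001:db8:0:bbbb::10"))
    print("reply to our flow:  ", firewall_permits("2001:db8:ffff::1", "2001:db8:0:bbbb::10", True))
    host = slaac_address(lan, "00:1b:21:aa:bb:cc")  # constructed MAC
    print(f"SLAAC address {host} reveals MAC {mac_from_address(str(host))}")
```

The firewall half shows Ryan's point: the workstation /64 gets exactly the exposure profile of an IPv4 NAT (nothing unsolicited in, replies to its own flows back in) while every host keeps a globally unique address. The EUI-64 half shows Bob's concern in concrete terms: a MAC-derived address pins traffic to one NIC across every network it visits, which is what privacy extensions remove by choosing a random identifier and rotating it.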