[CentOS] transition to ip6

Mon Apr 2 14:59:23 UTC 2012
Les Mikesell <lesmikesell at gmail.com>

On Mon, Apr 2, 2012 at 9:39 AM, Peter Eckel <lists at eckel-edv.de> wrote:
>> So what does that mean for a client application (http/ftp,etc.) where
>> you might have local firewalls permitting things for internal-subnet
>> source ranges but you also have external targets that only accept
>> pre-configured static sources?
> Are you referring to the situation where you have several clients on the internal network that use NAT to appear as one single IPv4 host to an external server, which allows access based on that global outside NAT address?

Yes, we have relationships with outside services that require
pre-registering the source addresses that will be used for access.  In
the NAT scenario, these become the public side of the gateways that
might be used - a manageable number, even for a large cluster of
internal hosts.  And we have internal firewalling among subnets based
on the private address ranges of the hosts. I'd assume this is a
common, if not universal situation for organizations.

> The situation is a bit different without NAT. Instead of filtering on a single IPv4 address the external server would filter on a /64 IPv6 network. Security-wise there is no difference as you'll never get smaller allocations than /64 per site anyway, so what with respect to filtering was a single IPv4 address with IPv4/NAT is a /64 subnet with IPv6: A unique identifier of the network connecting to the external server. Both with IPv4/NAT and IPv6 the server only knows which network you are coming from, not which specific host is trying to connect.
> When there really is a requirement that the external server allows only a single address to access it and that can't be changed, you could resort to using a proxy.

What is typical or reasonable for source address restrictions?  That
is, if there are 2 global organizations, and one wants to increase
the security on access to a service by limiting to the source
addresses that might come from the other, is there a sane way to
specify it, and to make the application use those addresses at the
right times if the interface has others?

   Les Mikesell
    lesmikesell at gmail.com
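The filtering model Peter describes in the thread, as an added example that is not from the thread: a source-address allowlist for an external service where the IPv4 entries are the public sides of a site's NAT gateways and the IPv6 entry is the site's /64. The addresses are constructed documentation ranges (RFC 5737 / RFC 3849), and the check that flags IPv6 entries narrower than /64 is my addition, not something the thread proposes.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed allowlist (documentation addresses, not a real site):
# IPv4 entries are the public side of each NAT gateway, i.e. single hosts;
# the IPv6 entry is the whole /64 the partner site connects from.
ALLOWLIST = [
    "203.0.113.10",             # NAT gateway A, public side
    "203.0.113.11",             # NAT gateway B, public side
    "2001:db8:1234:abcd::/64",  # partner site's IPv6 subnet
]


def parse_allowlist(entries: Iterable[str]) -> list:
    """Turn allowlist strings into network objects.

    A bare address becomes a /32 (IPv4) or /128 (IPv6); strict=False masks
    off any host bits so "2001:db8:1234:abcd::5/64" means the whole /64.
    """
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def fragile_entries(networks) -> List[str]:
    """Flag IPv6 entries narrower than /64.

    Such entries pin one interface identifier. With SLAAC privacy
    extensions (RFC 4941) the client's identifier changes over time, so a
    /128 entry tends to stop matching; the /64 is the stable unit per site.
    """
    return [str(n) for n in networks if n.version == 6 and n.prefixlen > 64]


def is_allowed(source: str, networks) -> bool:
    """True if the connecting source address falls in any allowed network."""
    addr = ipaddress.ip_address(source)
    return any(addr in n for n in networks if n.version == addr.version)


def classify(sources: Iterable[str], networks) -> List[Tuple[str, bool]]:
    """Evaluate a batch of observed source addresses against the allowlist."""
    return [(s, is_allowed(s, networks)) for s in sources]


if __name__ == "__main__":
    nets = parse_allowlist(ALLOWLIST)
    for src, ok in classify(["203.0.113.10", "203.0.113.12",
                             "2001:db8:1234:abcd:1:2:3:4",
                             "2001:db8:1234:abce::1"], nets):
        print(f"{src:<28} {'allow' if ok else 'deny'}")
```

Any host inside the partner's /64 matches regardless of its interface identifier, while an IPv4 source other than the registered gateway addresses is denied.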