<div dir="ltr">What I do (and we do at work) is run stateful firewalling on the home/office router, and don't allow inbound traffic on v6 unless it's for an established session. Same as we did all those years ago when our homes/offices had a public /24 (We all had that at home right? ;) ). It's certainly not a new problem :)<div>
<br></div><div>Cheers,</div><div><br>DG</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 25 July 2014 13:11, Greg Anderson <span dir="ltr"><<a href="mailto:ganderson@raywhite.com" target="_blank">ganderson@raywhite.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Good day Ladies and Gentlemen!<div><br></div><div>I had a quick question because try as I might, anybody I have asked this question to so far (and Google) have been unable to answer the question for me.</div>
<div><br></div><div>With the deployment of a dual stack IPv6 solution either in a corporate or residential environment, I expect most users would have a single NIC in most cases.</div><div><br></div><div>For Windows firewall, IPv4 addresses in common cases are not globally routed addresses that often have less restrictive firewall rules and services running on them (e.g. SNMP, File/Printer sharing, RDP, Homegroup etc). In these cases, some would often use "Domain" or "Private" firewall profiles on these NICs.</div>
<div><br></div><div>With the deployments of IPv6, they will also have local link IPv6 addresses (fine as they are not globally routed either obviously), and at some point many will have a globally routed IPv6 address. So this means, for a given NIC, you will now have:</div>
<div><br></div><div>- IPv4 Reserved address for Private local networking</div><div><div>- IPv6 Reserved address for Private local networking</div><div>- IPv6 Globally routed address (and possibly a second temporary address)</div>
<div><br></div><div>Suddenly when the deployment of Globally routed IPv6 addresses happens: because the NIC has a private profile there are suddenly private services exposed to the Internet. (Let's put our tin foil hat on and ignore the difficulties of brute force scanning an IPv6 subnet).</div>
<div><br></div><div>Option 1 is obvious - change your NIC's network type to public, and if you don't want everything to break reconfigure all your rules to permit traffic only from local link addresses (i.e. - a real pain in the _)</div>
<div><br></div><div>Is there an option 2? Ideally, I would like the public ranges to be automatically detected (or specifically reconfigurable) as a globally routed IP address range and therefore to be able to apply multiple profiles (Public and Private/Domain) to a single NIC.</div>
<div><br></div><div>I am considering this from a residential dumb end user perspective as well as enterprise - so whilst I would like a technical solution (and I am aware those of us smart enough can still firewall at the edge just like we do today) - many residential users will not have these skills - they are likely to really open themselves up. So I am interested to see if I am missing something very obvious...</div>
<div><br></div><div>Thoughts?</div><span class="HOEnZb"><font color="#888888"><div><br></div><div>- Greg</div>
</font></span></div></div>
<br>_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">
<p>Damien Gardner Jnr<br>VK2TDG. Dip EE. GradIEAust<br><a href="mailto:rendrag@rendrag.net" target="_blank">rendrag@rendrag.net</a> - <span><a href="http://www.rendrag.net/" target="_blank">http://www.rendrag.net/</a><u><br>
</u></span>--<br>We rode on the winds of the rising storm,<br> We ran to the sounds of thunder.<br>We danced among the lightning bolts,<br> and tore the world asunder</p></div>
</div>
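The edge policy described in the reply above, sketched as an added example that is not part of the original thread or any poster's actual configuration. It assumes a Linux-based router running nftables; the table name `edge` and the interface names `wan0` and `lan0` are hypothetical. Only forwarded traffic is covered, not traffic addressed to the router itself.

```nftables
# Added example. Assumptions: Linux router with nftables; "wan0" (upstream)
# and "lan0" (inside) are hypothetical interface names.
table ip6 edge {
    chain forward {
        # Default deny for anything routed through the box.
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions that inside hosts opened, plus
        # ICMPv6 errors that conntrack associates with those sessions.
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may open new sessions towards the Internet.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 error types that path MTU discovery and error reporting
        # rely on; dropping packet-too-big breaks connections in subtle ways.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # New inbound sessions from the WAN to globally routed host
        # addresses stop here, whatever firewall profile the host's NIC
        # is using. The counter shows how much unsolicited traffic arrives.
        iifname "wan0" counter drop
    }
}
```

Loading the file with `nft -f` and reading the counter back with `nft list chain ip6 edge forward` confirms the drop rule is matching unsolicited inbound traffic.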