[AusNOG] Globally Routed IPv6 and Windows Firewall

Mark ZZZ Smith markzzzsmith at yahoo.com.au
Tue Jul 29 07:07:37 EST 2014






>________________________________
> From: Glen Turner <gdt at gdt.id.au>
>To: Greg Anderson <ganderson at raywhite.com> 
>Cc: ausnog at lists.ausnog.net 
>Sent: Saturday, 26 July 2014 9:32 PM
>Subject: Re: [AusNOG] Globally Routed IPv6 and Windows Firewall
> 
>
>> I am exposing myself to IPv6 in a personal fashion as I do not have any
>> other avenues. I cannot afford high end gear to do this.
>
>You don't need high-end gear to learn about IPv6. For example, my service 
>at home quite happily runs global IPv6 via a cheap USB ADSL modem, a 
>RaspberryPi, and a $11 fast ethernet switch:
>
>http://vk5tu.livejournal.com/37206.html
>
>Of course I could have bought all of that in one box, but building your 
>own router is a good way to learn about IPv6.
>

I agree with Glen; the only thing high-end hardware will get you is high-end throughput, and you don't need that when learning a protocol.

I first ran IPv6 back in 1999 between a couple of PCs at home, learning about SLAAC and RAs using radvd (http://www.litech.org/radvd/).

It is also possible to build more complicated networks between Linux hosts once Linux supported VLAN tags - it is common that most VLAN tag unaware switches will forward VLAN tagged frames, so it is possible to create more complicated topologies using virtual links using different VLANs between two or more Linux boxes. Freely available routing software such as gated or zebra/quagga have supported IPv6 for quite a long time.

These days it is getting even easier to simulate complicated networks using virtualisation - and the gobs of RAM and CPU that even laptops have these days. I know a number of people who have simulated either their production network or performed network testing for Internet scale routing using network virtualisation.




>You'll notice the configuration has deep-packet inspection and stateful 
>firewalling for incoming IPv6 connections. This gives the same 
>"protection" as deep-packet inspection and network address translation for 
>IPv4. [1]
>
>There has been considerable thought to the architecture and security of 
>home networks using IPv6. This draft from the IETF
>http://tools.ietf.org/html/draft-ietf-homenet-arch-16
>outlines the current approaches and issues.
>
>Best wishes, glen
>
>[1] Quotes around "protection" because in the end the network is the wrong 
>place to be implementing most security. For example, stateful inspection 
>-- either by firewall or NAT -- is easily defeated by "exfiltration"-style 
>attacks which open a connection from the inside to the outside (eg, by 
>exploiting a flaw in a web browser). Security isn't really much to do with 
>networking protocols, but with access, authorisation and auditing of 
>processes on each host. Unfortunately we've made worse progress in 
>practical implementations of this than almost any other technology in 
>computing, so we're currently having to hack together short-term, never 
>completely satisfactory counter-measures which run on the network.
>
>-- 
>Glen Turner <http://www.gdt.id.au/~gdt/>

