[AusNOG] Globally Routed IPv6 and Windows Firewall

Warren Bold wbold at polyfone.com.au
Tue Jul 29 09:10:45 EST 2014


Alternatively, if you have the right IOS image around you can run a network in GNS3 and link VirtualBox hosts in.

Kind regards

Warren Bold

-----Original Message-----
From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Mark ZZZ Smith
Sent: Tuesday, 29 July 2014 7:08 AM
To: Glen Turner; Greg Anderson
Cc: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] Globally Routed IPv6 and Windows Firewall

>________________________________
> From: Glen Turner <gdt at gdt.id.au>
>To: Greg Anderson <ganderson at raywhite.com> 
>Cc: ausnog at lists.ausnog.net 
>Sent: Saturday, 26 July 2014 9:32 PM
>Subject: Re: [AusNOG] Globally Routed IPv6 and Windows Firewall
> 
>
>> I am exposing myself to IPv6 in a personal fashion as I do not have any
>> other avenues. I cannot afford high end gear to do this.
>
>You don't need high-end gear to learn about IPv6. For example, my service 
>at home quite happily runs global IPv6 via a cheap USB ADSL modem, a 
>RaspberryPi, and a $11 fast ethernet switch:
>
>http://vk5tu.livejournal.com/37206.html
>
>Of course I could have bought all of that in one box, but building your 
>own router is a good way to learn about IPv6.
>

I agree with Glen, the only thing high end hardware will get you is high end throughput, and you don't need that when learning a protocol.

I first ran IPv6 back in 1999 between a couple of PCs at home, learning about SLAAC and RAs using radvd (http://www.litech.org/radvd/).

It is also possible to build more complicated networks between Linux hosts once Linux supported VLAN tags - it is common that most VLAN tag unaware switches will forward VLAN tagged frames, so it is possible to create more complicated topologies using virtual links using different VLANs between two or more Linux boxes. Freely available routing software such as gated or zebra/quagga has supported IPv6 for quite a long time.

These days it is getting even easier to simulate complicated networks using virtualisation - and the gobs of RAM and CPU that even laptops have these days. I know a number of people who have simulated either their production network or performed network testing for Internet scale routing using network virtualisation.

>You'll notice the configuration has deep-packet inspection and stateful 
>firewalling for incoming IPv6 connections. This gives the same 
>"protection" as deep-packet inspection and network address translation for 
>IPv4. [1]
>
>There has been considerable thought to the architecture and security of 
>home networks using IPv6. This draft from the IETF
>http://tools.ietf.org/html/draft-ietf-homenet-arch-16
>outlines the current approaches and issues.
>
>Best wishes, glen
>
>[1] Quotes around "protection" because in the end the network is the wrong 
>place to be implementing most security. For example, stateful inspection 
>-- either by firewall or NAT -- is easily defeated by "exfiltration"-style 
>attacks which open a connection from the inside to the outside (eg, by 
>exploiting a flaw in a web browser). Security isn't really much to do with 
>networking protocols, but with access, authorisation and auditing of 
>processes on each host. Unfortunately we've made worse progress in 
>practical implementations of this than almost any other technology in 
>computing, so we're currently having to hack together short-term, never 
>completely satisfactory counter-measures which run on the network.
>
>-- 
>Glen Turner <http://www.gdt.id.au/~gdt/>
>
>_______________________________________________
>AusNOG mailing list
>AusNOG at lists.ausnog.net
>http://lists.ausnog.net/mailman/listinfo/ausnog
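The stateful filtering of incoming IPv6 connections mentioned in the thread, sketched as an nftables ruleset for a small Linux router. This is an added example, not the configuration from Glen's linked post or anything posted to the list; the interface names (`ppp0`, `eth0`), the table name `homefw` and the SSH management rule are assumptions, and it covers only the stateful part, not deep-packet inspection.

```nftables
#!/usr/sbin/nft -f
# Added example: stateful IPv6 filtering on a small Linux router.
# Assumed interface names: ppp0 = upstream (WAN), eth0 = home LAN.
define WAN = "ppp0"
define LAN = "eth0"

# Create-then-delete makes the reload idempotent without touching other tables.
table ip6 homefw
delete table ip6 homefw

table ip6 homefw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows that inside hosts opened, plus the ICMPv6 errors
        # conntrack relates to them (packet-too-big, unreachable, ...).
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may open connections outward; this creates the state.
        iifname $LAN oifname $WAN accept

        # Optional: let the outside ping globally addressed hosts, rate limited.
        iifname $WAN icmpv6 type echo-request limit rate 10/second accept

        # Everything else arriving from the WAN is unsolicited: count and drop.
        iifname $WAN counter drop
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        # Neighbour and router discovery must work or IPv6 itself breaks.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert } ip6 hoplimit 255 accept
        ct state established,related accept
        ct state invalid drop
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem, echo-request } accept

        # DHCPv6 client replies (e.g. prefix delegation) from the upstream router.
        iifname $WAN ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept

        # Management from the LAN only (SSH is an assumed example service).
        iifname $LAN tcp dport 22 accept
    }
}
```

The `iifname $LAN oifname $WAN accept` rule is the path Glen's footnote refers to: any connection opened from the inside is allowed and its replies are then accepted as established, so this ruleset blocks unsolicited inbound traffic only.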