[AusNOG] FW: [Ap-ipv6tf] official shutdown date for IPv4. The date he is pushing for is April 4, 2024. "IPv4 can't go on forever, " Latour said. "

Paul van den Bergen paul.vandenbergen at gmail.com
Thu Nov 6 11:47:41 EST 2014


Hi folks,

I thought my understanding of IPv6 versus IPv4 would be stale and out of
date and have been reluctant to expound further since this is in effect an
email list for network experts....

This discussion on NAT has disabused me of that. Clearly there is a big
gulf in understanding of what IPv6 is like and its capacities.


So allow me to provide a short potted version - that may be wrong, since
it's been a decade or so since I last looked at it in detail...


IPv6 first creates a link local IP address that is routable within the
local broadcast domain, and asks for the details of the local router
configuration. Think of this as creating your own automatic private address
(aka IPv4 private address). This will always be unique, given the size of
the address space and will never route outside the broadcast domain.

Right there you have everything that a private network needs. In addition,
all comms on the network are IPSEC secured.

If your network needs to connect to other networks - local or external -
the router will tell you the network address range - and you will assign
yourself an address in that range... Now you are routable outside your
network and indeed theoretically to the entire internet.

This is where everyone seems to panic. But it's no different to having an
external IPv4:port pair NAT reachable address, except now the device
doesn't need to do anything - if the traffic is allowed through the
firewall to that address it gets through. Exactly the same as a NAT
firewall rule - allowed? yes, Not allowed? no.

And all that external traffic is IPSEC secured too - no snooping, no man in
the middle, etc. - without you doing ANYTHING.

Now your device has 2 addresses. One local and one global. How you set your
firewall up depends entirely and only on what services you want to allow
into your network... Only now it's much easier, because you don't have to
worry about translating addresses, configuring different ports to the
standard set, running out of your NAT pool, leaking internal addresses to
external networks, or ANYTHING that plagues firewall configuration now. Did
I mention your processor load on your firewall is decreased? That too.


Sorry if I sound a bit harsh, but frankly, the reason IPv6 isn't supported
in industry is because you don't understand it, not because it's not good.


And yes, I am in a grumpy mood today - why, is it showing?

On Thu, Nov 6, 2014 at 11:05 AM, Mark Newton <newton at atdot.dotat.org> wrote:

>
> On Nov 6, 2014, at 9:12 AM, Nathanael Bettridge <nathanael at prodigy.com.au>
> wrote:
>
> > I like and regularly use the ability to remap ports between disparate
> machines or to different ports transparently, without having to use a port
> proxy.
> > I like and regularly use the ability to present an arbitrary number of
> addresses as one to another network, or map between different address
> structures.
>
> I like and regularly use networks which keep concentrations of state on
> the edge.
>
> (why do you even care about ports? Oh, substandard application
> architecture which forces you to micromanage 16 bit numbers. Never mind,
> carry on…)
>
> > These are really handy tools to have to solve problems.
>
> They’re also really handy tools to turn yourself into a DoS-magnet.
>
> An important plank of security is “availability.”  You’re reducing that
> every time you put another bit of state in your core. These people who
> claim that NAT is helping their security seem to have a somewhat more
> limited view of “security” than the commonly accepted one that network
> professionals strive to attain.
>
>   - mark
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>

-- 
Dr Paul van den Bergen
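Added example (not part of the original post or thread): Paul's description above of a host first forming a link-local address on its own and then forming a global address from the prefix the router advertises is, in the classic form, modified EUI-64 address generation (RFC 4291 appendix A) followed by SLAAC (RFC 4862). The Python below, using only the standard library, builds both addresses from one MAC and shows that they share the same 64-bit interface identifier and differ only in prefix and scope. The MAC and the 2001:db8::/64 router-advertised prefix are constructed sample values (2001:db8::/32 is the documentation range). One caveat a practitioner would want: because the EUI-64 form embeds the hardware address, most current stacks default to privacy (RFC 4941) or stable-private (RFC 7217) interface identifiers instead, so the link-local and global addresses you see on a real host will usually not share an identifier this way.

```python
import ipaddress

# Constructed sample input (not from the original post).
SAMPLE_MAC = "00:1b:21:3c:4d:5e"
SAMPLE_RA_PREFIX = "2001:db8:1234:5678::/64"  # assumed prefix carried in a Router Advertisement

LINK_LOCAL_NET = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL_NET = ipaddress.IPv6Network("fc00::/7")
IID_MASK = (1 << 64) - 1


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291 appendix A) from a 48-bit MAC.

    The OUI and NIC halves are split, 0xFFFE is inserted between them, and the
    universal/local bit (0x02 of the first octet) is inverted.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The fe80::/64 address a host assigns itself before it has heard any router."""
    return ipaddress.IPv6Address((0xFE80 << 112) | eui64_interface_id(mac))


def slaac_address(ra_prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Global address formed from the advertised /64 plus the same interface identifier."""
    net = ipaddress.IPv6Network(ra_prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix (RFC 4862 section 5.5.3)")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def interface_id(addr: str) -> int:
    """Low 64 bits of an address, i.e. the part the host chose."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def address_scope(addr: str) -> str:
    """Classify by the well-known prefixes rather than ipaddress.is_global, which
    treats the 2001:db8::/32 documentation range as non-global."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL_NET:
        return "link-local"      # never forwarded by a router
    if a in UNIQUE_LOCAL_NET:
        return "unique-local"    # routable inside the site, not on the Internet
    return "global"              # reachable from outside if the firewall permits


def describe_host(mac: str, ra_prefix: str) -> dict:
    """Both addresses a host ends up with, plus their scopes and shared interface ID."""
    ll = link_local_address(mac)
    ga = slaac_address(ra_prefix, mac)
    return {
        "link_local": str(ll),
        "global": str(ga),
        "link_local_scope": address_scope(str(ll)),
        "global_scope": address_scope(str(ga)),
        "same_interface_id": interface_id(str(ll)) == interface_id(str(ga)),
    }


if __name__ == "__main__":
    for key, value in describe_host(SAMPLE_MAC, SAMPLE_RA_PREFIX).items():
        print(f"{key:>18}: {value}")
```

The point the thread is arguing over shows up in the last two fields: the global address is the one a firewall rule names directly (no translation table to look up), and the link-local one is what stays inside the broadcast domain whatever the firewall says.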