On Mon, Dec 6, 2010 at 5:15 PM, Bob McConnell <rmcconne@xxxxxxxxxxxxx> wrote:
> David Sommerseth wrote:
>> On 06/12/10 15:29, Todd Rinaldo wrote:
>>> On Dec 6, 2010, at 5:27 AM, David Sommerseth wrote:
>>>
>>>> On 05/12/10 14:21, Tom H wrote:
>>>>> On Sun, Dec 5, 2010 at 8:13 AM, RedShift <redshift@xxxxxxxxxx> wrote:
>>>>>> On 12/05/10 12:50, Rudi Ahlers wrote:
>>>>>>> (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Days.htm),
>>>>>> Haven't switched yet, I have IPv6 at home using sixxs.
>>>>>>
>>>>>> I can't even figure out what address ranges are reserved for private use, is there even such a concept in IPv6?
>>>>> I think that site-local ("fec0:: - fef::") is the ipv6
>>>>> more-or-less-equivalent of ipv4 private addresses.
>>>> Yes, that's correct and it is deprecated.
>>>> <http://www.ietf.org/rfc/rfc3879.txt>
>>>>
>>>> With IPv6 there is plenty of addresses for everyone so you basically use
>>>> your own assigned official IPv6 address space and setup your own private
>>>> /64 net and block that subnet in your firewalls.
>>>>
>>>> Another thing, there is no NAT and it will not be implemented as we know
>>>> it in IPv4. To call NAT a security feature is also a faulty
>>>> understanding. As NAT only prevents access from outside to some
>>>> computer inside a network which is NAT'ed. This restriction and
>>>> filtering is the task of the firewall anyway, which does the NAT anyway.
>>>>
>>>> NAT basically just breaks a lot of protocols and enforces complex
>>>> firewalls which needs to understand a lot of different protocols to be
>>>> able to do things correctly. Which often do not work as well as it could.
>>>>
>>> I've heard this before but It's always confused me. Admittedly I
>>> haven't had a chance to look at the spec. If we're saying that
>>> everyone's going to have the same private subnet, then we're saying
>>> that all the private subnets are going to have to be NAT-ed
>>> aren't they?
>>
>> This can be a bit confusing, especially if you see this with "IPv4
>> eyes". In IPv6, it basically is no such things as a private subnet (range).
>>
>> When you contact your ISP to get a IPv6 subnet, they will most probably
>> give you a /48 network. That means you will have a IPv6 prefix which is
>> unique. That is a reference to all _your_ IPv6 networks.
>>
>> Then you will normally segment this /48 subnet into more /64 networks.
>> A /48 subnet gives you 65536 /64 networks. So the IPv6 prefix will be
>> something like:
>>
>> aaaa:aaaa:aaaa:bbbb::/64
>>
>> the 'aaaa:aaaa:aaaa' part is the prefix your ISP will provide you, and
>> this is the first 48bits of the IPv6 address. The 'bbbb' part is up to
>> you to decide what will be, and that's the next 16 bits of the address
>> scope. So 48 + 16 = 64 bits. And 2^16 = 65536.
>>
>> And this is all you need to know about IPv6 addressing. Really! That's
>> it. No network addresses, no broadcast addresses. Just pure usable
>> IPv6 addresses.
>>
>> (You may of course make even more subnets below /64, but that's usually
>> not recommended at - especially with auto-configured networks)
>>
>> So then ... the next phase. As everyone who gets a /48 nets should have
>> it flexible enough to setup private networks, the firewall just needs to
>> block completely in-going traffic to a /64 net defined by the admins as
>> private. It can further be decided if this /64 net should have access
>> to IPv6 addresses outside this local network. Again this is just a
>> firewall rule and nothing more - allow or reject/drop.
>>
>> And then, the former proposed site-local subnet makes pretty much no
>> sense, as IPv6 does not support NAT. As this network would not be able
>> to communicate across a router/firewall. This subnet (fec0:: - fef::)
>> should not be routed anywhere. And without NAT, it can't escape the
>> subnet at all anyway.
>>
>> So, spending one or two or 100s /64 subnets with public IPv6 addresses
>> which is completely blocked in a firewall will serve exactly the same
>> purpose as a site-local subnet. But this /64 net may get access to the
>> Internet *if* allowed by the firewall. This is not possible with
>> site-local at all. And of course, this is without NAT in addition.
>>
>> I hope this made it a little bit clearer.
>
> Clear as mud. If I understand you correctly, I have to say that IPv6 is
> broken by design. I have a double handful of computers on my home
> network. Each of them needs access to the Internet to get updates to the
> OS and various applications. However, I do *NOT* want each and every one
> of them to show up as a unique address outside of my network. With IP4
> and m0n0wall running as the NAT, they are all translated to the single
> IP address that Roadrunner assigned to my Firewall. I need to continue
> that mapping. If IPv6 cannot do that, then I hope Time-Warner continues
> to ignore it and stays with their current address structure.
>
> Bob McConnell
> N2SPP
IPv6 is not broken by design. NAT was implemented to extend the time
until IPv4 exhaustion. A side effect was hiding the internal IPv4
address, which complicates a number of protocols like FTP and SIP. The
only downside I see is ISPs could try and charge based on the number
of IPv6 addresses being used.
Ryan
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
