Re: IPV4 is nearly depleted, are you ready for IPV6?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Mon, Dec 6, 2010 at 6:28 PM, Bob McConnell <rmcconne@xxxxxxxxxxxxx> wrote:
> Ryan Wagoner wrote:
>> On Mon, Dec 6, 2010 at 5:15 PM, Bob McConnell <rmcconne@xxxxxxxxxxxxx> wrote:
>>> David Sommerseth wrote:
>>>> On 06/12/10 15:29, Todd Rinaldo wrote:
>>>>> On Dec 6, 2010, at 5:27 AM, David Sommerseth wrote:
>>>>>
>>>>>> On 05/12/10 14:21, Tom H wrote:
>>>>>>> On Sun, Dec 5, 2010 at 8:13 AM, RedShift <redshift@xxxxxxxxxx> wrote:
>>>>>>>> On 12/05/10 12:50, Rudi Ahlers wrote:
>>>>>>>>> (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Days.htm),
>>>>>>>> Haven't switched yet, I have IPv6 at home using sixxs.
>>>>>>>>
>>>>>>>> I can't even figure out what address ranges are reserved for private use, is there even such a concept in IPv6?
>>>>>>> I think that site-local ("fec0:: - fef::") is the ipv6
>>>>>>> more-or-less-equivalent of ipv4 private addresses.
>>>>>> Yes, that's correct and it is deprecated.
>>>>>> <http://www.ietf.org/rfc/rfc3879.txt>
>>>>>>
>>>>>> With IPv6 there is plenty of addresses for everyone so you basically use
>>>>>> your own assigned official IPv6 address space and setup your own private
>>>>>> /64 net and block that subnet in your firewalls.
>>>>>>
>>>>>> Another thing, there is no NAT and it will not be implemented as we know
>>>>>> it in IPv4.  To call NAT a security feature is also a faulty
>>>>>> understanding.  As NAT only prevents access from outside to some
>>>>>> computer inside a network which is NAT'ed.  This restriction and
>>>>>> filtering is the task of the firewall anyway, which does the NAT anyway.
>>>>>>
>>>>>> NAT basically just breaks a lot of protocols and enforces complex
>>>>>> firewalls which needs to understand a lot of different protocols to be
>>>>>> able to do things correctly.  Which often do not work as well as it could.
>>>>>>
>>>>> I've heard this before but It's always confused me. Admittedly I
>>>>> haven't had a chance to look at the spec. If we're saying that
>>>>> everyone's going to have the same private subnet, then we're saying
>>>>> that all the private subnets are going to have to be NAT-ed
>>>>> aren't they?
>>>> This can be a bit confusing, especially if you see this with "IPv4
>>>> eyes".  In IPv6, it basically is no such things as a private subnet (range).
>>>>
>>>> When you contact your ISP to get a IPv6 subnet, they will most probably
>>>> give you a /48 network.  That means you will have a IPv6 prefix which is
>>>> unique.  That is a reference to all _your_ IPv6 networks.
>>>>
>>>> Then you will normally segment this /48 subnet into more /64 networks.
>>>> A /48 subnet gives you 65536 /64 networks.  So the IPv6 prefix will be
>>>> something like:
>>>>
>>>>    aaaa:aaaa:aaaa:bbbb::/64
>>>>
>>>> the 'aaaa:aaaa:aaaa' part is the prefix your ISP will provide you, and
>>>> this is the first 48bits of the IPv6 address.  The 'bbbb' part is up to
>>>> you to decide what will be, and that's the next 16 bits of the address
>>>> scope.  So 48 + 16 = 64 bits.   And 2^16 = 65536.
>>>>
>>>> And this is all you need to know about IPv6 addressing.  Really!  That's
>>>> it.  No network addresses, no broadcast addresses.  Just pure usable
>>>> IPv6 addresses.
>>>>
>>>> (You may of course make even more subnets below /64, but that's usually
>>>> not recommended at - especially with auto-configured networks)
>>>>
>>>> So then ... the next phase.  As everyone who gets a /48 nets should have
>>>> it flexible enough to setup private networks, the firewall just needs to
>>>> block completely in-going traffic to a /64 net defined by the admins as
>>>> private.  It can further be decided if this /64 net should have access
>>>> to IPv6 addresses outside this local network.  Again this is just a
>>>> firewall rule and nothing more - allow or reject/drop.
>>>>
>>>> And then, the former proposed site-local subnet makes pretty much no
>>>> sense, as IPv6 does not support NAT.  As this network would not be able
>>>> to communicate across a router/firewall.  This subnet (fec0:: - fef::)
>>>> should not be routed anywhere.  And without NAT, it can't escape the
>>>> subnet at all anyway.
>>>>
>>>> So, spending one or two or 100s /64 subnets with public IPv6 addresses
>>>> which is completely blocked in a firewall will serve exactly the same
>>>> purpose as a site-local subnet.  But this /64 net may get access to the
>>>> Internet *if* allowed by the firewall.  This is not possible with
>>>> site-local at all.  And of course, this is without NAT in addition.
>>>>
>>>> I hope this made it a little bit clearer.
>>> Clear as mud. If I understand you correctly, I have to say that IPv6 is
>>> broken by design. I have a double handful of computers on my home
>>> network. Each of them needs access to the Internet to get updates to the
>>> OS and various applications. However, I do *NOT* want each and every one
>>> of them to show up as a unique address outside of my network. With IP4
>>> and m0n0wall running as the NAT, they are all translated to the single
>>> IP address that Roadrunner assigned to my Firewall. I need to continue
>>> that mapping. If IPv6 cannot do that, then I hope Time-Warner continues
>>> to ignore it and stays with their current address structure.
>>>
>>> Bob McConnell
>>> N2SPP
>>
>> IPv6 is not broken by design. NAT was implemented to extend the time
>> until IPv4 exhaustion. A side effect was hiding the internal IPv4
>> address, which complicates a number of protocols like FTP and SIP. The
>> only downside I see is ISPs could try and charge based on the number
>> of IPv6 addresses being used.
>
> No, the downside is that each address used will be exposed to the world.
> I consider that a serious security flaw. Having my ISP know how many
> computers I have is a minor issue covered by the contract I have with
> them. But having all of those addresses exposed to Russian mobsters,
> terrorists, crackers and everyone else that knows how to capture packets
> is another matter altogether. If IPv6 exposes that information to the
> world, it is definitely unsafe to use.
>
> Bob McConnell
> N2SPP

The data is already exposed with IPv4, but it just looks to originate
from one place. With an IPv6 firewall blocking all incoming traffic
you have the same security as IPv4 with NAT. The data is still
exposed, it just comes from multiple places now. Plus with the
trillions of addresses available it becomes much harder to just brute
force attack a range of IPs.

Interestingly enough Windows went one step ahead and chooses a random
IPv6 address instead of basing it on the MAC address. The address
changes over time making it harder to track your usage to a single
computer.

Ryan
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos



[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux