[GRLUG] IPv6: My views

Michael Mol mikemol at gmail.com
Fri Jun 8 16:34:36 EDT 2012 

On Fri, Jun 8, 2012 at 4:11 PM, L. V. Lammert <lvl at omnitec.net> wrote:
>
> On Fri, 8 Jun 2012, detrix42 at gmail.com wrote:
>
>>      Because every device on this planet can now have its own IP address,
>> there is no NAT.
>>
> Huh? First I had heard that NAT goes away with IPv6! Can you confirm?

You *can* NAT if you have a compelling need to, but the easiest
solution is to simply join the regular globally-addressable address
range.
>
>> Which is a small security issue.
>>
> Au contrare - that's a BIG security issue! There is absolutely no reason
> to suddenly put millions of fragile Windoze machines on publically
> addressible IPs! Talk about script kittie nirvana!

That's what firewalls are for. Your average IPv6-ready CPE will come
with stateful firewalls that only allow outbound traffic unless you
tell it otherwise.

Alternatives to NAT include:

* Firewalls. Windows XPSP2 and above have come with decent firewall
products built-in; you simply need to not turn them off. In the Linux
world, there's ufw, firelholv6 and fwbuilder, among (probably) others.
These ease the setting up of IPv6 firewall rules along side your IPv4
firewall rules.
* HTTP proxies, such as Squid and Varnish. If your devices all make
their outbound connections via an HTTP proxy, the remote server need
never know the source IP address.
* Other application-layer proxies. For HTTP and SIP, you have
application-specific proxies available to you for routing data through
a common node.

Other mitigating factors:
* The address space is *huge*. You have sixteen billion billion
addresses in a /64; that's four billion times the size of the entire
Internet. That's difficult for a script kiddie to reliably scan from
outside your network. (If they're already inside your network, things
get easier, but it's still not a cakewalk.)
* IPv6 Privacy Extensions. IPv6 privacy extensions (which Windows
Vista and above enable by default) use short-lived connections for
outbound traffic, making the window for someone to hit them back very,
very short. Meanwhile, they maintain a static address which you can
use if you need to reliably address them.

If you really, *really* need it, you can do NAT in IPv6. This is
widely considered to be a bad idea. The *only* justifying case I've
heard where NAT was preferred over an application-layer gateway like
squid was where the performance hit of passing through Squid was
intolerable.

-- 
:wq

More information about the grlug mailing list