[Wiltshire] IPV6

Simon Fryer fryers at gmail.com
Thu Mar 10 01:15:51 UTC 2011


On 10 March 2011 03:05, Simon Iremonger (wiltslug)
<wiltslug at iremonger.me.uk> wrote:
>> So, from a home user point of view, does this mean that NAT and port
>> forwarding at the broadband router is gone with IPV6?
> Correct.
> NAT is generally considered a kludge to keep IPv4 going......

NAT is also not generally considered to provide any real security. It
is known to provide *some*, but should not be considered a replacement
for a real firewall.

>> How will this work for someone (like me) who has a single dynamic IP
>> provided by my ISP (Talk Talk) that is essentially the external
>> (internet facing) IP of my ADSL router?
> For time-being that will stay.
> You will also get a /64 (or more) of IPv6 address usually.

To add. What you are really getting from your ISP is a subnet, with a
range of one IP in the IPV4 space. The change will be to get a larger
subnet in the IPv6 range.

> Increasingly people won't actually get "real" IPv4 addresses on the WAN.
> These will become an 'extra' of sorts, I think.
>> the router takes care of which port goes to which server for me.
> With IPv6, you can still setup that kind of 'forwarding' with load
>  balancer equipment etc.  but you really don't need any of that.
> If you want to give your hosts a fixed-IPv6-address you can just
>  give them ips like  prefix::2 and prefix::3 where prefix: is
>  the prefix for your /64 subnet e.g. if your ISP provide you
>  2001:8b0:ffe:0::/64 then you can setup 2001:8b0:ffe::2 as a server.
> If, you are concerned about 'renumbering' your servers as move a
>  service (you think portforward), that isn't a problem either.
> All you do.. is give your hosts a 'host' IPv6 address, and also,
>  additionally, an IPv6 address for a 'service' they host.
> Then, you con 'move' the service IPv6 address to another host
>  without changing host numbering.

Each of the servers on your subnet will have their own IP number. Port
forwarding is essentially redundant and unnecessary.

>> As a "noddy" home user paying £x/per month for a broadband service would
>> I expect to automatically get multiple IPV6 addresses from my ISP to
>> allow me to do this - one for each computer for example?
> Minimum is a /64 -- with 64bits left for host-ID, this is required
>  for the 'autoconfig' IP addresses.
> This allows for about  18446744073709551616  devices.
> Often an ISP will supply /60 /56 /52 or /48 to allow you to setup
>  more than one subnet etc.
> An ISP would be hard-pressed to supply you with "less" than 2^64 IPs.
>> only the broadband router having an internet facing address.
> No, those days are gone with IPv6.
> BUT the days of having a "real IPv4" address on all customer
>  WANs *are* to go!  There aren't enough....
>> Are there really that many addresses in IPV6 that they can
>> give a unique one to every device in the world?
> More like every atom on the surface of the earth, apparently.

I am not quite sure if the number extends to every atom on the surface
of the earth, but in the late 90's when I first started reading about
this, they were quoting thousands per square meter of the earths

>> Does this also mean that we are going to need firewalls on all
>> our computers from now on?
> If the hosts aren't safe anyway, that is a bad thing!

Simon is quite right here. You won't *need* to have a firewall but it
would be a good idea. Of course, trusting inetd, only started trusted
demons that are required, and trusting the network code in the kernel
goes a long way.

> Stateful IPv6 firewall in computer, may be sensible for many.
> Stateful IPv6 firewall in router, also available option!!!

Many moons ago in the late 90s, early 00s, when NAT was quite a new
concept, only the geeks were able to get it running, generally on
specific boxes... It was a few years before NAT in a box became
available. I suspect that in due course, the ISPs will be doing IPV6
firewall in a box, essentially with a block all external incoming
connections, and open ports manually as required. And, as time
progresses, I expect to see the obligatory number of rooted Linux and
windows boxes broadcasting spam and DOS attacks over the IPv6 network.

I fail to see why there is all this worry about IPv6. Last time I
looked (approx 2002) there were plenty of primers and tutorials on the
IPv4 interweb. Most of the OS's I am concerned about (OpenBSD, Tru64)
have been supporting IPv6 for the last 10 years or so.  Everything
else (DomainOS, StarOS[1]) will happy sit behind firewall and
dedicated gateway, if only to convert 10Base2 Ethernet to something
more modern.

[1] SunOS 4.1.1 clone, to run on a Star 910 computing server.


"Well, an engineer is not concerned with the truth; that is left to
philosophers and theologians: the prime concern of an engineer is
the utility of the final product."
Lectures on the Electrical Properties of Materials, L.Solymar, D.Walsh

More information about the Wiltshire mailing list