fryers at gmail.com
Thu Mar 10 01:15:51 UTC 2011
On 10 March 2011 03:05, Simon Iremonger (wiltslug)
<wiltslug at iremonger.me.uk> wrote:
>> So, from a home user point of view, does this mean that NAT and port
>> forwarding at the broadband router is gone with IPv6?
> NAT is generally considered a kludge to keep IPv4 going......
NAT is also not generally considered to provide any real security. It
is known to provide *some*, but should not be considered a replacement
for a real firewall.
>> How will this work for someone (like me) who has a single dynamic IP
>> provided by my ISP (Talk Talk) that is essentially the external
>> (internet facing) IP of my ADSL router?
> For the time being that will stay.
> You will also get a /64 (or more) of IPv6 address usually.
To add: what you are really getting from your ISP is a subnet, with a
range of one IP in the IPv4 space. The change will be to get a larger
subnet in the IPv6 range.
> Increasingly people won't actually get "real" IPv4 addresses on the WAN.
> These will become an 'extra' of sorts, I think.
>> the router takes care of which port goes to which server for me.
> With IPv6, you can still set up that kind of 'forwarding' with load
> balancer equipment etc. but you really don't need any of that.
> If you want to give your hosts a fixed IPv6 address you can just
> give them IPs like prefix::2 and prefix::3 where prefix: is
> the prefix for your /64 subnet, e.g. if your ISP provides you
> 2001:8b0:ffe:0::/64 then you can set up 2001:8b0:ffe::2 as a server.
> If you are concerned about 'renumbering' your servers as you move a
> service (you think portforward), that isn't a problem either.
> All you do is give your hosts a 'host' IPv6 address, and also,
> additionally, an IPv6 address for a 'service' they host.
> Then, you can 'move' the service IPv6 address to another host
> without changing host numbering.
Each of the servers on your subnet will have their own IP number. Port
forwarding is essentially redundant and unnecessary.
>> As a "noddy" home user paying £x/per month for a broadband service would
>> I expect to automatically get multiple IPv6 addresses from my ISP to
>> allow me to do this - one for each computer for example?
> Minimum is a /64 -- with 64bits left for host-ID, this is required
> for the 'autoconfig' IP addresses.
> This allows for about 18446744073709551616 devices.
> Often an ISP will supply /60 /56 /52 or /48 to allow you to set up
> more than one subnet etc.
> An ISP would be hard-pressed to supply you with "less" than 2^64 IPs.
>> only the broadband router having an internet facing address.
> No, those days are gone with IPv6.
> BUT the days of having a "real IPv4" address on all customer
> WANs *are* to go! There aren't enough....
>> Are there really that many addresses in IPv6 that they can
>> give a unique one to every device in the world?
> More like every atom on the surface of the earth, apparently.
I am not quite sure if the number extends to every atom on the surface
of the earth, but in the late 90s when I first started reading about
this, they were quoting thousands per square meter of the earth's
>> Does this also mean that we are going to need firewalls on all
>> our computers from now on?
> If the hosts aren't safe anyway, that is a bad thing!
Simon is quite right here. You won't *need* to have a firewall but it
would be a good idea. Of course, trusting inetd, only starting trusted
daemons that are required, and trusting the network code in the kernel
goes a long way.
> Stateful IPv6 firewall in computer, may be sensible for many.
> Stateful IPv6 firewall in router, also available option!!!
Many moons ago in the late 90s, early 00s, when NAT was quite a new
concept, only the geeks were able to get it running, generally on
specific boxes... It was a few years before NAT in a box became
available. I suspect that in due course, the ISPs will be doing IPv6
firewall in a box, essentially with a block on all external incoming
connections, and open ports manually as required. And, as time
progresses, I expect to see the obligatory number of rooted Linux and
Windows boxes broadcasting spam and DoS attacks over the IPv6 network.
I fail to see why there is all this worry about IPv6. Last time I
looked (approx 2002) there were plenty of primers and tutorials on the
IPv4 interweb. Most of the OS's I am concerned about (OpenBSD, Tru64)
have been supporting IPv6 for the last 10 years or so. Everything
else (DomainOS, StarOS) will happily sit behind a firewall and
dedicated gateway, if only to convert 10Base2 Ethernet to something
 SunOS 4.1.1 clone, to run on a Star 910 computing server.
"Well, an engineer is not concerned with the truth; that is left to
philosophers and theologians: the prime concern of an engineer is
the utility of the final product."
Lectures on the Electrical Properties of Materials, L.Solymar, D.Walsh
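
Added example (not part of the original message): a simplified Python model of the "block all external incoming connections, and open ports manually as required" router firewall discussed in the thread, using the 2001:8b0:ffe::/64 prefix quoted above. The desktop address ::50, the remote 2001:db8:: addresses and the opened ports are constructed for illustration; flows are matched on the address/port 4-tuple only, with no timeouts or TCP state.

```python
import ipaddress

# Prefix and the ::2 / ::3 server addresses come from the thread's example;
# the ports opened on them are assumptions made for this illustration.
PREFIX = ipaddress.ip_network("2001:8b0:ffe::/64")
OPEN_PORTS = {(PREFIX[2], 80), (PREFIX[3], 25)}

class StatefulFirewall:
    """Default-deny inbound, allow replies to flows started from the LAN."""

    def __init__(self, lan, open_ports):
        self.lan = lan
        self.open_ports = set(open_ports)
        self.flows = set()  # (lan_addr, lan_port, remote_addr, remote_port)

    def outbound(self, src, sport, dst, dport):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src not in self.lan:
            return False  # source is not inside our delegated prefix
        self.flows.add((src, sport, dst, dport))
        return True

    def inbound(self, src, sport, dst, dport):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst not in self.lan:
            return False
        if (dst, dport, src, sport) in self.flows:
            return True  # reply to a connection a LAN host initiated
        return (dst, dport) in self.open_ports  # manually opened service

def demo():
    fw = StatefulFirewall(PREFIX, OPEN_PORTS)
    remote, desktop = "2001:db8::99", "2001:8b0:ffe::50"  # constructed
    results = {
        "web server port 80": fw.inbound(remote, 40000, "2001:8b0:ffe::2", 80),
        "web server port 22": fw.inbound(remote, 40000, "2001:8b0:ffe::2", 22),
        "desktop unsolicited": fw.inbound(remote, 443, desktop, 51000),
    }
    fw.outbound(desktop, 51000, remote, 443)
    results["desktop reply"] = fw.inbound(remote, 443, desktop, 51000)
    results["other remote"] = fw.inbound("2001:db8::77", 443, desktop, 51000)
    return results

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:22} {'ALLOW' if allowed else 'DROP'}")
```

Every host here has a globally routable address, so reachability is decided by the policy table and flow state alone rather than by address translation.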