[opensuse] Practicalities of IPv6
Rather than hijacking Robert Day's thread, I thought I'd start a separate one on the practicalities of IPv6:
Co-existence: if someone were to go IPv6-only, how is access for IPv4-only clients achieved? I.e. if I move to an IPv6-only network, how do IPv4-only clients deal with it? Do I need to do anything?
Dual-stack on ADSL - is it possible to have IPv4 and IPv6 on the same ADSL line? (ignoring whether or not a supplier would support it).
Hardware - does anyone want to recommend an ADSL router with IPv6 support? We've been using Zyxel for the last five years, and I've been looking at Zyxel's 662, but I've grown a little wary of Zyxel (support in particular). A new router would require solid IPv6 support plus SNMP and syslog ditto.
/Per -- Per Jessen, Zürich (5.2°C) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Per Jessen wrote:
Rather than hijacking Robert Day's thread, I thought I'd start a separate one on the practicalities of IPv6:
Co-existence: if someone were to go IPv6-only, how is access for IPv4-only clients achieved? I.e. if I move to an IPv6-only network, how do IPv4-only clients deal with it? Do I need to do anything?
Dual-stack on ADSL - is it possible to have IPv4 and IPv6 on the same ADSL line? (ignoring whether or not a supplier would support it).
Hardware - does anyone want to recommend an ADSL router with IPv6 support? We've been using Zyxel for the last five years, and I've been looking at Zyxel's 662, but I've grown a little wary of Zyxel (support in particular). A new router would require solid IPv6 support plus SNMP and syslog ditto.
/Per
I don't recall the details and it's been quite a while since I read about it, but there is an IPv6 address range that's reserved for mapping directly to IPv4 addresses. ADSL in these parts is provided by running PPPoE, that is Peer to Peer Protocol over Ethernet. PPP & Ethernet can both handle whatever packets you throw at them, as they're level 2 protocols, so ADSL should have no problem, in theory, with handling IPv6. Of course there's always the software within the ADSL modem and DSLAM to worry about, as well as any routers beyond them. As I mentioned earlier, tunneling can be used to bypass any IPv4 link. BTW, there's some info on IPv6 on the Linux Documentation Project site. http://tldp.org
James Knott wrote:
Per Jessen wrote:
Rather than hijacking Robert Day's thread, I thought I'd start a separate one on the practicalities of IPv6:
Co-existence: if someone were to go IPv6-only, how is access for IPv4-only clients achieved? I.e. if I move to an IPv6-only network, how do IPv4-only clients deal with it? Do I need to do anything?
Dual-stack on ADSL - is it possible to have IPv4 and IPv6 on the same ADSL line? (ignoring whether or not a supplier would support it).
Hardware - does anyone want to recommend an ADSL router with IPv6 support? We've been using Zyxel for the last five years, and I've been looking at Zyxel's 662, but I've grown a little wary of Zyxel (support in particular). A new router would require solid IPv6 support plus SNMP and syslog ditto.
/Per
I don't recall the details and it's been quite a while since I read about it, but there is an IPv6 address range that's reserved for mapping directly to IPv4 addresses.
Isn't that the other way around - for mapping IPv4 (in)to IPv6?
ADSL in these parts is provided by running PPPoE, that is Peer to Peer Protocol over Ethernet. PPP & Ethernet can both handle whatever packets you throw at them, as they're level 2 protocols, so ADSL should have no problem, in theory, with handling IPv6. Of course there's always the software within the ADSL modem and DSLAM to worry about, as well as any routers beyond them.
Yeah, I was asking/worried about the entire path, not just the PPPoE level. The issue is that anyone migrating to IPv6 would want to have a period of time with 4/6 coexistence, and if that could be achieved without having to have a dual ADSL setup, so much the better.
As I mentioned earlier, tunneling can be used to bypass any IPv4 link.
Yes, but in a complete migration to IPv6, that's only a small step on the way, and the tunnels (as currently provided) are not intended for high volume (to my knowledge anyway). /Per -- Per Jessen, Zürich (4.9°C)
I don't recall the details and it's been quite a while since I read about it, but there is an IPv6 address range that's reserved for mapping directly to IPv4 addresses.
Isn't that the other way around - for mapping IPv4 (in)to IPv6?
In a nutshell, your IPv4 address forms part of the prefix in your IPv6 addresses. The first group is 2002, the second and third are your IPv4 address, the 4th is totally up to you, and the rest is also totally up to you, but typically used for autoconfiguration. Each of the dotted quads in an IPv4 address is an 8-bit quantity, which when converted to hex is a value in the range 00-ff, so if your IP address was 192.168.23.45, then the IPv6 equivalent would be 2002:c0a8:172d:xxxx:yyyy:yyyy:yyyy:yyyy (xxxx and yyyy being up to you, etc.) This gives each IPv4 address 2^80 usable addresses, and if you use the last 64 bits for autoconfig, then you still have 2^16 (65536) subnets of 2^64 each. You could use autoconfig on some of those, and not on others. In any case, it's a crap load of addresses, and if you happen to need more, well, this is just what is available to the IPv4 space!
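The 6to4 layout described above, worked through in code. This is an added example, not code from anyone on the list; it uses only Python's standard ipaddress module and the 192.168.23.45 address from the post (a private address, so the resulting prefix is for illustration only: a 6to4 relay only routes prefixes derived from a globally routable IPv4 address).

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def six_to_four_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Build the /48 that 6to4 (RFC 3056) derives from an IPv4 address.

    Layout of a 6to4 address, 16 bits per group:
        2002 : IPv4 high 16 : IPv4 low 16 : subnet id : 64-bit interface id
    The first three groups are fixed by the IPv4 address, the fourth is the
    site's own choice and the last four are usually left to autoconfiguration.
    """
    v4 = ipaddress.IPv4Address(ipv4)
    bits = (0x2002 << 112) | (int(v4) << 80)
    return ipaddress.IPv6Network((bits, 48))


def six_to_four_subnet(ipv4: str, subnet_id: int) -> ipaddress.IPv6Network:
    """One of the 2**16 /64 subnets inside a 6to4 /48 (the 'xxxx' group)."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    base = int(six_to_four_prefix(ipv4).network_address)
    return ipaddress.IPv6Network((base | (subnet_id << 64), 64))


def subnet_budget(ipv4: str) -> tuple:
    """(number of /64 subnets, hosts per /64) available inside the /48."""
    total = six_to_four_prefix(ipv4).num_addresses            # 2**80
    per_subnet = ipaddress.IPv6Network("::/64").num_addresses  # 2**64
    return total // per_subnet, per_subnet


def embedded_ipv4(addr: str):
    """Recover the IPv4 address from any 6to4 address, or None if not 6to4.

    Bits 80..111 hold the IPv4 address; the stdlib exposes the same value as
    IPv6Address.sixtofour, which is used here as a cross-check.
    """
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in SIX_TO_FOUR:
        return None
    v4 = ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)
    assert v4 == v6.sixtofour
    return v4


if __name__ == "__main__":
    # 192.168.23.45 is the address used in the post above. It is a private
    # (RFC 1918) address, so the prefix below would not be reachable through a
    # public 6to4 relay; a real deployment needs a globally routable IPv4.
    print(six_to_four_prefix("192.168.23.45"))        # 2002:c0a8:172d::/48
    print(six_to_four_subnet("192.168.23.45", 0x1))   # 2002:c0a8:172d:1::/64
    print(subnet_budget("192.168.23.45"))             # (65536, 18446744073709551616)
    print(embedded_ipv4("2002:c0a8:172d:1::1"))       # 192.168.23.45
```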
On 18/10/09 19:02, Per Jessen wrote:
Rather than hijacking Robert Day's thread, I thought I'd start a separate one on the practicalities of IPv6:
Co-existence: if someone were to go IPv6-only, how is access for IPv4-only clients achieved? I.e. if I move to an IPv6-only network, how do IPv4-only clients deal with it? Do I need to do anything?
My web-server is IPv6-only. I provide a fallback to an IPv4 web proxy, and same for e-mail. However, if your DNS servers are only IPv6-accessible, then none of your services will be available to clients that do not have access to an IPv6-connected caching/recursive DNS server (i.e. a huge majority of the current internet).
Dual-stack on ADSL - is it possible to have IPv4 and IPv6 on the same ADSL line? (ignoring whether or not a supplier would support it).
Yes, there are some ISPs in Europe that provide a dual-stack service. A&A in the UK comes to mind. Sadly here in Denmark IPv6 has yet to make any impact, even with FTTH providers. Your alternatives are 6to4, Teredo and a tunnel (6in4, AYIYA or some other VPN). Two of the best known IPv6 tunnel providers are Hurricane Electric and SixXS. P.S. I have compiled a list of all-known (I hope!) Google IPv6 addresses - http://go.chaz6.com/841. Normally these are only available if your DNS server is on their whitelist. Sadly none of their DNS servers are IPv6-accessible.
On Sun, 2009-10-18 at 19:02 +0200, Per Jessen wrote:
Hardware - does anyone want to recommend an ADSL router with IPv6 support? We've been using Zyxel for the last five years, and I've been looking at Zyxel's 662, but I've grown a little wary of Zyxel (support in particular). A new router would require solid IPv6 support plus SNMP and syslog ditto.
afaicr, the latest Fritz router 7270 (both annex-A and annex-B) was capable of doing ipv6 (download firmware from fritz). hw
Chris Hills wrote:
On 18/10/09 19:02, Per Jessen wrote:
Rather than hijacking Robert Day's thread, I thought I'd start a separate one on the practicalities of IPv6:
Co-existence: if someone were to go IPv6-only, how is access for IPv4-only clients achieved? I.e. if I move to an IPv6-only network, how do IPv4-only clients deal with it? Do I need to do anything?
My web-server is IPv6-only. I provide a fallback to an IPv4 web proxy, and same for e-mail. However, if your DNS servers are only IPv6-accessible, then none of your services will be available to clients that do not have access to an IPv6-connected caching/recursive DNS server (i.e. a huge majority of the current internet).
Right, so running both IPv4 and IPv6 will be required for quite a while, if not forever.
Dual-stack on ADSL - is it possible to have IPv4 and IPv6 on the same ADSL line? (ignoring whether or not a supplier would support it).
Yes, there are some ISPs in Europe that provide a dual-stack service. A&A in the UK comes to mind. Sadly here in Denmark IPv6 has yet to make any impact, even with FTTH providers.
IPv6 has yet to make much impact anywhere. Who is A&A? I'm sure they won't be available in Switzerland, but their site might give me some hints wrt hardware for instance. /Per -- Per Jessen, Zürich (3.8°C)
On Mon, 2009-10-19 at 01:16 +0200, Hans Witvliet wrote:
On Sun, 2009-10-18 at 19:02 +0200, Per Jessen wrote:
Hardware - does anyone want to recommend an ADSL router with IPv6 support? We've been using Zyxel for the last five years, and I've been looking at Zyxel's 662, but I've grown a little wary of Zyxel (support in particular). A new router would require solid IPv6 support plus SNMP and syslog ditto.
afaicr, the latest Fritz router 7270 (both annex-A and annex-B) was capable of doing ipv6 (download firmware from fritz)
I don't know anything specific concerning ADSL routers. The Cisco 8xx series should certainly work. But cable modems should be OK; DOCSIS 3.0 supports IPv6 and some late DOCSIS 2.0 modems might as well. Comcast [USA] has announced it will begin rolling out residential IPv6 in 2010l.
On Mon, 2009-10-19 at 05:54 -0400, Adam Tauno Williams wrote:
On Mon, 2009-10-19 at 01:16 +0200, Hans Witvliet wrote:
On Sun, 2009-10-18 at 19:02 +0200, Per Jessen wrote:
Hardware - does anyone want to recommend an ADSL router with IPv6 support? We've been using Zyxel for the last five years, and I've been looking at Zyxel's 662, but I've grown a little wary of Zyxel (support in particular). A new router would require solid IPv6 support plus SNMP and syslog ditto.
afaicr, the latest Fritz router 7270 (both annex-A and annex-B) was capable of doing ipv6 (download firmware from fritz)
I don't know anything specific concerning ADSL routers. The Cisco 8xx series should certainly work. But cable modems should be OK; DOCSIS 3.0 supports IPv6 and some late DOCSIS 2.0 modems might as well. Comcast [USA] has announced it will begin rolling out residential IPv6 in 2010l.
2010, not 20101.
Per Jessen wrote:
IPv6 has yet to make much impact anywhere.
IIRC, it is common in Asia, where there are simply not enough IPv4 addresses available. Also, as I mentioned in another note, I read, not too long ago, the U.S. government announced that IPv6 would be required going forward. It is coming, just not as fast as it should be.
On Mon, Oct 19, 2009 at 12:55, James Knott wrote:
Adam Tauno Williams wrote:
Comcast [USA] has announced it will begin rolling out residential IPv6 in 2010l.
I expect we'll all be long gone by 20101! ;-) <pedant> Adam aktually wrote 2010l as in 2010 ell not 20101 ;-)) </pedant>
ne... -- Registered Linux User # 125653 (http://counter.li.org) Now accepting personal mail for GMail invites. Samuel Goldwyn - "I'm willing to admit that I may not always be right, but I am never wrong." - http://www.brainyquote.com/quotes/authors/s/samuel_goldwyn.html
Hans Witvliet wrote:
On Sun, 2009-10-18 at 19:02 +0200, Per Jessen wrote:
Hardware - does anyone want to recommend an ADSL router with IPv6 support? We've been using Zyxel for the last five years, and I've been looking at Zyxel's 662, but I've grown a little wary of Zyxel (support in particular). A new router would require solid IPv6 support plus SNMP and syslog ditto.
afaicr, the latest Fritz router 7270 (both annex-A and annex-B) was capable of doing ipv6 (download firmware from fritz)
I've been researching this quite a bit today, and have yet to find a manufacturer which explicitly lists IPv6 support. During some more googling, I came across a suggestion of simply running the ADSL router in bridge mode, and leaving all the IP handling to the next system, i.e. a firewall/gateway box. This sounds quite enticing, although it would mean making the firewall/gateway also do the ADSL authentication/login etc. I guess it would be kind of similar to the old days with pppd and all that. Does anyone have any practical experience with running an ADSL router in bridge mode? /Per -- Per Jessen, Zürich (3.9°C)
Comcast [USA] has announced it will begin rolling out residential IPv6 in 2010l.
I expect we'll all be long gone by 20101! ;-)
pity - IPv6 was looking like a good protocol!
On Mon, 2009-10-19 at 07:53 -0400, James Knott wrote:
Per Jessen wrote:
IPv6 has yet to make much impact anywhere. IIRC, it is common in Asia, where there are simply not enough IPv4 addresses available. Also, as I mentioned in another note, I read, not too long ago, the U.S. government announced that IPv6 would be required going forward.
All DoD networks will be IPv6 by the end of 2009. Verizon is also rolling out IPv6 on its mobile network and all new devices (as of awhile ago) MUST support IPv6 (according to the doc, as I recall, IPv4 support is actually optional). Obviously IPv6 makes a lot of sense for mobile carriers.
It is coming, just not as fast as it should be.
I believe that in 2010 we will turn the corner and IPv6 will start to show up in more and more places.
Philip Dowie wrote:
Comcast [USA] has announced it will begin rolling out residential IPv6 in 2010l.
I expect we'll all be long gone by 20101! ;-)
pity - IPv6 was looking like a good protocol!
Well, at least they're thinking long term, instead of focusing on the next quarter. ;-)
Per Jessen wrote:
Hans Witvliet wrote:
On Sun, 2009-10-18 at 19:02 +0200, Per Jessen wrote:
Hardware - does anyone want to recommend an ADSL router with IPv6 support? We've been using Zyxel for the last five years, and I've been looking at Zyxel's 662, but I've grown a little wary of Zyxel (support in particular). A new router would require solid IPv6 support plus SNMP and syslog ditto.
afaicr, the latest Fritz router 7270 (both annex-A and annex-B) was capable of doing ipv6 (download firmware from fritz)
I've been researching this quite a bit today, and have yet to find a manufacturer which explicitly lists IPv6 support. During some more googling, I came across a suggestion of simply running the ADSL router in bridge mode, and leaving all the IP handling to the next system, i.e. a firewall/gateway box. This sounds quite enticing, although it would mean making the firewall/gateway also do the ADSL authentication/login etc. I guess it would be kind of similar to the old days with pppd and all that.
This looks as if it might actually be the right approach. When the ADSL box/modem is running as a bridge, it doesn't care whether it's IPv4, -5 or -6, so that's one component out of the loop. The next step is to run pppd+pppoe on the gateway/firewall - AFAICT, it's pretty straightforward, the one thing I can't quite tell is whether pppd will support ipv4 and ipv6 at the same time. I also don't know if my provider supports that, but at least I was able to verify that they do support IPv6. /Per -- Per Jessen, Zürich (6.1°C)
I've been researching this quite a bit today, and have yet to find a manufacturer which explicitly lists IPv6 support. During some more googling, I came across a suggestion of simply running the ADSL router in bridge mode, and leaving all the IP handling to the next system, i.e. a firewall/gateway box. This sounds quite enticing, although it would mean making the firewall/gateway also do the ADSL authentication/login etc. I guess it would be kind of similar to the old days with pppd and all that.
This looks as if it might actually be the right approach. When the ADSL box/modem is running as a bridge, it doesn't care whether it's IPv4, -5 or -6, so that's one component out of the loop. The next step is to run pppd+pppoe on the gateway/firewall - AFAICT, it's pretty straightforward, the one thing I can't quite tell is whether pppd will support ipv4 and ipv6 at the same time.
Yes, PPP is multi-protocol; you are not even limited to IP [although routing IPX to your ISP might be pointless ;)]
Adam Tauno Williams wrote:
I've been researching this quite a bit today, and have yet to find a manufacturer which explicitly lists IPv6 support. During some more googling, I came across a suggestion of simply running the ADSL router in bridge mode, and leaving all the IP handling to the next system, i.e. a firewall/gateway box. This sounds quite enticing, although it would mean making the firewall/gateway also do the ADSL authentication/login etc. I guess it would be kind of similar to the old days with pppd and all that.
This looks as if it might actually be the right approach. When the ADSL box/modem is running as a bridge, it doesn't care whether it's IPv4, -5 or -6, so that's one component out of the loop. The next step is to run pppd+pppoe on the gateway/firewall - AFAICT, it's pretty straightforward, the one thing I can't quite tell is whether pppd will support ipv4 and ipv6 at the same time.
Yes, PPP is multi-protocol; you are not even limited to IP [although routing IPX to your ISP might be pointless ;)]
Thanks Adam - in the meantime I've also confirmed that my provider will happily feed me IPv4 and IPv6 down the same line. I might just play with it this weekend. /Per -- Per Jessen, Zürich (9.0°C)
Per Jessen wrote:
the one thing I can't quite tell is whether pppd will support ipv4 and ipv6 at the same time. I also don't know if my provider supports that, but at least I was able to verify that they do support IPv6.
PPP is a level 2 protocol and supports whatever you can do with an ethernet card. It is an IETF standard for providing packet based networking over a serial line. I have set up PPP links over T1 or SHDSL lines and the interface is simply an ethernet port, just like a switch etc., and will handle anything an ethernet switch or bridge can handle. The problem is that consumer level routers don't support IPv6, at least in routing & NAT functions. O'Reilly has a good book about PPP.
The problem is that consumer level routers don't support IPv6, at least in routing & NAT functions.
This is exaggerated; some "consumer" routers like the Linksys WRT610 do support IPv6. Only you wouldn't know it as there is no related information in the admin UI [maybe because with IPv6 there is next to nothing to admin]. Especially if you are on Comcast [internally Comcast is using IPv6 today - right now] you may have IPv6 connectivity and just not realize it. Look at the "ip -6 addr" output of one of your LINUX boxes (with IPv6 enabled) and see if you have a network address other than fe80::*, if so then something on your network is providing IPv6 advertisement. Also many consumer routers can be 'upgraded' with third-party firmware (like OpenWRT) to have first-class IPv6 support.
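Adam's "ip -6 addr" check above, as an added example that is not part of the original post: a small Python parser run over a constructed sample of "ip -6 addr show" output (not captured from anyone's machine) that lists every address outside fe80::/10. It goes a little beyond the post by also labelling the fd (unique-local) and 2002 (6to4) ranges discussed elsewhere in this thread, and by reporting the "dynamic" flag that iproute2 prints for addresses a host acquired by autoconfiguration rather than static configuration.

```python
import ipaddress
import re

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")   # fdxx:... in practice (RFC 4193)
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

# "2: eth0: <BROADCAST,...>"  ->  interface name
IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+)")
# "    inet6 2001:db8::1/64 scope global dynamic"  ->  address, scope, flags
INET6_RE = re.compile(r"^\s+inet6\s+(\S+)\s+scope\s+(\S+)(.*)$")

# Constructed sample of `ip -6 addr show` output (documentation prefixes only).
SAMPLE_IP6_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1234:1:211:22ff:fe33:4455/64 scope global dynamic
       valid_lft 86399sec preferred_lft 14399sec
    inet6 fd12:3456:789a:1::5/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2002:c0a8:172d:1::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever
"""

# Constructed sample of a host with IPv6 enabled but nothing advertising it.
SAMPLE_LINK_LOCAL_ONLY = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever
"""


def classify(addr: ipaddress.IPv6Address) -> str:
    """Name the address range; checked in order so 6to4 is not mislabelled."""
    if addr.is_loopback:
        return "loopback"
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in SIX_TO_FOUR:
        return "6to4"
    if addr in UNIQUE_LOCAL:
        return "unique-local"
    return "global"


def parse_ip6_addr(text: str):
    """Return (iface, address, kind, autoconfigured) for every inet6 line."""
    iface = None
    rows = []
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = INET6_RE.match(line)
        if m and iface is not None:
            addr = ipaddress.IPv6Interface(m.group(1)).ip
            flags = m.group(3).split()
            rows.append((iface, str(addr), classify(addr), "dynamic" in flags))
    return rows


def routed_ipv6_addresses(text: str):
    """Addresses other than loopback and fe80::*: the ones Adam says to look for."""
    return [r for r in parse_ip6_addr(text) if r[2] not in ("loopback", "link-local")]


def advertisement_present(text: str) -> bool:
    """True when some non-link-local address was autoconfigured, i.e. a router
    on the LAN is sending Router Advertisements for a prefix."""
    return any(r[3] for r in routed_ipv6_addresses(text))


if __name__ == "__main__":
    for iface, addr, kind, dyn in routed_ipv6_addresses(SAMPLE_IP6_ADDR):
        print(f"{iface}: {addr} ({kind}{', autoconfigured' if dyn else ''})")
    print("RA on the LAN:", advertisement_present(SAMPLE_IP6_ADDR))          # True
    print("RA on the LAN:", advertisement_present(SAMPLE_LINK_LOCAL_ONLY))   # False
```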
James Knott wrote:
Per Jessen wrote:
the one thing I can't quite tell is whether pppd will support ipv4 and ipv6 at the same time. I also don't know if my provider supports that, but at least I was able to verify that they do support IPv6.
PPP is a level 2 protocol and supports whatever you can do with an ethernet card. It is a IETF standard for providing packet based networking over a serial line.
Yeah, my concern was more if the ppp daemon would cope with IPv4 and IPv6 at the same time. I know I can run multiple instances of pppd, but AFAICT, my provider does not allow concurrent PPP logins with the same name.
handle. The problem is that consumer level routers don't support IPv6, at least in routing & NAT functions.
Yeah, that's why I started looking at running the ADSL box in bridge mode. /Per -- Per Jessen, Zürich (10.6°C)
The problem is that consumer level routers don't support IPv6, at least in routing & NAT functions.
NAT = evil; there is no NAT in IPv6. One of the advantages of a huge address space is that you can get rid of NAT.
Adam Tauno Williams wrote:
The problem is that consumer level routers don't support IPv6, at least in routing & NAT functions.
This is exaggerated; some "consumer" routers like the Linksys WRT610 do support IPv6. Only you wouldn't know it as there is no related information in the admin UI [maybe because with IPv6 there is next to nothing to admin].
I looked it up - I could be wrong, but it looks like it's just a WiFi router? The datasheet says it has an "internet port", and doesn't even mention IPv6 :-( The Zyxel 662 does apparently also support IPv6, but again it's not explicitly stated in the datasheet. /Per -- Per Jessen, Zürich (11.2°C)
Adam Tauno Williams wrote:
The problem is that consumer level routers don't support IPv6, at least in routing & NAT functions.
NAT = evil; there is no NAT in IPv6. One of the advantages of a huge address space is that you can get rid of NAT.
Quite so. With IPv6, users are assigned a *HUGE* number of IP addresses, which can be used as desired.
James Knott wrote:
Adam Tauno Williams wrote:
The problem is that consumer level routers don't support IPv6, at least in routing & NAT functions.
NAT = evil; there is no NAT in IPv6. One of the advantages of a huge address space is that you can get rid of NAT.
Quite so. With IPv6, users are assigned a *HUGE* number of IP addresses, which can be used as desired.
The wiki article below seems to suggest that implementing a form of NAT for IPv6 is under discussion by the IETF... http://en.wikipedia.org/wiki/IPv6 Also suggests the implementation is not exactly consistent (or as simple as intended)... -- I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone. Bjarne Stroustrup
G T Smith wrote:
The wiki article below seems to suggest that implementing a form of NAT for IPv6 is under discussion by the IETF...
http://en.wikipedia.org/wiki/IPv6
Also suggests the implementation is not exactly consistent (or as simple as intended)...
NAT seems completely superfluous when the networks are dished out as /64. I did notice that there is a reserved range of private/local/site-unique addresses (prefix fd), but I'm not quite sure what that is intended for. /Per -- Per Jessen, Zürich (9.6°C)
On Fri, 2009-10-23 at 11:28 +0200, Per Jessen wrote:
G T Smith wrote:
The wiki article below seems to suggest that implementing a form of NAT for IPv6 is under discussion by the IETF... http://en.wikipedia.org/wiki/IPv6 Also suggests the implementation is not exactly consistent (or as simple as intended)...
NAT seems completely superfluous when the networks are dished out as /64. I did notice that there is a reserved range of private/local/site-unique addresses (prefix fd), but I'm not quite sure what that is intended for.
It is used for: (a) Networks that are not connected to the Internet. (b) Setting up IPv6 on a network where there is no ISP [yet] to allocate you a 'real' IPv6 subnet. As they still have not addressed the fact that it is hard and expensive for an organization to just get an allocation of its own. Having to depend on an ISP for addressing is really annoying.
Hi! On Friday 23 October 2009 11:28:38, Per Jessen wrote:
G T Smith wrote:
The wiki article below seems to suggest that implementing a form of NAT for IPv6 is under discussion by the IETF...
http://en.wikipedia.org/wiki/IPv6
Also suggests the implementation is not exactly consistent (or as simple as intended)...
NAT seems completely superfluous when the networks are dished out as /64.
Well, the practicality of NAT is that it allows you to bridge other networks to the internet, which themselves ain't part of it. This might be interesting if you want to hide your own network structure, especially if you may only use your uplink for one computer or if your own network is a playground and you don't want to interfere with the rest, but maybe need some limited connectivity to it. Still I personally think a firewall should do for that and personally I am looking forward to IPv6 because I will rid myself of all the NAT hassle. Regards, Matthias -- Matthias Bach http://www.marix.org
Per Jessen wrote:
G T Smith wrote:
The wiki article below seems to suggest that implementing a form of NAT for IPv6 is under discussion by the IETF...
http://en.wikipedia.org/wiki/IPv6
Also suggests the implementation is not exactly consistent (or as simple as intended)...
NAT seems completely superfluous when the networks are dished out as /64. I did notice that there is a reserved range of private/local/site-unique addresses (prefix fd), but I'm not quite sure what that is intended for.
/Per
For purely address space allocation it probably is superfluous, for simple network zoning maybe not. This private address allocation idea seems to be implemented with different syntaxes in different contexts. I also have no idea whether this is intended to deal with network address space sub allocation and issues like zoning or whether this is for another purpose. A brief look at this article suggests this is a little more involved than some would have us believe. It really depends how desirable it is have all your address space universally visible and not implementing some form of DMZ as a layer of protection, and also to what extent there is a requirement to restrict access to resources not just by user but by location. Apparently for consumer grade kit operated by 'non-informed' users implementation is patchy at best, (options like flashing the ROM with third party firmware is not something I would personally recommend to this user group, and may invalidate any warranty on the kit anyway).
Adam Tauno Williams wrote:
On Fri, 2009-10-23 at 11:28 +0200, Per Jessen wrote:
G T Smith wrote:
The wiki article below seems to suggest that implementing a form of NAT for IPv6 is under discussion by the IETF... http://en.wikipedia.org/wiki/IPv6 Also suggests the implementation is not exactly consistent (or as simple as intended)...
NAT seems completely superfluous when the networks are dished out as /64. I did notice that there is a reserved range of private/local/site-unique addresses (prefix fd), but I'm not quite sure what that is intended for.
It is used for: (a) Networks that are not connected to the Internet. (b) Setting up IPv6 on a network where there is no ISP [yet] to allocate you a 'real' IPv6 subnet. As they still have not addressed the fact that it is hard and expensive for an organization to just get an allocation of its own. Having to depend on an ISP for addressing is really annoying.
Hmmm... I do not think this is the issue, NAT supplies some capabilities that some people would like to see natively available within IPv6, the routing between IPv4 and IPv6 is already outlined elsewhere.
G T Smith wrote:
Per Jessen wrote:
NAT seems completely superfluous when the networks are dished out as /64. I did notice that there is a reserved range of private/local/site-unique addresses (prefix fd), but I'm not quite sure what that is intended for.
/Per
For purely address space allocation it probably is superfluous, for simple network zoning maybe not.
Yes, that is true - I did think about that earlier, but decided it wasn't a real issue, more a matter of being comfortable. I.e. "am I comfortable that my workstation has a public IPv6 address?". I probably haven't thought it all through, but my immediate conclusion was that it's not a problem as the firewall will still be there to protect me. /Per -- Per Jessen, Zürich (9.8°C)
Also suggests the implementation is not exactly consistent (or as simple as intended)... NAT seems completely superfluous when the networks are dished out as /64. Well, the practicality of NAT is that it allows you to bridge other networks to the internet, which themselves ain't part of it.
If you connect a network to the Internet it is part of it. NAT doesn't change that.
This might be interesting if you want to hide your own network structure,
Which NAT does not do. NAT is *not* a security measure; or at least not an effective one.
especially if you may only use your uplink for one computer
Which should only be an issue for the IPv4 world.
or if your own network is a playground and you don't want to interfere with the rest, but maybe need some limited connectivity to it.
That is the purpose of a firewall.
Still I personally think a firewall should do for that, and personally I am looking forward to IPv6 because I will be rid of all the NAT hassle.
Yes! -- OpenGroupware developer: awilliam@whitemice.org http://whitemiceconsulting.blogspot.com/ OpenGroupware & Cyrus IMAPd documentation @ http://docs.opengroupware.org/Members/whitemice/wmogag/file_view
Adam Tauno Williams wrote:
Well, the practicality of NAT is that it allows you to bridge other networks to the internet, which themselves ain't part of it.
If you connect a network to the Internet it is part of it. NAT doesn't change that.
I think we're going OT, but a private IPv4 network on RFC1918 addresses behind a NAT gateway is in practice not very much part of the internet. Maybe it depends on your interpretation of "being part of"?
This might be interesting if you want to hide your own network structure,
Which NAT does not do. NAT is *not* a security measure; or at least not an effective one.
Uh, my private IPv4/RFC1918 network is quite well protected and hidden behind my NAT gateway. I agree NAT is not a security measure, but it does a pretty good job nonetheless. /Per -- Per Jessen, Zürich (9.5°C)
G T Smith wrote:
James Knott wrote:
Adam Tauno Williams wrote:
The problem is that consumer level routers don't support IPv6, at least in routing & NAT functions.
NAT = evil; there is no NAT in IPv6. One of the advantages of a huge address space is that you can get rid of NAT.
Quite so. With IPv6, users are assigned a *HUGE* number of IP addresses, which can be used as desired.
The wiki article below seems to suggest that implementing a form of NAT for IPv6 is under discussion by the IETF...
I have heard about that too and don't understand why they'd need it. They certainly don't need the address space NAT provides and if they don't want a computer to be addressable from the net, then don't give it an address that's reachable from the net. A computer can be assigned the IPv6 equivalent of link local addresses or an address that's available only on the local network etc. I have heard about using addresses that don't contain the computer MAC address for security concerns, but that's a whole different issue.
Per Jessen wrote:
G T Smith wrote:
The wiki article below seems to suggest that implementing a form of NAT for IPv6 is under discussion by the IETF...
http://en.wikipedia.org/wiki/IPv6
Also suggests the implementation is not exactly consistent (or as simple as intended)...
NAT seems completely superfluous when the networks are dished out as /64. I did notice that there is a reserved range of private/local/site-unique addresses (prefix fd), but I'm not quite sure what that is intended for.
My understanding is those are addresses that can be used within an organization, either through a router or not, but not accessible by the world. This is exactly what NAT provides, beyond using local RFC1918 addresses. I suspect this may be a case of someone raising a question because they don't understand the situation.
Adam Tauno Williams wrote:
On Fri, 2009-10-23 at 11:28 +0200, Per Jessen wrote:
G T Smith wrote:
The wiki article below seems to suggest that implementing a form of NAT for IPv6 is under discussion by the IETF... http://en.wikipedia.org/wiki/IPv6 Also suggests the implementation is not exactly consistent (or as simple as intended)...
NAT seems completely superfluous when the networks are dished out as /64. I did notice that there is a reserved range of private/local/site-unique addresses (prefix fd), but I'm not quite sure what that is intended for.
It is used for: (a) Networks that are not connected to the Internet. (b) Setting up IPv6 on a network where there is no ISP [yet] to allocate you a 'real' IPv6 subnet. As they still have not addressed the fact that it is hard and expensive for an organization to just get an allocation of its own. Having to depend on an ISP for addressing is really annoying.
IPv6 already provides that. At the lowest level, it provides an address range that's dependent only on the MAC address. There are also local address ranges that allow routing within an organization etc. NAT provides nothing in this regard and the address space it provides is also not needed.
Matthias Bach wrote:
Hi!
Am Freitag 23 Oktober 2009 11:28:38 schrieb Per Jessen:
G T Smith wrote:
The wiki article below seems to suggest that implementing a form of NAT for IPv6 is under discussion by the IETF...
http://en.wikipedia.org/wiki/IPv6
Also suggests the implementation is not exactly consistent (or as simple as intended)...
NAT seems completely superfluous when the networks are dished out as /64.
Well, the practicality of NAT is that it allows you to bridge other networks to the internet, which themselves ain't part of it. This might be interesting if you want to hide your own network structure, especially if you may only use your uplink for one computer or if your own network is a playground and you don't want to interfere with the rest, but maybe need some limited connectivity to it.
IPv6 already provides for that, with both routeable and non-routeable address ranges, that do not connect to the public internet.
James Knott wrote:
Per Jessen wrote:
NAT seems completely superfluous when the networks are dished out as /64. I did notice that there is a reserved range of private/local/site-unique addresses (prefix fd), but I'm not quite sure what that is intended for.
My understanding is those are addresses that can be used within an organization, either through a router or not, but not accessible by the world.
That's the weird thing - it doesn't say so. At least not in wikipedia. The 40-bit site-id is supposed to be random, so the unique local address isn't guaranteed to be unique, but does have a very high probability of being so. The thing is - today's RFC1918 IPv4 addresses are obviously not unique, but also not routable, but what's with these most-probably-unique IPv6 addresses that appear to be routable? /Per -- Per Jessen, Zürich (9.8°C)
Per Jessen wrote:
James Knott wrote:
Per Jessen wrote:
NAT seems completely superfluous when the networks are dished out as /64. I did notice that there is a reserved range of private/local/site-unique addresses (prefix fd), but I'm not quite sure what that is intended for.
My understanding is those are addresses that can be used within an organization, either through a router or not, but not accessible by the world.
That's the weird thing - it doesn't say so. At least not in wikipedia. The 40-bit site-id is supposed to be random, so the unique local address isn't guaranteed to be unique, but does have a very high probability of being so. The thing is - today's RFC1918 IPv4 addresses are obviously not unique, but also not routable, but what's with these most-probably-unique IPv6 addresses that appear to be routable?
It's been a while since I read about it, but there are different tiers of addresses. The bottom address range is based strictly on the MAC address and is non-routeable. There are also other tiers that are limited to an organization or even to a part of the organization. These ranges are routeable, but not allowed on the internet, in the manner of RFC1918. Address ranges in IPv6 is a topic in and of itself.
NAT seems completely superfluous when the networks are dished out as /64. I did notice that there is a reserved range of private/local/site-unique addresses (prefix fd), but I'm not quite sure what that is intended for. My understanding is those are addresses that can be used within an organization, either through a router or not, but not accessible by the world. That's the weird thing - it doesn't say so. At least not in wikipedia.
Yea, that's a credible source. :)
The 40-bit site-id is supposed to be random, so the unique local address isn't guaranteed to be unique, but does have a very high probability of being so. The thing is - today's RFC1918 IPv4 addresses are obviously not unique, but also not routable, but what's with these most-probably-unique IPv6 addresses that appear to be routable? It's been a while since I read about it, but there are different tiers of addresses. The bottom address range is based strictly on the MAC address and is non-routeable. There are also other tiers that are limited to an organization or even to a part of the organization. These ranges are routeable, but not allowed on the internet, in the manner of RFC1918. Address ranges in IPv6 is a topic in and of itself.
2001::/16 - Allocated to RIRs
2002::/16 - Allocated to 6to4
fe80::/10 - Link local, those MAC-derived addresses, at least for Ethernet. It uses a mechanism known as SLAAC to come up with, at least on Ethernet, a theoretically unique address.
fec0::/10 - Site local, like 192.168.x.x, 10.x.x.x, etc...
fc00::/8 - Unique Local, allocation still up in the air last I knew. But these are like a real network address but not routeable (?).
fd00::/8 - Another kind of Unique Local, even more mysterious than fc00::/8. But you can get one from SixXS who seem to have appointed themselves as a registrar. This is what we use internally (one of these) for now.
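As an added example (not code from the thread or from any of its posters), the Python script below turns the address tiers Adam lists above, and the ULA layout Per describes (8-bit fd prefix, random 40-bit global ID, 16-bit subnet ID), into something you can run against your own address inventory: it classifies an address into a tier, builds a locally assigned fd00::/8 /64 with the RFC 4193 layout, and recovers the MAC address embedded in a SLAAC-style EUI-64 interface identifier (the privacy concern James raised). The tier labels and sample addresses are this example's own constructions.

```python
import ipaddress
import os
from typing import Optional

# Tiers from the thread, most specific first so 2002::/16 wins over 2000::/3.
# (Labels are this example's own, not terms from the original post.)
RANGES = [
    ("link-local", ipaddress.IPv6Network("fe80::/10")),
    ("site-local (deprecated by RFC 3879)", ipaddress.IPv6Network("fec0::/10")),
    ("unique local, locally assigned", ipaddress.IPv6Network("fd00::/8")),
    ("unique local, reserved", ipaddress.IPv6Network("fc00::/8")),
    ("6to4", ipaddress.IPv6Network("2002::/16")),
    ("global unicast", ipaddress.IPv6Network("2000::/3")),
]


def classify(addr: str) -> str:
    """Return the tier an IPv6 address belongs to, or 'other'."""
    a = ipaddress.IPv6Address(addr)
    for name, net in RANGES:
        if a in net:
            return name
    return "other"


def make_ula_prefix(global_id: Optional[bytes] = None,
                    subnet_id: int = 0) -> ipaddress.IPv6Network:
    """Build a /64 in fd00::/8 with the RFC 4193 layout: 8-bit prefix 0xfd,
    40-bit global ID (random, hence only probably unique), 16-bit subnet ID,
    then 64 zero bits where the interface identifier goes."""
    if global_id is None:
        global_id = os.urandom(5)
    if len(global_id) != 5:
        raise ValueError("global ID must be exactly 40 bits (5 bytes)")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID must fit in 16 bits")
    packed = b"\xfd" + global_id + subnet_id.to_bytes(2, "big") + bytes(8)
    return ipaddress.IPv6Network((ipaddress.IPv6Address(packed), 64))


def embedded_mac(addr: str) -> Optional[str]:
    """If the interface identifier is a modified EUI-64 (ff:fe inserted in the
    middle), recover the MAC it was built from; otherwise return None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[0:3] + iid[5:8])
    mac[0] ^= 0x02  # SLAAC flips the universal/local bit; flip it back
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    # Constructed sample addresses, not taken from any real host.
    for sample in ["fe80::221:70ff:fe9c:1234", "fd01:2345:6789:1::10",
                   "fc00::1", "2002:c000:204::1", "2001:db8::1", "fec0::1", "::1"]:
        print(f"{sample:28} {classify(sample):40} mac={embedded_mac(sample)}")
    print("fresh ULA /64:", make_ula_prefix(subnet_id=1))
```

Because the global ID is random rather than registered, two organisations can in principle pick the same fd00::/8 prefix; that is the "most probably unique" property Per is asking about, and it is why ULA space is meant to be filtered at site borders rather than relied on as globally unique. The `embedded_mac` check is a quick way to spot hosts whose SLAAC addresses leak their hardware address.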
Adam Tauno Williams wrote:
NAT seems completely superfluous when the networks are dished out as /64. I did notice that there is a reserved range of private/local/site-unique addresses (prefix fd), but I'm not quite sure what that is intended for. My understanding is those are addresses that can be used within an organization, either through a router or not, but not accessible by the world. That's the weird thing - it doesn't say so. At least not in wikipedia.
Yea, that's a credible source. :)
Hardly reference material, but I figured the IPv6 material wouldn't exactly be hot controversial stuff :-)
fe80::/10 - Link local, those MAC-derived addresses, at least for Ethernet. It uses a mechanism known as SLAAC to come up with, at least on Ethernet, a theoretically unique address.
Reuse of MAC ranges has been heard of.
fec0::/10 - Site local, like 192.168.x.x, 10.x.x.x, etc...
RFC3879 deprecated those, but doesn't seem to propose any alternative. /Per -- Per Jessen, Zürich (9.9°C)
On Fri, 2009-10-23 at 10:30 -0400, James Knott wrote:
Per Jessen wrote:
G T Smith wrote:
The wiki article below seems to suggest that implementing a form of NAT for IPv6 is under discussion by the IETF...
http://en.wikipedia.org/wiki/IPv6
Also suggests the implementation is not exactly consistent (or as simple as intended)...
NAT seems completely superfluous when the networks are dished out as /64. I did notice that there is a reserved range of private/local/site-unique addresses (prefix fd), but I'm not quite sure what that is intended for.
My understanding is those are addresses that can be used within an organization, either through a router or not, but not accessible by the world. This is exactly what NAT provides, beyond using local RFC1918 addresses. I suspect this may be a case of someone raising a question because they don't understand the situation.
Could it have something to do with hooking up IPv4 RFC1918 nodes on an IPv6 network? Some machines will never be able to speak v6, and I'm not sure how to do address translation with ip(6)tables. (I mean, in case one does not have a public IPv4 address anymore.) hw
Per Jessen wrote:
fe80::/10 - Link local, those MAC-derived addresses, at least for Ethernet. It uses a mechanism known as SLAAC to come up with, at least on Ethernet, a theoretically unique address.
Reuse of MAC ranges has been heard of.
That's only an issue if dupes appear on the same local network, otherwise, the address, as a whole, is still unique.
James Knott wrote:
Per Jessen wrote:
fe80::/10 - Link local, those MAC-derived addresses, at least for Ethernet. It uses a mechanism known as SLAAC to come up with, at least on Ethernet, a theoretically unique address.
Reuse of MAC ranges has been heard of.
That's only an issue if dupes appear on the same local network, otherwise, the address, as a whole, is still unique.
To clarify, that should be "the IP address, as a whole, is still unique".
Adam Tauno Williams wrote:
The 40-bit site-id is supposed to be random, so the unique local address isn't guaranteed to be unique, but does have a very high probability of being so. The thing is - today's RFC1918 IPv4 addresses are obviously not unique, but also not routable, but what's with these most-probably-unique IPv6 addresses that appear to be routable? It's been a while since I read about it, but there are different tiers of addresses. The bottom address range is based strictly on the MAC address and is non-routeable. There are also other tiers that are limited to an organization or even to a part of the organization. These ranges are routeable, but not allowed on the internet, in the manner of RFC1918. Address ranges in IPv6 is a topic in and of itself.
2001::/16 - Allocated to RIRs
2002::/16 - Allocated to 6to4
fe80::/10 - Link local, those MAC-derived addresses, at least for Ethernet. It uses a mechanism known as SLAAC to come up with, at least on Ethernet, a theoretically unique address.
fec0::/10 - Site local, like 192.168.x.x, 10.x.x.x, etc...
fc00::/8 - Unique Local, allocation still up in the air last I knew. But these are like a real network address but not routeable (?).
fd00::/8 - Another kind of Unique Local, even more mysterious than fc00::/8. But you can get one from SixXS who seem to have appointed themselves as a registrar. This is what we use internally (one of these) for now.
This really illustrates an issue which will probably put many of those with more complex infrastructures off from being early adopters of the technology. (BTW in this context it is easy to confuse size with complexity, big can be quite simple). This is a bit of a catch-22 situation: until network specialists have an idea of how this technology will behave in complex environments they will be wary about adopting it in such environments, however to get an idea of how it will behave someone has to implement it in an appropriate real scenario (and share the results). No one really wants to be the first person to shoot themselves in the foot (at least not publicly :-) ). A fair number of people who have reached the position to manage these things will have learnt the hard way there is often more pain than gain in being an early adopter of a new technology.
On Sat, 2009-10-24 at 11:15 +0100, G T Smith wrote:
Adam Tauno Williams wrote:
The 40-bit site-id is supposed to be random, so the unique local address isn't guaranteed to be unique, but does have a very high probability of being so. The thing is - today's RFC1918 IPv4 addresses are obviously not unique, but also not routable, but what's with these most-probably-unique IPv6 addresses that appear to be routable? It's been a while since I read about it, but there are different tiers of addresses. The bottom address range is based strictly on the MAC address and is non-routeable. There are also other tiers that are limited to an organization or even to a part of the organization. These ranges are routeable, but not allowed on the internet, in the manner of RFC1918. Address ranges in IPv6 is a topic in and of itself.
2001::/16 - Allocated to RIRs
2002::/16 - Allocated to 6to4
fe80::/10 - Link local, those MAC-derived addresses, at least for Ethernet. It uses a mechanism known as SLAAC to come up with, at least on Ethernet, a theoretically unique address.
fec0::/10 - Site local, like 192.168.x.x, 10.x.x.x, etc...
fc00::/8 - Unique Local, allocation still up in the air last I knew. But these are like a real network address but not routeable (?).
fd00::/8 - Another kind of Unique Local, even more mysterious than fc00::/8. But you can get one from SixXS who seem to have appointed themselves as a registrar. This is what we use internally (one of these) for now.
This really illustrates an issue which will probably put many of those with more complex infrastructures off from being early adopters of the technology. (BTW in this context it is easy to confuse size with complexity, big can be quite simple). This is a bit of a catch-22 situation: until network specialists have an idea of how this technology will behave in complex environments they will be wary about adopting it in such environments,
I just don't see it; and I have 18 sites, 22 T1s, fiber connections, and VPNs. **** IPv6 IS SIMPLER IN "COMPLEX" ENVIRONMENTS ****
however to get an idea of how it will behave someone has to implement it in an appropriate real scenario (and share the results).
There are many networks that have (Comcast, for example).
No one really wants to be the first person to shoot themselves in the foot (at least not publicly :-) ). A fair number of people who have reached the position to manage these things will have learnt the hard way there is often more pain than gain in being an early adopter of a new technology.
IPv6 is *NOT* a "new technology". Not even close. XP supported IPv6, Vista did [by default!], and now there is Windows 7. So even on M$ it is *THREE* OS revs old. It has been supported in LINUX since 2.4! It has been supported in Cisco IOS since late 11.x. How long does something have to be around before it isn't "new" anymore? Calling someone who implements IPv6 *now* as cutting or leading edge is ridiculous. And as several periodicals have pointed out - YOU ARE RUNNING IPv6! Unless you have explicitly disabled it on every new workstation, server, printer, etc... [or you have all very old crap] you very likely have IPv6 running on your network - it auto-configures. If your routers, firewalls, and policies do not deal with IPv6 you have a serious security problem. Just making IPv6 officially supported is in the end, I believe, just more prudent and simpler than fighting to disable it in every device and blocking it at every switch, router, and firewall.
Adam Tauno Williams wrote:
IPv6 is *NOT* a "new technology". Not even close.
Umm, the implementation is quite new though - otherwise we would surely not have had bugs such as this: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503912 (getaddrinfo() doesn't deliver IPv4 mapped as IPv6 when asked for it). reported less than 12 months ago.
XP supported IPv6, Vista did [by default!], and now there is Windows 7. So even on M$ it is *THREE* OS revs old. It has been supported in LINUX since 2.4!
In the kernel yes, but what about the distros? How solid is openSUSE wrt IPv6 for instance?
It has been supported in Cisco IOS since late 11.x. How long does something have to be around before it isn't "new" anymore? Calling someone who implements IPv6 *now* as cutting or leading edge is ridiculous.
No it isn't. Get real, Adam. The support is not out there. Most providers are only just now beginning to dabble with it. Commodity hardware does not yet support it. When 99% of the community has yet to implement it, the first 1% doing so IS cutting edge.
And as several periodicals have pointed out - YOU ARE RUNNING IPv6! Unless you have explicitly disabled it on every new workstation, server, printer, etc... [or you have all very old crap] you very likely have IPv6 running on your network - it auto-configures. If your routers, firewalls, and policies do not deal with IPv6 you have a serious security problem.
Haha, you're surely joking. My router doesn't deal with IPv6, it doesn't know what it is. My firewall ditto and my "policies" too. My printer which is less than two years old has no clue about IPv6. My Netgear wireless AP, also about two years old, has no clue. Doesn't create any serious security problem for me - coz' despite IPv6 being present, nothing actually uses it! /Per -- Per Jessen, Zürich (9.4°C)
On Sat, 2009-10-24 at 22:08 +0200, Per Jessen wrote:
Adam Tauno Williams wrote:
IPv6 is *NOT* a "new technology". Not even close.
Umm, the implementation is quite new though - otherwise we would surely not have had bugs such as this:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503912 (getaddrinfo() doesn't deliver IPv4 mapped as IPv6 when asked for it).
reported less than 12 months ago.
XP supported IPv6, Vista did [by default!], and now there is Windows 7. So even on M$ it is *THREE* OS revs old. It has been supported in LINUX since 2.4!
In the kernel yes, but what about the distros? How solid is openSUSE wrt IPv6 for instance?
It has been supported in Cisco IOS since late 11.x. How long does something have to be around before it isn't "new" anymore? Calling someone who implements IPv6 *now* as cutting or leading edge is ridiculous.
No it isn't. Get real, Adam. The support is not out there. Most providers are only just now beginning to dabble with it. Commodity hardware does not yet support it. When 99% of the community has yet to implement it, the first 1% doing so IS cutting edge.
And as several periodicals have pointed out - YOU ARE RUNNING IPv6! Unless you have explicitly disabled it on every new workstation, server, printer, etc... [or you have all very old crap] you very likely have IPv6 running on your network - it auto-configures. If your routers, firewalls, and policies do not deal with IPv6 you have a serious security problem.
Haha, you're surely joking. My router doesn't deal with IPv6, it doesn't know what it is. My firewall ditto and my "policies" too. My printer which is less than two years old has no clue about IPv6. My Netgear wireless AP, also about two years old, has no clue. Doesn't create any serious security problem for me - coz' despite IPv6 being present, nothing actually uses it!
That's funny, a friend of mine just bought a simple Brother printer, which supports IPv6. Not the first piece of equipment on my shortlist of stuff I would want to support it, but they do, out of the box. And as said: bsd, linux, slowaris, ios, hp-ux, xp, vista, they all support it. Better slowly grow into it, than have to do a crash action in a year or two's time. I shouldn't make it a top priority item on your agenda, but make sure it is on your agenda. Just when doing a new project: some parts should have been dealt with, like security, support, documentation, IPv6.
Hans Witvliet pecked at the keyboard and wrote:
On Sat, 2009-10-24 at 22:08 +0200, Per Jessen wrote:
Adam Tauno Williams wrote:
<snip>
Just when doing a new project: some parts should have been dealt with, like security, support, documentation, IPv6.
Can someone explain what security IPv6 offers over IPv4? As all they are are addresses, with IPv6 offering a far greater range, I fail to see the significance one would have over the other in that regard. -- Ken Schneider SuSe since Version 5.2, June 1998
On Sat, 2009-10-24 at 17:28 -0400, Ken Schneider - openSUSE wrote:
Hans Witvliet pecked at the keyboard and wrote:
On Sat, 2009-10-24 at 22:08 +0200, Per Jessen wrote:
Adam Tauno Williams wrote:
<snip>
Just when doing a new project: some parts should have been dealt with, like security, support, documentation, IPv6.
Can someone explain what security IPv6 offers over IPv4?
None. The approach for security issues with IPv6 and IPv4 is the same.
As all they are are addresses, with IPv6 offering a far greater range, I fail to see the significance one would have over the other in that regard.
There is no significance. You need firewalls and policies just like with IPv4. But if you block port XYZ for IPv4 you need to make sure that port XYZ is blocked for IPv6 - the 'firewall' stacks are independent on most platforms. Tools like fwbuilder work with IPv6 as well as IPv4, so if you are using old versions of those tools you just need to upgrade your tool set. http://www.fwbuilder.org/
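An added example, not from the thread or from fwbuilder, of the parity check Adam's post calls for: because iptables and ip6tables keep independent rule sets, the script below parses iptables-save / ip6tables-save style dumps for both stacks and reports every (chain, protocol, port) that is dropped or rejected for IPv4 but has no matching block for IPv6. The two rule dumps are constructed sample input; the parser understands only the -A, -p, --dport and -j options it needs, and ignores other matches.

```python
import re
from typing import Set, Tuple

# Constructed sample dumps in iptables-save / ip6tables-save format (not real configs).
V4_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p udp -m udp --dport 161 -j DROP
COMMIT
"""

V6_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
COMMIT
"""

Blocked = Set[Tuple[str, str, int]]


def parse_blocked(rules: str) -> Blocked:
    """Collect (chain, proto, dport) for every -A rule whose target is DROP or REJECT.
    Only -A/-p/--dport/-j are interpreted; lines without a port match are skipped."""
    blocked: Blocked = set()
    for raw in rules.splitlines():
        line = raw.strip()
        if not line.startswith("-A "):
            continue
        chain = re.match(r"-A\s+(\S+)", line).group(1)
        proto = re.search(r"(?:^|\s)-p\s+(\S+)", line)
        port = re.search(r"--dport\s+(\d+)", line)
        target = re.search(r"(?:^|\s)-j\s+(\S+)", line)
        if proto and port and target and target.group(1) in ("DROP", "REJECT"):
            blocked.add((chain, proto.group(1), int(port.group(1))))
    return blocked


def parity_gaps(v4_rules: str, v6_rules: str) -> Blocked:
    """Ports blocked in the IPv4 rule set with no equivalent block in the IPv6 set."""
    return parse_blocked(v4_rules) - parse_blocked(v6_rules)


if __name__ == "__main__":
    for chain, proto, port in sorted(parity_gaps(V4_RULES, V6_RULES)):
        print(f"blocked for IPv4 only: {chain} {proto}/{port}")
```

Feed it the real output of `iptables-save` and `ip6tables-save` instead of the constructed strings to audit a host. One caveat when closing the gaps it reports: the IPv6 policy cannot be a blind copy of the IPv4 one, since IPv6 depends on ICMPv6 for neighbour discovery and router advertisements, so a blanket drop of ICMPv6 breaks connectivity on the link.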
XP supported IPv6, Vista did [by default!], and now there is Windows 7. So even on M$ it is *THREE* OS revs old. It has been supported in LINUX since 2.4! In the kernel yes, but what about the distros? How solid is openSUSE wrt IPv6 for instance?
I use it 8 hours a day, five days a week. Works fine.
It has been supported in Cisco IOS since late 11.x. How long does something have to be around before it isn't "new" anymore? Calling someone who implements IPv6 *now* as cutting or leading edge is ridiculous. No it isn't. Get real, Adam. The support is not out there. Most providers are only just now beginning to dabble with it.
What does provider support have to do with deploying IPv6 on your network? There is zero reason to wait for your provider - in fact, that is a bad idea. When your provider shows up with IPv6 support you won't be ready to exploit it.
Commodity hardware does not yet support it.
I'm not sure what "commodity hardware" is. If you mean what you can buy at Best Buy... that junk doesn't belong on a real network. It doesn't support lots of things that it should.
When 99% of the community has yet to implement it, the first 1% doing so IS cutting edge.
What community are you talking about? We run an almost 100% Open Source stack and everything - Postfix, Cyrus IMAPd, PostgreSQL, Apache, OpenLDAP, Bind, CUPS, SSH, Mono, Python, ... - supports IPv6 (and have for awhile). I'd be highly suspect of a project's viability if at this point it didn't support IPv6. -- openSUSE http://www.opensuse.org/en/ Linux for human beings who need to get things done.
Haha, you're surely joking. My router doesn't deal with IPv6, it doesn't know what it is. My firewall ditto and my "policies" too. My printer which is less than two years old has no clue about IPv6. My Netgear wireless AP, also about two years old, has no clue. Doesn't create any serious security problem for me - coz' despite IPv6 being present, nothing actually uses it! That's funny, a friend of mine just bought a simple Brother printer, which supports IPv6. Not the first piece of equipment on my shortlist of stuff I would want to support it, but they do, out of the box.
Yep, Brother has been ahead of the curve for awhile. I was surprised when we did the review that our Brother document centers supported IPv6. The HP LaserJet 4200s don't.
And as said: bsd, linux, slowaris, ios, hp-ux, xp, vista, they all support it. Better slowly grow into it, than have to do a crash action in a year or two's time. I shouldn't make it a top priority item on your agenda, but make sure it is on your agenda. Just when doing a new project: some parts should have been dealt with, like security, support, documentation, IPv6.
Adam Tauno Williams wrote:
XP supported IPv6, Vista did [by default!], and now there is Windows 7. So even on M$ it is *THREE* OS revs old. It has been supported in LINUX since 2.4! In the kernel yes, but what about the distros? How solid is openSUSE wrt IPv6 for instance?
I use it 8 hours a day, five days a week. Works fine.
Sounds good.
When 99% of the community has yet to implement it, the first 1% doing so IS cutting edge.
What community are you talking about?
The community of IT users.
We run an almost 100% Open Source stack and everything - Postfix, Cyrus IMAPd, PostgreSQL, Apache, OpenLDAP, Bind, CUPS, SSH, Mono, Python, ... - supports IPv6 (and have for awhile).
Well, you might just be the 0.01% out on the bleeding edge then. /Per -- Per Jessen, Zürich (12.1°C)
Hans Witvliet wrote:
A friend of mine just bought a simple Brother printer, which supports IPv6. Not the first piece of equipment on my shortlist of stuff I would want to support it, but they do, out of the box.
And as said: bsd, linux, slowaris, ios, hp-ux, xp, vista, they all support it.
Operating systems. I took a quick look around to spot what I've got that is IPv4-only:
Cisco SPA9XX phones.
Kyocera printers.
MySQL
Asterisk
APC SmartUPS
Leased servers in external datacentre
Netgear Wireless AP (one).
Visiting people's laptops.
Better to slowly grow into it than to have to do a crash action in a year or two's time. I shouldn't make it a top priority item on your agenda, but make sure it is on your agenda.
If it's not on the top of the list, it most probably will slide further down and end up not getting done :-( I totally agree that any sane person (who is involved with computing) should be at least thinking of IPv6. However, to suggest that it isn't still bleeding edge (as Adam does) is just silly. /Per -- Per Jessen, Zürich (12.2°C)
Adam Tauno Williams wrote:
I use it 8 hours a day, five days a week. Works fine.
It has been supported in Cisco IOS since late 11.x. How long does something have to be around before it isn't "new" anymore? Calling someone who implements IPv6 *now* as cutting or leading edge is ridiculous. No it isn't. Get real, Adam. The support is not out there. Most providers are only just now beginning to dabble with it.
What does provider support have to do with deploying IPv6 on your network? There is zero reason to wait for your provider - in fact, that is a bad idea. When your provider shows up with IPv6 support you won't be ready to exploit it.
I think someone is living in cloud cuckoo land here. You may be lucky in that someone is prepared to resource your requirements, and maybe that infrastructure was built from scratch. Older infrastructures may have all sorts of weird and wonderful kludges which support different things which may or may not be critical to business function, and which may or may not be properly and accurately documented. Many of those who run these have to struggle to get the resources to support the network infrastructure that they have already got, let alone create the network infrastructure they would like to have, and in the current economic environment this is not likely to get any better. IT departments are often very low in the organisational pecking order or frequently very unpopular in the organisation if they are not, so unfortunately tend to get the crumbs from the table and the blame when everything goes pear shaped as a consequence of under-resourcing. The comments are very idealistic, and not really based on the practicalities of the bigger picture. It would be nice to have a magic wand to make everything better, but these are in short supply. I think anyone designing a new (or a fundamental update of a) commercial network infrastructure around IPv4 is probably not entirely sane, but the growth of IPv6 is mainly going to be determined by the rate of update of physical infrastructure. This process is not going to be fast. On the other hand there are few (if any) benefits for IPv6 deployment on home networks, and it is surprising how much home kit is state of the Ark.
--
I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone.
Bjarne Stroustrup
Per Jessen pecked at the keyboard and wrote:
Hans Witvliet wrote:
A friend of mine just bought a simple Brother printer, which supports IPv6. Not the first piece of equipment on my shortlist of stuff I would want to support it, but they do, out of the box.
And as said: bsd, linux, slowaris, ios, hp-ux, xp, vista, they all support it.
Operating systems. I took a quick look around to spot what I've got that is IPv4-only:
Cisco SPA9XX phones.
Kyocera printers.
MySQL
Asterisk
APC SmartUPS
Leased servers in external datacentre
Netgear Wireless AP (one).
Visiting people's laptops.
Better to slowly grow into it than to have to do a crash action in a year or two's time. I shouldn't make it a top priority item on your agenda, but make sure it is on your agenda.
If it's not on the top of the list, it most probably will slide further down and end up not getting done :-(
I totally agree that any sane person (who is involved with computing) should be at least thinking of IPv6. However, to suggest that it isn't still bleeding edge (as Adam does) is just silly.
/Per
This is an article from 1997: http://www.linuxhq.com/IPv6/radvd.html Is IPv6 bleeding edge, no, little used, yes. It's been around over 10 years! How long does something need to be available to stop being "bleeding edge"? -- Ken Schneider SuSe since Version 5.2, June 1998
Ken Schneider - openSUSE wrote:
This is an article from 1997: http://www.linuxhq.com/IPv6/radvd.html
Is IPv6 bleeding edge, no, little used, yes. It's been around over 10 years! How long does something need to be available to stop being "bleeding edge"?
I think perhaps you are confusing "been available for over ten years" with "been working well and mostly bugfree for ten years". Like I said last night, when bugs such as this: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503912 (getaddrinfo() doesn't deliver IPv4 mapped as IPv6 when asked for it) were reported less than 12 months ago, IPv6 hasn't even been working well and mostly bugfree for 12 months. /Per -- Per Jessen, Zürich (12.8°C)
On Sat, 2009-10-24 at 19:31 -0400, Adam Tauno Williams wrote:
On Sat, 2009-10-24 at 17:28 -0400, Ken Schneider - openSUSE wrote:
Hans Witvliet pecked at the keyboard and wrote:
On Sat, 2009-10-24 at 22:08 +0200, Per Jessen wrote:
Adam Tauno Williams wrote:
<snip> Just when doing a new project: some parts should have been dealt with, like security, support, documentation, IPv6.
Can someone explain what security IPv6 offers over IPv4?
None. The approach for security issues with IPv6 and IPv4 is the same.
As all they are are addresses, with IPv6 offering a far greater range, I fail to see the significance one would have over the other in that regard.
There is no significance. You need firewalls and policies just like with IPv4. But if you block port XYZ for IPv4 you need to make sure that port XYZ is blocked for IPv6 - the 'firewall' stacks are independent on most platforms.
Tools like fwbuilder work with IPv6 as well as IPv4, so if you are using old versions of those tools you just need to upgrade your tool set. http://www.fwbuilder.org/
There are some security aspects. The good one is that one doesn't need something like openvpn or ipsec on top of IP(v4), as it is already included in IPv6. The bad one: you have to be aware that *current* firewall rules apply only to IPv4 (and probably also host allow/deny). It means that in the early days of migration (especially if people are not aware of providers suddenly presenting a dual stack to their customers) they will find their network highly exposed.... (imho that's the main reason for getting your feet wet early) Oh, btw, it also solves the problem of having multiple apache ssl-vhosts. As you get some millions of private routable addresses you can give each apache-server its own address, instead of just a name. So that's another good one. hw
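As an added illustration of the point above that the IPv4 and IPv6 filter stacks are independent (this is example code, not something posted in the thread): a small Python checker that reads iptables-save and ip6tables-save output and lists ports explicitly blocked for IPv4 but not for IPv6. The two rule dumps embedded below are constructed for the demo; on a real host you would feed it the output of `iptables-save` and `ip6tables-save`.

```python
"""
Constructed example: compare an iptables-save dump with an ip6tables-save dump
and report TCP/UDP ports that are blocked (DROP/REJECT) for IPv4 but have no
matching block in the IPv6 rule set. Both rule dumps below are made up for
the demo and are not from any real host.
"""
import re
from typing import Optional, Set, Tuple

# Constructed IPv4 rule dump (iptables-save text format).
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p tcp -m tcp --dport 5060 -j DROP
-A INPUT -p udp -m udp --dport 161 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# Constructed IPv6 rule dump: someone mirrored only part of the IPv4 policy.
IP6TABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
COMMIT
"""

RULE_RE = re.compile(r"^-A (\S+)(?P<rest>.*)$")
PROTO_RE = re.compile(r"-p (tcp|udp)\b")
DPORT_RE = re.compile(r"--dport (\d+)")
TARGET_RE = re.compile(r"-j (\S+)")
POLICY_RE = re.compile(r"^:(\S+) (ACCEPT|DROP|REJECT) ")

Block = Tuple[str, int]  # (protocol, destination port)


def parse_dump(text: str, chain: str = "INPUT") -> Tuple[Optional[str], Set[Block]]:
    """Return (chain policy, set of explicitly blocked proto/port pairs) for one chain."""
    policy = None
    blocked: Set[Block] = set()
    for line in text.splitlines():
        pm = POLICY_RE.match(line)
        if pm and pm.group(1) == chain:
            policy = pm.group(2)
            continue
        m = RULE_RE.match(line)
        if not m or m.group(1) != chain:
            continue
        rest = m.group("rest")
        proto = PROTO_RE.search(rest)
        dport = DPORT_RE.search(rest)
        target = TARGET_RE.search(rest)
        if proto and dport and target and target.group(1) in ("DROP", "REJECT"):
            blocked.add((proto.group(1), int(dport.group(1))))
    return policy, blocked


def ipv6_gaps(v4_dump: str, v6_dump: str, chain: str = "INPUT") -> Set[Block]:
    """Ports blocked by an explicit IPv4 rule that no IPv6 rule blocks.

    If the IPv6 chain's default policy is DROP, everything not explicitly
    accepted is already blocked, so there are no gaps to report.
    """
    _, v4_blocked = parse_dump(v4_dump, chain)
    v6_policy, v6_blocked = parse_dump(v6_dump, chain)
    if v6_policy == "DROP":
        return set()
    return v4_blocked - v6_blocked


if __name__ == "__main__":
    for proto, port in sorted(ipv6_gaps(IPTABLES_SAVE, IP6TABLES_SAVE)):
        print(f"{proto}/{port} is blocked in iptables but not in ip6tables")
```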
Hans Witvliet wrote:
It means that in the early days of migration (specially if people are not aware of providers suddenly present a dual stack to their customers) will find their network highly exposed.... (imho that's the main reason for getting your feet wet early)
Is that a _real_ issue to worry about, Hans? If a customer is IPv4-only, and his provider decides to offer IPv6 too without telling the customer, I don't see that changing anything for the customer. His network equipment isn't just going to switch into dual-stack just like that. For instance, my provider set up IPv6 on my ADSL line Thursday night, and didn't tell me until Friday morning. I can assure you it did not affect my site security at all.
Oh, btw, it also solves the problem of having multiple apache ssl-vhosts.
I was just reading an article about that in the most recent c't (#23 - "SSL fuer virtuelle Server"). It mentions something called "TLS Server Name Indication" - seems like Apache has had support since 2.2.12. /Per -- Per Jessen, Zürich (12.8°C)
On Sun, 2009-10-25 at 08:48 -0400, Ken Schneider - openSUSE wrote:
Per Jessen pecked at the keyboard and wrote:
Hans Witvliet wrote:
A friend of mine just bought a simple Brother printer, which supports IPv6. Not the first piece of equipment on my shortlist of stuff I would want to support it, but they do, out of the box. And as said: bsd, linux, slowaris, ios, hp-ux, xp, vista, they all support it.
Operating systems. I took a quick look around to spot what I've got that is IPv4-only: Kyocera printers.
We have the same issue with ~30 HP 4200n printers. Clients talk to the CUPS print server via IPv6. CUPS talks to the printer using IPv6 if there is an IPv6 DNS entry, otherwise it uses the IPv4 entry. This is entirely transparent - and we just require IPv6 on all new printers.
Cisco SPA9XX phones MySQL Asterisk
So you have a couple of legacy services that won't do IPv6, let them continue to use IPv4. If you publish an IPv6 DNS record clients will use that [at least for Windows Vista and LINUX]. If there is no IPv6 DNS entry they fall back to IPv4. I just don't see why a couple of legacy services should hold-up beginning the roll-out of IPv6. <aside>Of course, at least in the case of MySQL, I always recommend upgrading to something else anyway. If it takes them as long to support IPv6 as it did to support transactions, constraints, etc....</aside>
APC SmartUPS
Hardly a deal breaker. Our UPSs, server IPMI cards, and DS1/DS3 multiplexors don't support IPv6. These types of devices tend to have even crappier IPv4 support. So long as the NMS can reach them it doesn't matter - no one is suggesting turning off IPv4. And this type of gear is usually on its own vLAN anyway - the thought of someone plugging a laptop into your network, getting a DHCP lease, and then probing for your UPSs (which is easy) is disturbing. I trust APC's stack about as far as I can toss the batteries.
Leased servers in external datacentre
Really? They don't even show an fe80::*
Netgear Wireless AP (one).
Your AP doesn't need to support IPv6 to bear IPv6 traffic.
visiting peoples laptops.
Better to slowly grow into it than to have to do a crash action in a year or two's time. I shouldn't make it a top priority item on your agenda, but make sure it is on your agenda. If it's not on the top of the list, it most probably will slide further down and end up not getting done :-( I totally agree that any sane person (who is involved with computing) should be at least thinking of IPv6. However, to suggest that it isn't still bleeding edge (as Adam does) is just silly. This is an article from 1997: http://www.linuxhq.com/IPv6/radvd.html Is IPv6 bleeding edge, no, little used, yes. It's been around over 10 years! How long does something need to be available to stop being "bleeding edge"?
Little used?
You can access Google via IPv6
Comcast's entire internal network
USA's Department of Defense
Microsoft
I don't accept the "little used" position. Proportionately very small via IPv4, yes. But positing "little used" requires a very myopic look at the landscape - restricted only to Internet traffic. There are many very large IPv6 deployments. -- openSUSE http://www.opensuse.org/en/ Linux for human beings who need to get things done.
It means that in the early days of migration (specially if people are not aware of providers suddenly present a dual stack to their customers) will find their network highly exposed.... (imho that's the main reason for getting your feet wet early) Is that a _real_ issue to worry about, Hans? If a customer is IPv4-only, and his provider decides to offer IPv6 too without telling the customer, I don't see that changing anything for the customer. His network equipment isn't just going to switch into dual-stack just like that. For instance, my provider set up IPv6 on my ADSL line Thursday night, and didn't tell me until Friday morning. I can assure you it did not affect my site security at all.
Your provider has nothing to do with it.
(a) I enter your building and plug into your network.
(b) I instantly have an IPv6 link-local address.
(c) I can communicate with all IPv6 enabled devices:
- Every Windows Vista / 7 box
- Every LINUX box
- Most UNIX boxes
- Possibly your switches and other devices.
* Unless you have manually disabled IPv6 on all the above.
(d) Your IPv4 firewalls on those devices don't do anything to stop me.
This has been demonstrated, and malware can use IPv6 internally too. Your connection to your &@^&*! provider is not the only attack surface on your network. It probably isn't even your most significant. It is pretty well documented that (a) is frighteningly easy to do most places. -- OpenGroupware developer: awilliam@whitemice.org http://whitemiceconsulting.blogspot.com/ OpenGroupware & Cyrus IMAPd documentation @ http://docs.opengroupware.org/Members/whitemice/wmogag/file_view
Adam Tauno Williams wrote:
On Sun, 2009-10-25 at 08:48 -0400, Ken Schneider - openSUSE wrote:
Per Jessen pecked at the keyboard and wrote:
Hans Witvliet wrote:
A friend of mine just bought a simple Brother printer, which supports IPv6. Not the first piece of equipment on my shortlist of stuff I would want to support it, but they do, out of the box. And as said: bsd, linux, slowaris, ios, hp-ux, xp, vista, they all support it. Operating systems. I took a quick look around to spot what I've got that is IPv4-only: Kyocera printers.
We have the same issue with ~30 HP 4200n printers. Clients talk to the CUPS print server via IPv6. CUPS talks to the printer using IPv6 if there is an IPv6 DNS entry, otherwise it uses the IPv4 entry.
So your print-server has both IPv4 and IPv6, right?
Cisco SPA9XX phones MySQL Asterisk
So you have a couple of legacy services that won't do IPv6, let them continue to use IPv4.
I wouldn't exactly call them legacy, they're mission critical, but yes, there's no other option but to leave them on IPv4.
If you publish an IPv6 DNS record clients will use that [at least for Windows Vista and LINUX]. If there is no IPv6 DNS entry they fall back to IPv4. I just don't see why a couple of legacy services should hold-up beginning the roll-out of IPv6.
No, they shouldn't and they won't in our case. It was only to point out that anything but a home user environment will very likely be dual-stack, maybe for years to come, despite various operating system having full IPv6 support.
APC SmartUPS
Hardly a deal breaker.
Nope.
And this type of gear is usually on its own vLAN anyway - the thought of someone plugging a laptop into your network, getting a DHCP lease, and then probing for your UPSs (which is easy) is disturbing. I trust APCs stack about as far as I can toss the batteries.
haha, good one. I'm not worried about anyone hacking into a UPS, their access and any visiting guests network use is very restricted.
Leased servers in external datacentre
Really? They don't even show an fe80::*
Of course, but that doesn't make them very useable for external IPv6 clients. Which is our main reason for doing IPv6. /Per -- Per Jessen, Zürich (12.8°C)
Adam Tauno Williams wrote:
It means that in the early days of migration (specially if people are not aware of providers suddenly present a dual stack to their customers) will find their network highly exposed.... (imho that's the main reason for getting your feet wet early) Is that a _real_ issue to worry about, Hans? If a customer is IPv4-only, and his provider decides to offer IPv6 too without telling the customer, I don't see that changing anything for the customer. His network equipment isn't just going to switch into dual-stack just like that. For instance, my provider set up IPv6 on my ADSL line Thursday night, and didn't tell me until Friday morning. I can assure you it did not affect my site security at all.
Your provider has nothing to do with it.
Well, yes, that is what Hans and I were talking about. As for your scenario of a malicious user gaining access to my internal network, well, that is not a genuine concern to me. /Per -- Per Jessen, Zürich (12.7°C)
Ken Schneider - openSUSE wrote:
Hans Witvliet pecked at the keyboard and wrote:
On Sat, 2009-10-24 at 22:08 +0200, Per Jessen wrote:
Adam Tauno Williams wrote:
<snip>
Just when doing a new project: some parts should have been dealt with, like security, support, documentation, IPv6.
Can someone explain what security IPv6 offers over IPv4? As all they are are addresses, with IPv6 offering a far greater range, I fail to see the significance one would have over the other in that regard.
IPSec encryption is directly supported in IPv6.
G T Smith wrote:
On the other hand there are few (if any) benefits for IPv6 deployment on home networks, and it is surprising how much home kit is state of the Ark.
Many people like to access devices remotely. With IPv6, it's a simple matter to make all of them accessible from elsewhere. With IPv4, if you're assigned one address from your ISP, you have to start forwarding non-standard port numbers to reach the various devices.
Ken Schneider - openSUSE wrote:
This is an article from 1997: http://www.linuxhq.com/IPv6/radvd.html
Is IPv6 bleeding edge, no, little used, yes. It's been around over 10 years! How long does something need to be available to stop being "bleeding edge"?
I first read about IPv6 in Byte magazine, back in 1995.
On Sun, 2009-10-25 at 14:23 +0100, Per Jessen wrote:
Hans Witvliet wrote:
It means that in the early days of migration (specially if people are not aware of providers suddenly present a dual stack to their customers) will find their network highly exposed.... (imho that's the main reason for getting your feet wet early)
Is that a _real_ issue to worry about, Hans? If a customer is IPv4-only, and his provider decides to offer IPv6 too without telling the customer, I don't see that changing anything for the customer. His network equipment isn't just going to switch into dual-stack just like that. For instance, my provider set up IPv6 on my ADSL line Thursday night, and didn't tell me until Friday morning. I can assure you it did not affect my site security at all.
I think so. Systems can have their DHCP set-up in different ways: IPv4-only, IPv6-only and both IPv4 AND IPv6. As long as your provider only hands out v4 addresses, all works well, and the client just keeps on polling for ever. But as soon as your ISP "sees the light" and gives you both a v4 AND a v6 address, and your v6 rule-set is "accept anyone from anywhere", you might (!) end up in shit-creek. <<<<<< find your system compromised. Unless you have your ip6tables rule set changed to default drop-anything, which implies that one has started to think/do something with IPv6, which was the main issue I made.
Oh, btw, it also solves the problem of having multiple apache ssl-vhosts.
I was just reading an article about that in the most recent c't (#23 - "SSL fuer virtuelle Server"). It mentions something called "TLS Server Name Indication" - seems like Apache has had support since 2.2.12.
Yes, there are some workarounds, with address-mod-rewrite, but then you use one certificate for all webservers. And with IPv6 you can simply give all webservers their own legitimate certificate. hw
Hans Witvliet wrote:
On Sun, 2009-10-25 at 14:23 +0100, Per Jessen wrote:
Is that a _real_ issue to worry about, Hans? If a customer is IPv4-only, and his provider decides to offer IPv6 too without telling the customer, I don't see that changing anything for the customer. [snip] I think so. Systems can have their DHCP set-up in different ways: IPv4-only, IPv6-only and both IPv4 AND IPv6. As long as your provider only hands out v4 addresses, all works well, and the client just keeps on polling for ever. But as soon as your ISP "sees the light" and gives you both a v4 AND a v6 address, and your v6 rule-set is "accept anyone from anywhere", you might (!) end up in shit-creek. <<<<<< find your system compromised. Unless you have your ip6tables rule set changed to default drop-anything, which implies that one has started to think/do something with IPv6, which was the main issue I made.
I was considering that most consumer/commodity ADSL boxes do not yet support IPv6, so the provider can advertise IPv6 as much as he wants, it won't cause a problem. That was what happened on my system. Anyway, what are the default SuSEfirewall settings for IPv6? /Per -- Per Jessen, Zürich (12.2°C)
Oh, btw, it also solves the problem of having multiple apache ssl-vhosts. I was just reading an article about that in the most recent c't (#23 - "SSL fuer virtuelle Server"). It mentions something called "TLS Server Name Indication" - seems like Apache has had support since 2.2.12.
Yep, this is a really nice under-reported feature. http://www.linux-mag.com/cache/7480/1.html -- OpenGroupware developer: awilliam@whitemice.org http://whitemiceconsulting.blogspot.com/ OpenGroupware & Cyrus IMAPd documentation @ http://docs.opengroupware.org/Members/whitemice/wmogag/file_view
On Saturday, 2009-10-24 at 14:30 -0400, Adam Tauno Williams wrote:
IPv6 is *NOT* a "new technology". Not even close. XP supported IPv6, Vista did [by default!], and now there is Windows 7. So even on M$ it is *THREE* OS revs old. It has been supported in LINUX since 2.4! It has been supported in Cisco IOS since late 11.x. How long does something have to be around before it isn't "new" anymore? Calling someone who implements IPv6 *now* as cutting or leading edge is ridiculous.
Support is not complete. See this warning in the susefirewall config file - it's just an example, there are more:
# Note2: the iptables recent module may not be available for ipv6. To
# avoid an error message use 0.0.0.0/0 instead of 0/0. This will
# install the rule for ipv4 only.
-- Cheers, Carlos E. R.
On Sun, 2009-10-25 at 17:41 +0100, Per Jessen wrote:
Hans Witvliet wrote:
On Sun, 2009-10-25 at 14:23 +0100, Per Jessen wrote:
Is that a _real_ issue to worry about, Hans? If a customer is IPv4-only, and his provider decides to offer IPv6 too without telling the customer, I don't see that changing anything for the customer. [snip] I think so. Systems can have their DHCP set-up in different ways: IPv4-only, IPv6-only and both IPv4 AND IPv6. As long as your provider only hands out v4 addresses, all works well, and the client just keeps on polling for ever. But as soon as your ISP "sees the light" and gives you both a v4 AND a v6 address, and your v6 rule-set is "accept anyone from anywhere", you might (!) end up in shit-creek. <<<<<< find your system compromised. Unless you have your ip6tables rule set changed to default drop-anything, which implies that one has started to think/do something with IPv6, which was the main issue I made. I was considering that most consumer/commodity ADSL boxes do not yet support IPv6, so the provider can advertise IPv6 as much as he wants, it won't cause a problem. That was what happened on my system.
Ok, but most organizations of any size are probably not connected to the Internet via a commodity ADSL router. Every single organization I visit has either a Cisco or 3com device. But leaking through a traditional firewall sandwich would be hard; from a security perspective I'm far more concerned about avoiding a crunchy-on-the-outside-chewy-on-the-inside situation [which is what an over-reliance on perimeter defenses results in]. If you don't deal with IPv6 you can easily end up running a parallel essentially stealth network inside your organization.
Anyway, what are the default SuSEfirewall settings for IPv6?
Glancing at my laptop it looks like it drops everything but ICMP; but I haven't looked at a truly fresh install to see if that is the same. -- openSUSE http://www.opensuse.org/en/ Linux for human beings who need to get things done.
Adam Tauno Williams wrote:
On Sun, 2009-10-25 at 17:41 +0100, Per Jessen wrote:
Hans Witvliet wrote:
On Sun, 2009-10-25 at 14:23 +0100, Per Jessen wrote:
Is that a _real_ issue to worry about, Hans? If a customer is IPv4-only, and his provider decides to offer IPv6 too without telling the customer, I don't see that changing anything for the customer. [snip]
I think so. Systems can have their DHCP set-up in different ways: IPv4-only, IPv6-only and both IPv4 AND IPv6. As long as your provider only hands out v4 addresses, all works well, and the client just keeps on polling for ever. But as soon as your ISP "sees the light" and gives you both a v4 AND a v6 address, and your v6 rule-set is "accept anyone from anywhere", you might (!) end up in shit-creek. <<<<<< find your system compromised. Unless you have your ip6tables rule set changed to default drop-anything, which implies that one has started to think/do something with IPv6, which was the main issue I made.
I was considering that most consumer/commodity ADSL boxes do not yet support IPv6, so the provider can advertise IPv6 as much as he wants, it won't cause a problem. That was what happened on my system.
Ok, but most organizations of any size are probably not connected to the Internet via a commodity ADSL router.
Most businesses are small - 98% of businesses have fewer than 20 employees, and most probably little or no IT staff. I am pretty certain the vast majority of those will have Zyxel and D-Link ADSL boxes. /Per -- Per Jessen, Zürich (12.1°C)
I use it 8 hours a day, five days a week. Works fine.
It has been supported in Cisco IOS since late 11.x. How long does something have to be around before it isn't "new" anymore? Calling someone who implements IPv6 *now* as cutting or leading edge is ridiculous. No it isn't. Get real, Adam. The support is not out there. Most providers are only just now beginning to dabble with it. What does provider support have to do with deploying IPv6 on your network? There is zero reason to wait for your provider - in fact, that is a bad idea. When your provider shows up with IPv6 support you won't be ready to exploit it. I think someone is living in cloud cuckoo land here.
I think you are confusing the issues of organizational [or disorganizational] behavior with arguments concerning the viability and benefits of a technology. Because your organization cannot or does not have a strategic approach to technology has nothing to do with IPv6.
You may be lucky in that someone is prepared to resource your requirements,
As I already explained: we added IPv6 readiness to our refresh cycle and over the course of 2 years deployed IPv6. Doing so didn't require 'resourcing' much of anything.
and maybe that infrastructure was built from scratch.
Hardly.
Older infrastructures may have all sorts of weird and wonderful kludges which support different things which may or may not be critical to business function, and which may or may not be properly and accurately documented.
WHICH HAS NOTHING TO DO WITH IPv6. Your argument against IPv6 is that your network is so full of kludges and hacks that it would be next to impossible. Hmmmm...
Many of those who run these have to struggle to get the resources to support the network infrastructure that they have already got,
Which has nothing to do with IPv6 or if beginning deployment is a good idea. Because your organization is resource starved doesn't count against it as a wise policy.
let alone create the network infrastructure they would like to have, and in the current economic environment this is not likely to get any better. IT departments are often very low in the organisational pecking order or frequently very unpopular in the organisation if they
"Very often", I don't know. Sometimes they are. Sometimes they aren't. That has nothing to do with sound policy about IPv6 deployment.
The comments are very idealistic,
That IPv6 is coming is not idealistic. That it is better to gradually phase in support rather than rushing when you need to is not idealistic. That IPv6 provides some real improvements over IPv4 is not idealistic. That lacking an IPv6 implementation creates potential security issues is not idealistic.
and not really based on the practicalities of the bigger picture.
Ah, "the bigger picture" - now I understand. Of course, how could I be so naive.
It would be nice to have a magic wand to make everything better, but these are in short supply.
Right - a gradual deployment over two years is a wave of a magic wand.
I think anyone designing a new (or a fundamental update of a) commercial network infrastructure around IPv4 is probably not entirely sane, but the growth of IPv6 is mainly going to be determined by the rate of update of physical infrastructure. This process is not going to be fast.
With your approach and deep understanding of "the bigger picture" it will be worse than not fast. At least where you are. Weather is great over here.
On the other hand there are few (if any) benefits for IPv6 deployment on home networks, and it is surprising how much home kit is state of the Ark.
Home networks don't have any policy or deployment of anything at all. That is clearly NOT what we are discussing.
On Sunday, 2009-10-25 at 12:55 -0400, Adam Tauno Williams wrote:
I was considering that most consumer/commodity ADSL boxes do not yet support IPV6, so the provider can advertise IPV6 as much as he wants, it won't cause a problem. That was what happened on my system.
Ok, but most organizations of any size are probably not connected to the Internet via a commodity ADSL router. Every single organization I visit has either a Cisco or 3com device.
And those I visit have a plain ADSL router, supplied by the ISP. Some have a better router (Cisco, some of those), switch, proxy, etc, behind the adsl router. Some may have more than one ADSL connection. It depends on the country, the organizations you work with or meet, etc... -- Cheers, Carlos E. R.
Adam Tauno Williams wrote:
That is the purpose of a firewall.
Speaking of which...how do existing ipv4 firewalls interact with IPV6? Many of the ipv6 solutions I see use some form of ipv4 encapsulation to get across "ipv6-dead zones". So isn't that an open path into your network if your firewall is ipv4 only? Or are all firewalls easily upgraded to ipv6?... I'm a bit unclear on this -- seems like opening ipv6 inside my ipv4 network is a potentially large and "unmonitorable" security hole, since I can't even see the address at the firewall. Even WinSP3 when it comes up appears to try to connect to MS ipv6 registration services through my existing ipv4 http proxy!... I shut that down, not knowing exactly what it was doing, but not feeling comfortable, just the same. This would appear to require buying all new (read, '*expensive*, if it includes IPV6, because it is not 'required' nor the 'norm' -- most likely) firewall hardware. Has anyone had any experience in this area? -linda
Linda Walsh wrote:
Adam Tauno Williams wrote:
That is the purpose of a firewall.
Speaking of which...how do existing ipv4 firewalls interact with IPV6?
Most probably they don't. For instance, iptables deals only with IPv4, ip6tables with IPv6.
Many of the ipv6 solutions I see use some form of ipv4 encapsulation to get across "ipv6-dead zones".
So isn't that an open path into your network if your firewall is ipv4 only? Or are all firewalls easily upgraded to ipv6?...
If you're connected to IPv6 and your firewall doesn't set up any rules for IPv6, then yes, you're wide open. /Per -- Per Jessen, Zürich (12.1°C)
That is the purpose of a firewall. Speaking of which...how do existing ipv4 firewalls interact with IPV6? Most probably they don't. For instance, iptables deals only with IPv4, ip6tables with IPv6.
Yep.
Many of the ipv6 solutions I see use some form of ipv4 encapsulation to get across "ipv6-dead zones".
This is true, and can be 'interesting'.
So isn't that an open path into your network if your firewall is ipv4 only? Or are all firewalls easily upgraded to ipv6?... If you're connected to IPv6 and your firewall doesn't set up any rules for IPv6, then yes, you're wide open.
That is the safest assumption. The biggest concern here is that most organizations filter outgoing traffic to some extent, block some traffic, etc... In many cases an internal IPv6 host can end up with full Internet access via encapsulation as many times this isn't something IPv4 firewalls have been set up to deal with. Inbound firewall rules are usually deny-everything-except-what-I-expect, outbound rules are often much more confusing (of course, if your outbound rule is allow-everything then IPv6 access is a given anyway). -- openSUSE http://www.opensuse.org/en/ Linux for human beings who need to get things done.
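The encapsulation concern raised above has a concrete answer on a Linux IPv4 firewall: the common IPv6-over-IPv4 tunnels are recognisable on the IPv4 side (6in4, 6to4 and ISATAP all ride on IP protocol 41; Teredo qualifies against a server on UDP port 3544), so an IPv4-only box can at least log and stop them instead of forwarding them blindly. The script below is an added example, not code from the thread or from any of its participants; it only prints an iptables-restore ruleset and does not touch the running kernel. The chain name V6TUNNEL and the log prefix are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: emit IPv4 firewall rules (iptables-restore
# syntax) that log and drop IPv6-over-IPv4 encapsulation, so an IPv4-only
# firewall neither silently forwards a LAN host's tunnel nor builds one itself.
# Nothing here touches the running kernel; the script only prints a ruleset.
#
# Encapsulations covered:
#   6in4 / 6to4 / ISATAP : IPv4 protocol number 41 (IPv6 payload directly in IPv4)
#   Teredo               : UDP to/from the Teredo server port 3544 (RFC 4380)

# One chain shared by every match: log (rate-limited, so a flood of tunnel
# packets cannot fill syslog) and then drop. Chain name is this example's choice.
v6tunnel_chain() {
    cat <<'EOF'
:V6TUNNEL - [0:0]
-A V6TUNNEL -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "v6tunnel: "
-A V6TUNNEL -j DROP
EOF
}

# Rules that steer encapsulated IPv6 into V6TUNNEL for the given built-in chain.
# Applied to FORWARD (traffic from LAN hosts) and OUTPUT (the firewall's own traffic).
v6tunnel_rules() {
    chain="$1"
    printf '%s\n' "-A $chain -p 41 -j V6TUNNEL"
    printf '%s\n' "-A $chain -p udp --dport 3544 -j V6TUNNEL"
    printf '%s\n' "-A $chain -p udp --sport 3544 -j V6TUNNEL"
}

# Complete *filter fragment. Load it alongside existing rules with:
#   block_v6_tunnels_ruleset | iptables-restore --noflush
block_v6_tunnels_ruleset() {
    printf '%s\n' '*filter'
    v6tunnel_chain
    v6tunnel_rules FORWARD
    v6tunnel_rules OUTPUT
    printf '%s\n' 'COMMIT'
}

# Sanity check usable without root: how many rules divert into V6TUNNEL.
count_v6tunnel_rules() {
    block_v6_tunnels_ruleset | grep -c 'j V6TUNNEL'
}

block_v6_tunnels_ruleset
```

The LOG rule is the part that addresses the "unmonitorable" worry: once protocol-41 and Teredo traffic shows up in syslog you know which internal hosts are trying to tunnel. The Teredo rules catch the client's exchange with its server, which Teredo needs before it can assign an address; they are not a substitute for an IPv6-aware firewall once you deploy IPv6 on purpose.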
Linda Walsh wrote:
Adam Tauno Williams wrote:
That is the purpose of a firewall.
Speaking of which...how do existing ipv4 firewalls interact with IPV6?
Many of the ipv6 solutions I see use some form of ipv4 encapsulation to get across "ipv6-dead zones".
So isn't that an open path into your network if your firewall is ipv4 only? Or are all firewalls easily upgraded to ipv6?...
I'm a bit unclear on this -- seems like opening ipv6 inside my ipv4 network is a potentially large and "unmonitorable" security hole, since I can't even see the address at the firewall.
Even WinSP3 when it comes up appears to try to connect to MS ipv6 registration services through my existing ipv4 http proxy!... I shut that down, not knowing exactly what it was doing, but not feeling comfortable, just the same.
This would appear to require buying all new (read, '*expensive*, if it includes IPV6, because it is not 'required' nor the 'norm' -- most likely) firewall hardware. Has anyone had any experience in this area?
-linda
While I haven't used OpenSUSE's firewall with IPv6, virtual NICs, such as VPN or tunnel endpoints, can be seen as just another NIC that the firewall works with.
On Mon, 2009-10-26 at 07:40 -0400, James Knott wrote:
While I haven't used OpenSUSE's firewall with IPv6, virtual NICs, such as VPN or tunnel endpoints can be seen as just another NIC that the firewall works with.
Absolutely; but with the added caveat that they can be created and destroyed on the fly. In practice that can add a bit of complexity. -- OpenGroupware developer: awilliam@whitemice.org http://whitemiceconsulting.blogspot.com/ OpenGroupware & Cyrus IMAPd documentation @ http://docs.opengroupware.org/Members/whitemice/wmogag/file_view
On Sun, 2009-10-25 at 20:44 -0700, Linda Walsh wrote:
So isn't that an open path into your network if your firewall is ipv4 only? Or are all firewalls easily upgraded to ipv6?...
I'm a bit unclear on this -- seems like opening ipv6 inside my ipv4 network is a potentially large and "unmonitorable" security hole, since I can't even see the address at the firewall.
Yes, this is exactly what I found on a local forum. A Dutch cable-provider started to provide v6 besides v4, and people unexpectedly found that their M$ machines suddenly had a public IPv6 address. Scary, not? Mostly because they were in the very false assumption that their machines had an (unroutable) rfc1918 address, and a firewall dealing with ipv4.
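The surprise described above (hosts that were assumed to sit behind RFC 1918 addresses quietly holding a public IPv6 address) is easy to check for from the host itself: classify every address the kernel has configured and list the globally routable ones. The script below is an added example, not code from the thread or from any participant. It reads the text of `ip -6 addr show`; the sample output embedded in it is constructed for the example, and the function names (`classify_v6`, `scan_public_v6`) are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: classify the IPv6 addresses a host holds
# and list the ones that are globally routable, so you notice when a machine you
# believed to be "behind NAT" has quietly picked up a public address.
# The input is the text of `ip -6 addr show`; a constructed sample is embedded
# below so the script runs offline. On a real host pipe the live output in:
#   ip -6 addr show | scan_public_v6

# Map one address to its kind by prefix. ip(8) prints addresses lowercased and
# compressed, and every kind matched here starts with a full 4-digit hextet.
classify_v6() {
    addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$addr" in
        ::1)                          echo loopback ;;
        fe8?:*|fe9?:*|fea?:*|feb?:*)  echo link-local ;;     # fe80::/10
        fc??:*|fd??:*)                echo unique-local ;;   # fc00::/7 (RFC 4193)
        2002:*)                       echo global-6to4 ;;    # 2002::/16, IPv6 over IPv4
        2001:0:*)                     echo global-teredo ;;  # 2001::/32, IPv6 over UDP/IPv4
        2???:*|3???:*)                echo global ;;         # 2000::/3
        *)                            echo other ;;
    esac
}

# Read `ip -6 addr show` text on stdin, print "iface address kind" for every
# globally routable address (the ones reachable from the Internet).
scan_public_v6() {
    awk '/^[0-9]+: / { iface = $2; sub(/:$/, "", iface) }
         $1 == "inet6" { split($2, a, "/"); print iface, a[1] }' |
    while read -r iface addr; do
        kind=$(classify_v6 "$addr")
        case "$kind" in
            global*) printf '%s %s %s\n' "$iface" "$addr" "$kind" ;;
        esac
    done
}

# Constructed sample (not captured from a real machine): loopback, a SLAAC
# global address, a unique-local address, and the link-local address.
SAMPLE_IP6_OUTPUT='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1234:1:21c:c0ff:fe4f:1a2b/64 scope global dynamic
       valid_lft 86395sec preferred_lft 14395sec
    inet6 fdb5:1:2:3::10/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::21c:c0ff:fe4f:1a2b/64 scope link
       valid_lft forever preferred_lft forever'

# Number of public addresses in the sample, for a quick check without root.
count_sample_public() {
    printf '%s\n' "$SAMPLE_IP6_OUTPUT" | scan_public_v6 | grep -c ''
}

printf '%s\n' "$SAMPLE_IP6_OUTPUT" | scan_public_v6
```

Note that the unique-local fdb5: address is reported by ip(8) with "scope global" even though it is not routed on the Internet, which is why the check classifies by prefix rather than trusting the scope column. Anything the scan reports as global, global-6to4 or global-teredo is reachable from outside unless an IPv6-aware firewall says otherwise.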
Adam Tauno Williams wrote:
I use it 8 hours a day, five days a week. Works fine.
It has been supported in Cisco IOS since late 11.x. How long does something have to be around before it isn't "new" anymore? Calling someone who implements IPv6 *now* as cutting or leading edge is ridiculous.
No it isn't. Get real, Adam. The support is not out there. Most providers are only just now beginning to dabble with it.
What does provider support have to do with deploying IPv6 on your network? There is zero reason to wait for your provider - in fact, that is a bad idea. When your provider shows up with IPv6 support you won't be ready to exploit it.
I think someone is living in cloud cuckoo land here.
<snipped>
Ah, "the bigger picture" - now I understand. Of course, how could I be so naive.
It would be nice to have a magic wand to make everything better, but these are in short supply.
Right - a gradual deployment over two years is a wave of a magic wand.
I think anyone designing a new (or a fundamental update of a) commercial network infrastructure around IPv4 is probably not entirely sane, but the growth of IPv6 is mainly going to be determined by the rate of update of physical infrastructure. This process is not going to be fast.
With your approach and deep understanding of "the bigger picture" it will be worse than not fast. At least where you are. Weather is great over here.
On the other hand there are few (if any) benefits for IPv6 deployment on home networks, and it is surprising how much home kit is state of the Ark.
Home networks don't have any policy or deployment of anything at all. That is clearly NOT what we are discussing.
*sigh* IPv6 has been around for nearly 20 years, but still has yet to make a really significant impact, and the really important question is why? Which is not quite the same as being hostile to adoption of the technology. Unfortunately, going around like chicken little saying the sky is going to fall is not going to help adoption much (especially after the W2K event which left some organisations wondering where all the millennium bug monies spent on consultation really went :-) and as AFAIK no government has given the address space issues and IPv6 the W2K treatment).
I first came across IPv6 in the early 1990s when the UK academic network was involved in complex and fierce debate on whether it should even allow IPv4 and TCP/IP to co-exist on that network with the protocols which were then in use on it (which were considered by some to be superior in terms of security, speed and stability to TCP/IP at that time and if IIRC did not have IPv4s address space issues, and I think existence of IPv6 was used to counter the latter point). As it is, DARPA have commissioned research on the development of a new protocol to replace TCP/IP on the US defence network. (Who knows where that will lead, especially as M$ are one of the contractors...).
I.T. usually exists in business to support the business function, and outside of the I.T. industry the business function is not I.T. For most I.T. support and technology is perceived as a cost centre, and everyone knows what happens to cost centres in bad financial times.
Unfortunately in the current economic climate, going up to the bean counters and the decision makers with the argument that IPv4 to IPv6 transition will not take additional resources is more likely to be taken as an indicator that one's department has resources to spare (with an easily predictable result), and asking for additional resources is more likely to indicate to the people involved that one is out of touch with reality (with predictable results about one's perceived credibility). -- I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone. Bjarne Stroustrup
OK, I've been watching this thread with great interest, and I still don't understand well enough to know the answer: Matthias Bach wrote:
Hi!
On Friday 23 October 2009 11:28:38, Per Jessen wrote:
G T Smith wrote:
The wiki article below seems to suggest that implementing a form of NAT for IPv6 is under discussion by the IETF...
http://en.wikipedia.org/wiki/IPv6
Also suggests the implementation is not exactly consistent (or as simple as intended)... NAT seems completely superfluous when the networks are dished out as /64.
Well, the practicality of NAT is that it allows you to bridge other networks to the internet, which themselves ain't part of it. This might be interesting if you want to hide your own network structure, especially if you may only use your uplink for one computer or if your own network is a playground and you don't want to interfere with the rest, but maybe need some limited connectivity to it.
With all the detailed discussion between the Big Guys and their concerns, I still haven't been able to understand whether or how ipv6 handles my situation: My home network is based on a wifi/router/firewall. I buy one line from Cox. As I understand it, more IP addresses would cost correspondingly more; I know this was true for my previous IP. So it's very convenient for me to buy one address, connect my Netgear to it, and use dhcp for the half-dozen devices I have in my home. Since 198.162.x.x addresses cannot pass through a router, my network is private, and the firewall, set up to ignore all attempts at external access, makes me invisible to the Internet unless one of my computers initiates a transaction. How does ipv6 handle this? John Perry
John E. Perry wrote:
My home network is based on a wifi/router/firewall. I buy one line from Cox. As I understand it, more IP addresses would cost correspondingly more; I know this was true for my previous IP.
That has usually been the case with IPv4 where IP-addresses were a limited resource.
So it's very convenient for me to buy one address, connect my Netgear to it, and use dhcp for the half-dozen devices I have in my home. Since 198.162.x.x addresses cannot pass through a router, my network is private, and the firewall, set up to ignore all attempts at external access, makes me invisible to the Internet unless one of my computers initiates a transaction.
How does ipv6 handle this?
I don't know how this looks from the ISP side, but I read somewhere, probably wikipedia, that the recommendation is for the ISP to dish out a /64 network when someone asks for a static address. That is 18446744073709551616 addresses. You give one to each of your boxes that need external access, and configure your firewall to only accept inbound traffic for your open services. /Per -- Per Jessen, Zürich (6.6°C)
John E. Perry wrote:
OK, I've been watching this thread with great interest, and I still don't understand well enough to know the answer:
Matthias Bach wrote:
Hi!
On Friday 23 October 2009 11:28:38, Per Jessen wrote:
G T Smith wrote:
The wiki article below seems to suggest that implementing a form of NAT for IPv6 is under discussion by the IETF...
http://en.wikipedia.org/wiki/IPv6
Also suggests the implementation is not exactly consistent (or as simple as intended)...
NAT seems completely superfluous when the networks are dished out as /64.
Well, the practicality of NAT is that it allows you to bridge other networks to the internet, which themselves ain't part of it. This might be interesting if you want to hide your own network structure, especially if you may only use your uplink for one computer or if your own network is a playground and you don't want to interfere with the rest, but maybe need some limited connectivity to it.
With all the detailed discussion between the Big Guys and their concerns, I still haven't been able to understand whether or how ipv6 handles my situation:
My home network is based on a wifi/router/firewall. I buy one line from Cox. As I understand it, more IP addresses would cost correspondingly more; I know this was true for my previous IP.
According to the spec, the ISP is supposed to give you a huge block of addresses (/64?), so you won't have to pay more.
So it's very convenient for me to buy one address, connect my Netgear to it, and use dhcp for the half-dozen devices I have in my home. Since 198.162.x.x addresses cannot pass through a router, my network is private, and the firewall, set up to ignore all attempts at external access, makes me invisible to the Internet unless one of my computers initiates a transaction.
How does ipv6 handle this?
IPv6 includes local network ranges that are not passed over the internet. One range can be routed internally and another cannot. Either of those can be used, according to your needs. You also do not need a DHCP server as your addresses (yes, you can have more than one) are based on your MAC address.
James Knott wrote:
John E. Perry wrote:
OK, I've been watching this thread with great interest, and I still don't understand well enough to know the answer:
Thank you, James; you seem to be the only one who understood my question...
My home network is based on a wifi/router/firewall. I buy one line from Cox. As I understand it, more IP addresses would cost correspondingly more; I know this was true for my previous IP.
According to the spec, the ISP is supposed to give you a huge block of addresses (/64?), so you won't have to pay more.
This was the first point of my question: I don't want to have to buy half a dozen addresses. (BTW, I just saw my error below -- I of course meant 192.168.x.x).
So it's very convenient for me to buy one address, connect my Netgear to it, and use dhcp for the half-dozen devices I have in my home. Since 198.162.x.x addresses cannot pass through a router, my network is private, and the firewall, set up to ignore all attempts at external access, makes me invisible to the Internet unless one of my computers initiates a transaction.
How does ipv6 handle this?
IPv6 includes local network ranges that are not passed over the internet. One range can be routed internally and another cannot. Either of those can be used, according to your needs. You also do not need a DHCP server as your addresses (yes, you can have more than one) are based on your MAC address.
And this took care of the second point. I do not, and do not intend to, implement a public server of any kind, or manage my network remotely, or do anything else that might require me to open any of my network to externally initiated transactions. So, I have no reason, apparently, not to go ipv6 except that my wireless router (Netgear WPN824v2) doesn't support it. If I ever want to change it out, I won't have to ignore ipv6 offerings, then. jp
On Thu, 2009-10-29 at 10:48 -0400, John E. Perry wrote:
James Knott wrote:
John E. Perry wrote:
OK, I've been watching this thread with great interest, and I still don't understand well enough to know the answer: Thank you, James; you seem to be the only one who understood my question... My home network is based on a wifi/router/firewall. I buy one line from Cox. As I understand it, more IP addresses would cost correspondingly more; I know this was true for my previous IP. According to the spec, the ISP is supposed to give you a huge block of addresses (/64?), so you won't have to pay more. This was the first point of my question: I don't want to have to buy half a dozen addresses. (BTW, I just saw my error below -- I of course meant 192.168.x.x).
Knott is correct. And I guess we assume that ISPs are going to follow the spec. Once your router knows its /64 then it announces that via ICMPv6 and any hosts on the network should auto-configure themselves into that IPv6 subnet. They should automatically be completely addressable Internet nodes, it really is an awesome improvement over IPv4. There isn't any reason for ISPs to be stingy as an ISP should get a [or multiple] /48 giving them each 2^16 /64 subnets for customers. And there are (2^32)-1 /48s inside just 2002::/16 [off the cuff calculation].
So it's very convenient for me to buy one address, connect my Netgear to it, and use dhcp for the half-dozen devices I have in my home. Since 198.162.x.x addresses cannot pass through a router, my network is private, and the firewall, set up to ignore all attempts at external access, makes me invisible to the Internet unless one of my computers initiates a transaction. How does ipv6 handle this? IPv6 includes local network ranges that are not passed over the internet. One range can be routed internally and another cannot. Either of those can be used, according to your needs. You also do not need a DHCP server as your addresses (yes, you can have more than one) are based on your MAC address.
IPv6 interfaces naturally support multiple addresses, unlike IPv4 where you have stupidity like alias interfaces eth0:1, eth0:2, etc... For example an IPv6 interface here has an fe80: (link local), an fdb5:: (internal), and a public address.
And this took care of the second point. I do not, and do not intend to, implement a public server of any kind, or manage my network remotely, or do anything else that might require me to open any of my network to externally initiated transactions.
Just set your IPv6 enabled firewall to block all incoming connections.
So, I have no reason, apparently, not to go ipv6 except that my wireless router (Netgear WPN824v2) doesn't support it. If I ever want to change it out, I won't have to ignore ipv6 offerings, then.
A WAP that knows nothing about IPv6 should still be able to handle IPv6 traffic, it is just a magical bridge after all.
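"Set your IPv6 enabled firewall to block all incoming connections" is the right advice, with one caveat that bites people coming from IPv4: IPv6 cannot work if ICMPv6 is blocked wholesale, because router advertisements, neighbour discovery and path MTU discovery all travel over it (the router advertisement mentioned above is ICMPv6 type 134). The script below is an added example, not code from the thread or from openSUSE's firewall; it prints an ip6tables-restore ruleset for a Linux box acting as the IPv6 border of a small network and does not modify the kernel. The LAN interface name (`LAN_IF`, default `eth1`) and the log prefixes are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: an ip6tables ruleset (ip6tables-restore
# syntax) for a Linux box that is the IPv6 border of a small network: drop all
# unsolicited inbound traffic, but keep the ICMPv6 that IPv6 cannot work without.
# Blocking ICMPv6 wholesale, as people used to blocking ping on IPv4 tend to do,
# breaks neighbour discovery, router advertisements and path MTU discovery.
# Assumption: the LAN-side interface is $LAN_IF, default eth1.

LAN_IF="${LAN_IF:-eth1}"

# ICMPv6 types a host must accept even under a default-deny policy:
#   1 destination unreachable, 2 packet too big (PMTUD), 3 time exceeded,
#   4 parameter problem, 128 echo request, 134 router advertisement,
#   135 neighbour solicitation, 136 neighbour advertisement.
REQUIRED_ICMPV6_TYPES="1 2 3 4 128 134 135 136"

ip6_border_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    for t in $REQUIRED_ICMPV6_TYPES; do
        printf '%s\n' "-A INPUT -p icmpv6 --icmpv6-type $t -j ACCEPT"
    done
    cat <<EOF
-A INPUT -p udp --dport 546 -s fe80::/10 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6 in drop: "
-A FORWARD -i $LAN_IF -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ip6 fwd drop: "
COMMIT
EOF
}

# Checks an operator can run before loading the ruleset (no root needed):
# both inbound chains default to DROP ...
ruleset_has_default_deny() {
    ip6_border_ruleset | grep -q '^:INPUT DROP' &&
    ip6_border_ruleset | grep -q '^:FORWARD DROP'
}

# ... and every ICMPv6 type IPv6 depends on still has an ACCEPT rule in INPUT.
ruleset_keeps_icmpv6() {
    rules=$(ip6_border_ruleset)
    for t in $REQUIRED_ICMPV6_TYPES; do
        printf '%s\n' "$rules" | grep -q -- "--icmpv6-type $t -j ACCEPT" || return 1
    done
    return 0
}

ip6_border_ruleset
```

Load it with `ip6_border_ruleset | ip6tables-restore` once the two checks pass. The DHCPv6 rule (UDP 546 from link-local sources) only matters if the LAN uses DHCPv6 as well as router advertisements; the forwarded "packet too big" (type 2) rule is what keeps path MTU discovery working for LAN hosts, since IPv6 routers never fragment on a host's behalf. Stateful return traffic for the LAN comes back through the ESTABLISHED,RELATED rule in FORWARD, so nothing unsolicited from the Internet reaches the LAN.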
Adam Tauno Williams wrote:
A WAP that knows nothing about IPv6 should still be able to handle IPv6 traffic, it is just a magical bridge after all.
It'll bridge IPv6 to your local network, but not route it to the internet.
Adam Tauno Williams wrote:
IPv6 interfaces naturally support multiple addresses, unlike IPv4 where you have stupidity like alias interfaces eth0:1, eth0:2, etc...
Uh, FYI, that's not necessary for IPv4 either. One interface can easily have multiple addresses without extra names. Just add them with "ip addr add ..." /Per -- Per Jessen, Zürich (10.2°C)
participants (13)
- Adam Tauno Williams
- Carlos E. R.
- Chris Hills
- G T Smith
- Hans Witvliet
- James Knott
- John E. Perry
- Ken Schneider - openSUSE
- Linda Walsh
- Matthias Bach
- ne...
- Per Jessen
- Philip Dowie