How can I tell if ipv6 is running in 10.1 and how can I turn it off if it is? TIA Paul
On Wednesday 24 May 2006 20:00, Paul Kaplan wrote:
How can I tell if ipv6 is running in 10.1 and how can I turn it off if it is? TIA Paul
Hi Paul,

I'm running 10.1 and IPv6 appears to be enabled by default. At least it shows up when I run 'ifconfig -a' as root. Several SLE members contributed to the solution, below, including Joachim Schrod, Darryl Gregorash and Michael James (gotta give credit where it's due... this one *works*!)

in /etc/sysconfig/SuSEfirewall2:
FW_IPv6="no"
FW_IPv6_REJECT_OUTGOING=""

in /etc/sysconfig/windowmanager:
KDE_USE_IPV6="no"

Add the following lines to /etc/modprobe.conf.local:
# We don't need and don't want no stinkin' IPv6
install sit0 /bin/true
install ipv6 /bin/true
install net-pf-10 /bin/true

hth & regards,
Carl
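As an added check (my own example, not code from the thread), the following script reads /proc/net/if_inet6, the kernel table behind the inet6 lines that 'ifconfig -a' prints, classifies each address by scope so you can tell a link-local-only default from a routable setup, and appends the modprobe.conf.local lines above only if they are not already there. The sample table, the path argument and the function names are assumptions made for the demonstration.

```python
"""Inspect IPv6 state via /proc/net/if_inet6 and apply the thread's modprobe lines."""
import ipaddress

# Constructed sample in /proc/net/if_inet6 format:
#   <128-bit address as 32 hex digits> <ifindex> <prefixlen> <scope> <flags> <ifname>
# It models a default install: loopback, a link-local address on eth0, plus
# one global address so the classification has something to distinguish.
SAMPLE_IF_INET6 = """\
00000000000000000000000000000001 01 80 10 80       lo
fe80000000000000021122fffe334455 02 40 20 80      eth0
20010db8000000000000000000000001 02 40 00 80      eth0
"""

# Kernel scope byte -> name (IPV6_ADDR_* scope values from linux/in6.h).
SCOPE_NAMES = {0x00: "global", 0x10: "host", 0x20: "link", 0x40: "site"}

# The modprobe.conf.local lines quoted in the thread, written verbatim.
MODPROBE_LINES = [
    "# We don't need and don't want no stinkin' IPv6",
    "install sit0 /bin/true",
    "install ipv6 /bin/true",
    "install net-pf-10 /bin/true",
]


def parse_if_inet6(text):
    """Return a list of (ifname, address, prefixlen, scope) from if_inet6 text."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # blank or malformed line
        raw, _ifindex, prefixlen, scope, _flags, ifname = parts
        groups = ":".join(raw[i:i + 4] for i in range(0, 32, 4))
        addr = ipaddress.IPv6Address(groups).compressed
        entries.append((ifname, addr, int(prefixlen, 16),
                        SCOPE_NAMES.get(int(scope, 16), "unknown")))
    return entries


def ipv6_active(entries):
    """True if any interface other than loopback carries an IPv6 address."""
    return any(ifname != "lo" for ifname, _a, _p, _s in entries)


def ipv6_routable(entries):
    """True if something beyond the link-local default is configured."""
    return any(scope in ("global", "site") for _i, _a, _p, scope in entries)


def disable_ipv6_modprobe(path):
    """Append MODPROBE_LINES to `path` unless already present; True if written."""
    try:
        with open(path) as fh:
            existing = fh.read().splitlines()
    except FileNotFoundError:
        existing = []
    if "install ipv6 /bin/true" in existing:
        return False
    with open(path, "a") as fh:
        for line in MODPROBE_LINES:
            fh.write(line + "\n")
    return True


def report(text):
    """Human-readable summary of the parsed table."""
    entries = parse_if_inet6(text)
    lines = ["%s: %s/%d scope %s" % e for e in entries]
    lines.append("ipv6 active: %s, routable: %s"
                 % (ipv6_active(entries), ipv6_routable(entries)))
    return "\n".join(lines)


if __name__ == "__main__":
    # On a live system: report(open("/proc/net/if_inet6").read())
    print(report(SAMPLE_IF_INET6))
```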
On Wednesday 24 May 2006 20:40, Carl Hartung wrote:
On Wednesday 24 May 2006 20:00, Paul Kaplan wrote:
How can I tell if ipv6 is running in 10.1 and how can I turn it off if it is? TIA Paul
Hi Paul,
I'm running 10.1 and IPv6 appears to be enabled by default. At least it shows up when I run 'ifconfig -a' as root. Several SLE members contributed to the solution, below, including Joachim Schrod, Darryl Gregorash and Michael James (gotta give credit where it's due... this one *works*!)
in /etc/sysconfig/SuSEfirewall2:
FW_IPv6="no"
FW_IPv6_REJECT_OUTGOING=""
in /etc/sysconfig/windowmanager:
KDE_USE_IPV6="no"
Add the following lines to /etc/modprobe.conf.local:
# We don't need and don't want no stinkin' IPv6
install sit0 /bin/true
install ipv6 /bin/true
install net-pf-10 /bin/true
hth & regards,
Carl

Thank you. Now I have my wireless restored!!! Seems that this should be an option in YaST.
Paul
On Wednesday 24 May 2006 21:06, Paul Kaplan wrote:
Thank you. Now I have my wireless restored!!! Seems that this should be an option in YAST. Paul
But a text editor is soooo much faster! ;-)

Glad it worked out, Paul, but your thanks really must go to Joachim, Darryl and Michael. It's an elegant, effective and straightforward solution... that's why I saved it.

regards,
Carl
Glad it worked out, Paul, but your thanks really must go to Joachim, Darryl and Michael. It's an elegant, effective and straightforward solution... that's why I saved it.
regards,
Carl
My thanks to them as well. And that's one reason we all like Linux...customer support is friendly and effective and no credit card charges!
P
On Wednesday 24 May 2006 06:45 pm, Paul Kaplan wrote:
Glad it worked out, Paul, but your thanks really must go to Joachim, Darryl and Michael. It's an elegant, effective and straightforward solution... that's why I saved it.
regards,
Carl
My thanks to them as well. And that's one reason we all like Linux...customer support is friendly and effective and no credit card charges!
I know, the first level support for SUSE rox! :P I imagine it is the same for the Fedora and Mandriva groups too.
-- k
Carl Hartung wrote:
Glad it worked out, Paul, but your thanks really must go to Joachim, Darryl and Michael. It's an elegant, effective and straightforward solution... that's why I saved it.
Carl et al - I'd be interested to know why IPv6 is causing a problem for you? My impression is that SUSE left it in as it shouldn't hurt anyone, and I haven't seen it cause any problems here either. If it's a problem in certain situations, it would seem a better choice not to leave it active by default (given the huge masses of people that use IPv6).

/Per Jessen, Zürich
On Thursday 25 May 2006 03:14, Per Jessen wrote:
Carl Hartung wrote:
Glad it worked out, Paul, but your thanks really must go to Joachim, Darryl and Michael. It's an elegant, effective and straightforward solution... that's why I saved it.
Carl et al - I'd be interested to know why IPv6 is causing a problem for you? My impression is that SUSE left it in as it shouldn't hurt anyone, and I haven't seen it cause any problems here either. If it's a problem in certain situations, it would seem a better choice not to leave it active by default (given the huge masses of people that use IPv6).
/Per Jessen, Zürich

Can't say why it's a problem, but I noticed that the Ubuntu wireless troubleshooting page also suggests disabling IPv6 as a possible solution to connection woes. Seems to be problematic for wireless (possibly older cards), but not wired connections.
Paul
On Thu, 2006-05-25 at 04:49 -0400, Paul Kaplan wrote:
Can't say why it's a problem,
DNS resolution. Some programs try to resolve IPv6 addresses first if they detect IPv6 is in use. So it's not until a lengthy timeout occurs that an IPv4 address resolution attempt is done.

It would be nice to see some SOHO security appliances come with IPv6 name resolution built-in. I've been meaning to get involved with IPCop to nip that issue in the butt.

-- Bryan

P.S. Pre-configuring IPv6 LINK LOCAL addresses by default isn't a bad idea. Unfortunately, too many libraries always assume DNS is available -- including trying IPv6 first.

--
Bryan J. Smith
Professional, technical annoyance
mailto:b.j.smith@ieee.org
http://thebs413.blogspot.com
-----------------------------------------------------------
Americans don't get upset because citizens in some foreign nations can burn the American flag -- Americans get upset because citizens in those same nations can't burn their own
On Thursday 25 May 2006 03:14, Per Jessen wrote:
Carl et al - I'd be interested to know why IPv6 is causing a problem for you?
Hi Per,

It isn't causing any problems for me and I haven't disabled it, either. ;-) I just kept that solution in my archive because I'd seen a few situations like Paul's respond favorably.

Carl
Per Jessen wrote:
Carl Hartung wrote:
Glad it worked out, Paul, but your thanks really must go to Joachim, Darryl and Michael. It's an elegant, effective and straightforward solution... that's why I saved it.
Carl et al - I'd be interested to know why IPv6 is causing a problem for you?
It caused problems in a mixed environment with other systems (Windows, Solaris, and AIX). There, clients tried to access servers via IPv6 even though the server software didn't listen there, waiting for timeouts until the IPv4 connection was tried. Instead of figuring out why that is so, it was easier to discard it altogether. It might work today, as IPv6 support is supposed to be better -- but I don't know, since no trigger occurred to me to revise that decision: I haven't experienced a situation where IPv6 would be an advantage to my current setup.

In addition, I don't want IPv6 on my firewall or on any host in my DMZ. First, for reasons of principle, since on my firewall and on DMZ hosts nothing is installed or activated that is not needed. Second, because iptables and IPv6 don't work as well together (no stateful filtering).

Joachim
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod  Email: jschrod@acm.org
Roedermark, Germany
On 25/05/06 09:12, Joachim Schrod wrote:
Per Jessen wrote:
Carl Hartung wrote:
Glad it worked out, Paul, but your thanks really must go to Joachim, Darryl and Michael. It's an elegant, effective and straightforward solution... that's why I saved it.
Carl et al - I'd be interested to know why IPv6 is causing a problem for you?
It caused problems in a mixed environment with other systems (Windows, Solaris, and AIX). There, clients tried to access servers via IPv6 even though the server software didn't listen there, waiting for timeouts until the IPv4 connection was tried. Instead of figuring out why that is so, it was easier to discard it altogether. It might work today, as IPv6 support is supposed to be better -- but I don't know, since no trigger occurred to me to revise that decision: I haven't experienced a situation where IPv6 would be an advantage to my current setup.
In addition, I don't want IPv6 on my firewall or on any host in my DMZ. First, for reasons of principle, since on my firewall and on DMZ hosts nothing is installed or activated that is not needed. Second, because iptables and IPv6 don't work as well together (no stateful filtering).
There are in fact two different modules for iptables -- iptables itself, which supports only ipv4, and ip6tables, which has the ipv6 support. Ip6tables does not support stateful firewalling, but iptables always does, even if ip6tables is loaded. I have no experience with the wireless problem that was mentioned, but I have in the past experienced the same problem you mentioned with some applications when ipv6 was enabled. The ones I used have now been fixed, but other software may still have the same or similar problem. It is much easier (and less frustrating) just to disable ipv6 if it is not being used.
On Thu, 25 May 2006 05:14 pm, Per Jessen wrote:
I'd be interested to know why IPv6 is causing a problem for you? My impression is that SUSE left it in as it shouldn't hurt anyone,
IPv6 HAS caused me a number of real problems and opens new cans of security worms.

Cost: (of connections arriving unexpectedly on IPv6)

Breaks (rejects legitimate connections):
DNS zone transfer access lists
Apache access lists
postfix allowed client networks
ANY access list based on IP, and probably most based on DNS names.

Allows unwanted connections:
Well who knows until it's too late, how a firewall predicated on IPv4 is coping in an IPv6 world? Sounds to me like building a gate across half the highway.

Benefit: Absolutely nothing! IPv4 ain't broke yet.

Conclusion: "# We don't need and don't want no stinkin' IPv6"!

my take on it,
michaelj
--
Michael James  michael.james@csiro.au
System Administrator  voice: 02 6246 5040
CSIRO Bioinformatics Facility  fax: 02 6246 5166
Changing the internet from IPv4 to IPv6 is like changing the wings of a jumbo in flight!
Michael James wrote:
On Thu, 25 May 2006 05:14 pm, Per Jessen wrote:
I'd be interested to know why IPv6 is causing a problem for you? My impression is that SUSE left it in as it shouldn't hurt anyone,
IPv6 HAS caused me a number of real problems and opens new cans of security worms.
I guess I should have said "default IPv6 support in SUSE". There's probably little doubt that actually implementing IPv6 has all kinds of traps and challenges.

/Per Jessen, Zürich
Michael James wrote:
IPv6 HAS caused me a number of real problems
I haven't run into any. The only one that bites most people in the rear is the UNIX attitude that you have name resolution -- no different than IPv4.
and opens new cans of security worms.
Huh? Never heard that one. In fact, not only was IPv6 designed to address many of the security issues with IPv4, but many new IPv4 capabilities for security come from IPv6. Common UDP and TCP services, and their security, are _no_different_ under IPv6 than IPv4.

On Fri, 2006-05-26 at 15:22 +0200, Per Jessen wrote:
I guess I should have said "default IPv6 support in SUSE". There's probably little doubt that actually implementing IPv6 has all kinds of traps and challenges.
Not really. Other than the common UNIX attitude that you have name resolution (without broadcast), IPv6 is actually a _dream_ IMHO. The FC80::/64 subnet is _always_ the LINKLOCAL IP -- and the lower 64-bits are _directly_ based on your 48-bit MAC address. And support for connecting to IPv4 networks (such as the commercial/global Internet) at the gateway is not difficult at all.

Now if you want to route between multiple IPv6 networks, you need a 2nd IPv6 address other than the default LINK LOCAL address. BTW, SITE LOCAL is now deprecated because it required registration.

-- Bryan J. Smith
Michael James perhaps unwisely wrote:
IPv6 HAS caused me a number of real problems
Bryan J. Smith > You're a miserable ignoramus.

Michael James > I was a perfectly happy ignoramus till you emailed.

(With apologies to Major Denis Bloodnok)
On Mon, 2006-05-29 at 14:13 +1000, Michael James wrote:
Bryan J. Smith > You're a miserable ignoramus.
Not "ignoramus," just "ignorant." We have _massive_ FUD in this thread, 100% due to ignorance. Ignorance of why the IPv6 LINK LOCAL is enabled in SuSE Linux and what it does. Ignorance of what my original response meant by "name resolution," etc... And a countless tangent, _continually_ based on the assumption that IPv6 -- as it is enabled in SuSE Linux -- is based on Internet access, when it's the IPv6 LINK LOCAL and 100% _internal_.

After a windfall of ignorant FUD, I then provide _accurate_ reasons and root cause about the issue. Then I get railed by the same ignorant FUD. I try to re-explain, and still it's missed. Let alone the _original_ context is lost.
Michael James > I was a perfectly happy ignoramus till you emailed. (With apologies to Major Denis Bloodnok)
Sometimes, it's better to just let the masses bathe in it. And just let the FUD stand.

-- Bryan J. Smith
Bryan J. Smith wrote:
On Mon, 2006-05-29 at 14:13 +1000, Michael James wrote:
Bryan J. Smith > You're a miserable ignoramus.
Not "ignoramus," just "ignorant." We have _massive_ FUD in this thread, 100% due to ignorance.
Are you the Bryan J. Smith that was kicked out of the CentOS mailing list for being obnoxious and arguing about unrelated items? 14 emails in 1 1/2 hour about a topic that is 100% unrelated to SUSE. Cut it off! Enough is enough.
On Mon, 2006-05-29 at 09:49 -0700, suse@911networks.com wrote:
Are you the Bryan J. Smith that was kicked out of the CentOS mailing list for being obnoxious and arguing about unrelated items?
Who says I was kicked out? Not so! I'm still on the list dude. I just help people off-list.
14 emails in 1 1/2 hour about a topic that is 100% unrelated to SUSE. Cut it off! Enough is enough.
I'm not the only one responding. No offense.

--
Bryan J. Smith
Professional, technical annoyance
mailto:b.j.smith@ieee.org
http://thebs413.blogspot.com
-------------------------------------------------------
Illegal Immigration = "Representation Without Taxation"
On Mon, 2006-05-29 at 12:58 -0400, Bryan J. Smith wrote:
Who says I was kicked out? Not so! I'm still on the list dude. I just help people off-list.
Furthermore, I've been actively donating my time and code to both it and associated projects. I just decided that I got tired of my comments and help being railroaded by people who wanted to talk about things being "broken" and "bad." E.g., SELinux.

BTW, this will be my _last-post_ _on-list_. I think this is another CentOS where 90+% of people want to take things out-of-context and not help the _original_ poster in tangents about things being "wrong" or "broken." I will just help people 100% off-list.

-- Bryan J. Smith
On Mon, 2006-05-29 at 13:02 -0400, Bryan J. Smith wrote:
I think this is another CentOS where 90+% of people want to take things out-of-context and not help the _original_ poster in tangents about things being "wrong" or "broken."
Correction, I meant 90+% of people who respond to me ... _not_ 90+% of the list as a whole.

-- Bryan J. Smith
Bryan J. Smith wrote:
Who says I was kicked out? Not so! I'm still on the list dude.
I just help people off-list.
Why don't you apply the same policy on this list.
14 emails in 1 1/2 hour about a topic that is 100% unrelated to SUSE. Cut it off! Enough is enough.
I'm not the only one responding.
So far it's 18 from you in the last 2 hours. You seem to bring out the worst arguments in people. Instead of arguing philosophy why don't you actually answer technical questions and give the code for it.
Bryan J. Smith wrote:
On Mon, 2006-05-29 at 14:13 +1000, Michael James wrote:
Bryan J. Smith > You're a miserable ignoramus.
Not "ignoramus," just "ignorant."
What's the difference?
Let alone the _original_ context is lost.
Let alone _that_ in the dark!
On 26/05/06 20:25, Bryan J. Smith wrote:
Michael James wrote:
IPv6 HAS caused me a number of real problems
I haven't run into any. The only one that bites most people in the rear is the UNIX attitude that you have name resolution -- no different than IPv4.
Install 9.0, do not install any updates; leave ipv6 enabled, but do not do anything with it beyond allowing the LINKLOCAL ip to be assigned on the external interface. Then ftp (lukemftp package) to a known site that has a public ipv6 address (such as ftp.mozilla.org). Watch ftp wait forever for a response, because it is in a perennial loop, trying to send a SYN packet to an ipv6 address, originating from a LINKLOCAL ip. Oh, the version of mozilla included in the non-updated 9.0 distribution also has the same defect.

I do not know the situation with 9.3, because as soon as I installed it, I disabled ipv6 globally. I do know that both mozilla and the lukemftp ftp client will timeout now (they did, after all, report the bugs as resolved), but I have no idea what the timeout is -- nor do I wish to find out. Unless and until I have an external public ipv6 ip, ipv6 is disabled on my system.
Now if you want to route between multiple IPv6 networks, you need a 2nd IPv6 address other than the default LINK LOCAL address. BTW, SITE LOCAL is now deprecated because it required registration.

Quite so, and if you do not have it, then you are SOL until you disable ipv6 -- globally.
I still haven't found out how to enable ipv6 on the internal interface, but disable it on the external. I do not think it can be done in SuSE as it stands now, either with Yast or manually (unless one wishes to undertake a massive rewrite of the network/firewall/dhcp configuration scripts, that is).
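The failure Darryl describes above (a client picks the IPv6 address and waits with no bound before IPv4 is ever tried) is what the "timeout" Bryan keeps mentioning is about, and a per-address bounded connect is the application-side fix that does not require disabling IPv6 system-wide. The following is an added example, not code from the thread or from any of the clients named in it; the 2001:db8::1 address (the unroutable RFC 3849 documentation prefix), the loopback listener and the function names are constructed for the demonstration.

```python
"""Bounded-timeout connect over every address getaddrinfo() returns."""
import socket


def order_candidates(infos, prefer_ipv4=False):
    """Turn getaddrinfo() results into [(family, sockaddr), ...].

    Resolver order is kept by default (IPv6 first if an AAAA exists);
    prefer_ipv4=True moves IPv4 ahead, the cheap per-application
    alternative to blacklisting the ipv6 module."""
    cands = [(fam, sa) for fam, _type, _proto, _canon, sa in infos]
    if prefer_ipv4:
        cands.sort(key=lambda c: 0 if c[0] == socket.AF_INET else 1)
    return cands


def connect_with_fallback(candidates, per_addr_timeout=1.0):
    """Try candidates in order; return (socket, sockaddr) of the first success.

    Each attempt is capped at per_addr_timeout seconds, so an IPv6 address
    the host cannot actually reach costs a bounded delay instead of the
    "wait forever" loop described in the thread. Raises OSError listing
    every failure if nothing connects."""
    failures = []
    for family, sockaddr in candidates:
        try:
            sock = socket.socket(family, socket.SOCK_STREAM)
        except OSError as exc:           # e.g. kernel without IPv6 support
            failures.append((sockaddr, exc))
            continue
        sock.settimeout(per_addr_timeout)
        try:
            sock.connect(sockaddr)
            sock.settimeout(None)        # back to blocking for normal use
            return sock, sockaddr
        except OSError as exc:           # ENETUNREACH, EINVAL, timeout, ...
            sock.close()
            failures.append((sockaddr, exc))
    raise OSError("no candidate reachable: %r" % failures)


def connect_host(host, port, per_addr_timeout=1.0, prefer_ipv4=False):
    """Resolve host and connect with fallback (needs a resolver; not used in the test)."""
    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    return connect_with_fallback(order_candidates(infos, prefer_ipv4), per_addr_timeout)


def demo_fallback(port, per_addr_timeout=0.5):
    """Constructed scenario: unroutable IPv6 first, IPv4 loopback listener second.

    Returns the address family that actually connected."""
    candidates = [
        (socket.AF_INET6, ("2001:db8::1", port, 0, 0)),
        (socket.AF_INET, ("127.0.0.1", port)),
    ]
    sock, _used = connect_with_fallback(candidates, per_addr_timeout)
    family = sock.family
    sock.close()
    return family


if __name__ == "__main__":
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    print("connected via family", demo_fallback(server.getsockname()[1]))
    server.close()
```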
On Sun, 2006-05-28 at 23:45 -0600, Darryl Gregorash wrote:
Install 9.0, do not install any updates; leave ipv6 enabled, but do not do anything with it beyond allowing the LINKLOCAL ip to be assigned on the external interface. Then ftp (lukemftp package) to a known site that has a public ipv6 address (such as ftp.mozilla.org). Watch ftp wait forever for a response, because it is in a perennial loop, trying to send a SYN packet to an ipv6 address, originating from a LINKLOCAL ip.
Again, name resolution issue. If you mix IPv6 LINK LOCAL with IPv4 PUBLIC, without either providing an IPv6 PUBLIC (or old SITE LOCAL) -- or much easier -- just put in a router that handles such IPv4 to IPv6 issues, yes, you'll run into this. Is this any different than issues with IPv4? Nope.

I'm _not_ against disabling IPv6. But I _am_ against _incorrect_ FUD being spread. Including what the problems are, that IPv6 is "broken," etc...

-- Bryan J. Smith
Please reply only to the list; thanks.

On 29/05/06 09:42, Bryan J. Smith wrote:
On Sun, 2006-05-28 at 23:45 -0600, Darryl Gregorash wrote:
Install 9.0, do not install any updates; leave ipv6 enabled, but do not do anything with it beyond allowing the LINKLOCAL ip to be assigned on the external interface. Then ftp (lukemftp package) to a known site that has a public ipv6 address (such as ftp.mozilla.org). Watch ftp wait forever for a response, because it is in a perennial loop, trying to send a SYN packet to an ipv6 address, originating from a LINKLOCAL ip.
Again, name resolution issue.
No, it is *not* a name resolution issue. Name resolution works just fine. The problem is what happens after that. You might try actually reading what people are saying to you before replying. When you do reply, try phrasing things like you are talking to the general public (which is who the list participants are) and not a conference room full of software engineers or members of the IEEE.

It does not matter that it is a client error, not (afaik) an error in the ipv6 implementation. The only thing that matters to most people is that the problem only shows up when ipv6 is enabled, and it is highly detrimental to the functionality of the system. Your contributions to this thread have not helped them one iota in resolving that issue.

Most people don't care in the slightest about linklocal, site local, public and all that nice stuff. All they know is they have an IP (or instructions to use dhcp) from their internet provider, and when they use it they have a problem.
If you mix IPv6 LINK LOCAL with IPv4 PUBLIC, without either providing an IPv6 PUBLIC (or old SITE LOCAL) -- or much easier -- just put in a router that handles such IPv4 to IPv6 issues, yes, you'll run into this.
Yes, let's all just rush right out and set up a 6to4 tunnel. I am sure that every list participant knows how to do that already. Oh wait, *I* don't even know how to do that already, and I have been trying to make sense out of the various howtos on the subject for quite some time now. They're just one more example of why you do not want the software author to write the documentation.
Bryan J. Smith wrote:
Michael James wrote:
IPv6 HAS caused me a number of real problems
I haven't run into any. The only one that bites most people in the rear is the UNIX attitude that you have name resolution -- no different than IPv4.
I don't understand what "UNIX attitude" you mean. That I want to use human-readable service host names in my applications and expect that they are mapped transparently to IP addresses (and that it's irrelevant if these are v4 or v6 addresses)? (For the record, I do so, as do most of my customers.) If that is an adequate summary of the "UNIX attitude", do you think that's bad or that's good? If you think that the "attitude to have name resolution" is bad, how do you expect people (e.g., users in their browsers or system administrators in configuration files) to address services in an IPv6 network? With IPv6 addresses?
and opens new cans of security worms.
Huh? Never heard that one. In fact, not only IPv6 was designed to address many of the security issues with IPv4, but many new IPv4 capabilities for security come from IPv6.
Would you please supply a URL to a free firewall solution for Linux that does stateful firewalling for IPv6? ip6tables doesn't support this, according to the netfilter homepage. And Checkpoint VPN-1 is a tad too expensive for many SOHO companies and for private use...

TIA for answers, especially for a firewall solution,

Joachim

PS: You don't need to explain IPv6 to me; I plan its implementation in companies and know about it by heart. But your enthusiastic fanboyism for it doesn't match the experiences from my deployment projects.

--
Joachim Schrod
On Mon, 2006-05-29 at 13:21 +0200, Joachim Schrod wrote:
I don't understand what "UNIX attitude" you mean. That I want to use human-readable service host names in my applications and expect that they are mapped transparently to IP addresses (and that it's irrelevant if these are v4 or v6 addresses)? (For the record, I do so, as do most of my customers.)
And then IPv6 is 100% the same as IPv4. Even the /etc/hosts file. ;->
If that is an adequate summary of the "UNIX attitude", do you think that's bad or that's good?
All NOSes require network name resolution. The legacy Novell-Windows world has been broadcast (even if only an option or default now). UNIX has always required passive. That means either local host entries, DNS server, etc...
If you think that the "attitude to have name resolution" is bad,
No -- the key is recognizing that name resolution is _always_ required! UNIX is just passive in its design ... _always_. ;->
how do you expect people (e.g., users in their browsers or system administrators in configuration files) to address services in an IPv6 network? With IPv6 addresses?
First off, it's the same as IPv4, NAT/PAT. But that aside ... the "root cause" isn't IPv6. It's that the applications are waiting to "time out" on IPv6 name resolution. So, secondly, using internal DNS proxy servers solves the problem nicely. You need to _address_ that timeout. If you do, no problem.
Would you please supply a URL to a free firewall solution for Linux that does stateful firewalling for IPv6? ip6tables doesn't support this, according to the netfilter homepage. And Checkpoint VPN-1 is a tad too expensive for many SOHO companies and for private use... TIA for answers, especially for a firewall solution,
Again, you don't have to at the NAT/PAT. It's the IPv6 name resolution that is the root cause. Address the timeout on your internal DNS proxy, and the problem is solved!
Joachim

PS: You don't need to explain IPv6 to me; I plan its implementation in companies and know about it by heart. But your enthusiastic fanboyism for it doesn't match the experiences from my deployment projects.
It's a lot easier to deal with than 1:1 IPv4 NAT. ;->

-- Bryan J. Smith
Bryan J. Smith wrote:
But that aside ... the "root cause" isn't IPv6. It's that the applications are waiting to "time out" on IPv6 name resolution.
If you call that the "UNIX attitude", you have an attitude problem yourself. Try that on a current Windows system in any sizable installation (i.e., one that utilizes AD and modern Windows (DNS-based) naming service) and look how your broadcast assumption goes down the drain.
So, secondly, using internal DNS proxy servers solves the problem nicely. You need to _address_ that timeout. If you do, no problem.
If you think that's the main issue in IPv6 deployments, you're in for a few surprises. The main problem is not DNS, but applications where their IPv6 support does not work as intended. That means, the root causes are very often software errors and not configuration errors. But then, you dodged the much more important question:
Would you please supply a URL to a free firewall solution for Linux that does stateful firewalling for IPv6? ip6tables doesn't support this, according to the netfilter homepage. And Checkpoint VPN-1 is a tad too expensive for many SOHO companies and for private use...
Again, you don't have to at the NAT/PAT. It's the IPv6 name resolution that is the root cause.
Sorry, but who did ask for a NAT/PAT solution? I didn't. And I don't have a name resolution problem at the firewall either. I asked for a *stateful* *firewall* because you told us that IPv6 has no associated security issues. (You discarded that argument in your response.) Please note that such a firewall is something one needs for security reasons, not to enable NAT. And name resolution has *NOTHING* to do with it. Being thrown back to packet filtering is not sufficient nowadays, even for SOHO installations.

I.e., I asked for a firewall that tracks the state of TCP network connections and doesn't allow connections that make invalid requests. In its most rudimentary form, it only tracks request/response flows, so that no response is forwarded without an appropriate fitting request and that SEQ/ACK pairs fit. In its sophisticated form, it really tracks the state of the TCP protocol in question, e.g., that a DATA is not sent before a MAIL request in an SMTP connection. An answer for the former, simpler, firewall would be sufficient at first.

Again, if you tell us that there are no security issues with IPv6, please supply a URL for such a Linux product, free or very cheap. Netfilter ain't it, they support stateful filtering only for IPv4, see http://www.netfilter.org/.
Address the timeout on your internal DNS proxy, and the problem is solved!
If this solved all your IPv6 problems -- frankly, I assume that you haven't had many big installations. I rolled out IPv6 in companies with 10,000s of systems and 1,000s of applications, and let me tell you from my experience: it ain't so easy. If it were so, the projects wouldn't need months to finish, it would be a matter of weeks instead.

But even if we take your statement for granted, it _is_ actually an argument against IPv6 in SOHO (`small office, home office') environments: There nobody wants to care about proper installation of their internal DNS proxy when they have to do it manually and when it is not supplied out-of-the-box by their distributor. And as long as that's the case, I can understand why people want to turn it off in their installations -- they don't need it and it only disturbs them.

Joachim
--
Joachim Schrod
On Mon, 2006-05-29 at 18:35 +0200, Joachim Schrod wrote:
If you call that the "UNIX attitude", you have an attitude problem yourself. Try that on a current Windows system in any sizable installation (i.e., one that utilizes AD and modern Windows (DNS-based) naming service) and look how your broadcast assumption goes down the drain.
First off, I _did_ say "legacy." Secondly, now that's what the MCSE manuals say! There are still a _lot_ of legacy services and details that use NetBIOS. It's improved in Windows Server 2003, but they are still there. ;-> Hence why "Native mode" ADS is not as "native" as Microsoft says it is. ;-> The Samba docs are great at talking about that at length. ;-> Again, it's improved in Windows Server 2003. But there are still a lot of things in Windows 2000, including Windows XP, that aren't. ;->
If you think that's the main issue in IPv6 deployments, you're in for a few surprises. The main problem is not DNS, but applications where their IPv6 support does not work as intended. That means, the root cause are very often software errors and not configuration errors.
I meant with regards to applications that ass-u-me IPv4 services.
But then, you dodged the much more important question:
Because I'm _not_ routing IPv6 to the Internet. It's like asking me how I use NFS over the Internet.
Sorry, but who did ask for a NAT/PAT solution? I didn't.
Why not? You want to assign public IPv6 to each and every host? Haven't you followed the SITE LOCAL discussions (and subsequent deprecation)?
And I don't have a name resolution problem at the firewall either.
Exactomundo! I don't need to do IPv6 across the firewall!
I asked for a *stateful* *firewall* because you told us that IPv6 has no associated security issues. (You discarded that argument in your response.)
Really? I said that? I said IPv6 has _no_additional_ security issues over IPv4. Please do not misquote me. ;->
Please note that such a firewall is something one needs for security reasons,
Okay, I'll play this game ... First off, how do you define "firewall"? To make an ass-u-mption, by "stateful packet filter" (SPF), you meant a layer 2-4 firewall. And that's before we start talking about deny v. allow defaults -- not only incoming, but outgoing. What about layer 5-7? What about proxy? What about even layer-3 (IPv6 to/from IPv4)?
I.e., I asked for a firewall that tracks the state of TCP network connections and doesn't allow connections that make invalid requests.
And I said I do _not_ address IPv6 at the Internet perimeter, because I do _not_ let IPv6 cross the Internet perimeter.

The rest of your commentary is based on what you thought I said. I can't answer those, because I didn't say them.

IPv6 simplifies many things over IPv4. I'd much rather put in IPv6 than 1:1 IPv4 NAT.

-- Bryan J. Smith
Bryan J. Smith wrote:
I asked for a *stateful* *firewall* because you told us that IPv6 has no associated security issues. (You discarded that argument in your response.)
Really? I said that? I said IPv6 has _no_additional_ security issues over IPv4. Please do not misquote me. ;->
OK. Then, for the list archive: The additional security issue of IPv6 over IPv4 is the missing stateful firewall that is available for IPv4, but not for IPv6.

Bryan blabbered around a lot and made big noise on his solitary haystack, trying to be the biggest cock, but the result remains the same: he couldn't supply a URL because no such firewall exists. Instead he made up some irrelevant stuff about Internet connections, as if firewalls would only be used on Internet perimeters and not also on internal perimeters or on company interconnects.

I think I can cut that crap now, disregard his obnoxious behavior, and don't need to bother further. *PLONK*

Joachim
--
Joachim Schrod