Bryan J. Smith wrote:
> But that aside ... the "root cause" isn't IPv6. It's that the applications are waiting to "time out" on IPv6 name resolution.
If you call that the "UNIX attitude", you have an attitude problem yourself. Try that on a current Windows system in any sizable installation (i.e., one that utilizes AD and modern Windows (DNS-based) naming service) and look how your broadcast assumption goes down the drain.
> So, secondly, using internal DNS proxy servers solves the problem nicely. You need to _address_ that timeout. If you do, no problem.
If you think that's the main issue in IPv6 deployments, you're in for a few surprises. The main problem is not DNS, but applications whose IPv6 support does not work as intended. That means the root causes are very often software errors and not configuration errors. But then, you dodged the much more important question:
>> Would you please supply a URL to a free firewall solution for Linux that does stateful firewalling for IPv6? ip6tables doesn't support this, according to the netfilter homepage. And Checkpoint VPN-1 is a tad too expensive for many SOHO companies and for private use...
> Again, you don't have to at the NAT/PAT. It's the IPv6 name resolution that is the root cause.
Sorry, but who asked for a NAT/PAT solution? I didn't. And I don't have a name resolution problem at the firewall either. I asked for a *stateful* *firewall* because you told us that IPv6 has no associated security issues. (You discarded that argument in your response.) Please note that such a firewall is something one needs for security reasons, not to enable NAT. And name resolution has *NOTHING* to do with it. Being thrown back to packet filtering is not sufficient nowadays, even for SOHO installations. I.e., I asked for a firewall that tracks the state of TCP network connections and doesn't allow connections that make invalid requests. In its most rudimentary form, it only tracks request/response flows, so that no response is forwarded without an appropriately fitting request and that SEQ/ACK pairs fit. In its sophisticated form, it really tracks the state of the protocol in question, e.g., that a DATA is not sent before a MAIL request in an SMTP connection. An answer for the former, simpler, firewall would be sufficient at first. Again, if you tell us that there are no security issues with IPv6, please supply a URL for such a Linux product, free or very cheap. Netfilter ain't it, they support stateful filtering only for IPv4, see http://www.netfilter.org/.
> Address the timeout on your internal DNS proxy, and the problem is solved!
If this solved all your IPv6 problems -- frankly, I assume that you haven't had many big installations. I rolled out IPv6 in companies with 10,000s of systems and 1,000s of applications, and let me tell you from my experience: it ain't so easy. If it were, the projects wouldn't need months to finish; it would be a matter of weeks instead. But even if we take your statement for granted, it _is_ actually an argument against IPv6 in SOHO ('small office, home office') environments: there nobody wants to care about proper installation of their internal DNS proxy when they have to do it manually and when it is not supplied out-of-the-box by their distributor. And as long as that's the case, I can understand why people want to turn it off in their installations -- they don't need it and it only disturbs them.

Joachim

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod                          Email: jschrod@acm.org
Roedermark, Germany
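The "simpler" stateful firewall Joachim asks for above (forward no response without a fitting request on record, and check that SEQ/ACK pairs fit) as an added example in Python. This is written for this page; it is not code from the thread, from netfilter, or from any product mentioned. It tracks flows over addresses as opaque strings, so IPv6 literals are handled exactly like IPv4 ones, which is the point: nothing in this kind of tracking depends on the address family. The inside prefix, the window size, the host addresses and every packet in run_scenario() are constructed. (For the record, netfilter has since gained IPv6 connection tracking, so the conntrack/state match is available in ip6tables today; the model below does not depend on that.)

```python
"""Model of the 'simpler' stateful firewall described in the reply above.
Added illustration, not code from the thread or from netfilter. Addresses are
opaque strings, so IPv6 literals are handled like IPv4. The inside prefix,
the window size and every packet in run_scenario() are constructed."""
from collections import namedtuple
from dataclasses import dataclass

WINDOW = 65535  # assumed receive window; sequence wraparound is not modelled
Packet = namedtuple("Packet", "src sport dst dport flags seq ack payload_len",
                    defaults=(0, 0))  # flags: a set drawn from SYN, ACK, FIN, RST


@dataclass
class Flow:
    state: str        # "SYN_SENT" or "ESTABLISHED"
    client_isn: int
    client_next: int  # next sequence number expected from the client
    server_isn: int = 0
    server_next: int = 0
    fins: int = 0


class StatefulFilter:
    """Forward a reply only if a matching request is on record and SEQ/ACK fit."""

    def __init__(self, inside_prefix):
        self.inside_prefix = inside_prefix
        self.flows = {}  # (client, cport, server, sport) -> Flow

    def _inside(self, addr):
        return addr.startswith(self.inside_prefix)

    def filter(self, p):
        if self._inside(p.src) and not self._inside(p.dst):
            return self._outbound(p)
        if self._inside(p.dst) and not self._inside(p.src):
            return self._inbound(p)
        return "DROP"

    def _outbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == {"SYN"}:
            # a request from inside: remember it so that the reply can be matched
            self.flows[key] = Flow("SYN_SENT", p.seq, p.seq + 1)
            return "ACCEPT"
        flow = self.flows.get(key)
        if flow is None or flow.state != "ESTABLISHED":
            return "DROP"
        if not flow.client_next <= p.seq < flow.client_next + WINDOW:
            return "DROP"
        if not flow.server_isn < p.ack <= flow.server_next:
            return "DROP"  # acknowledges bytes the server never sent
        return self._advance(key, flow, p, "client_next")

    def _inbound(self, p):
        key = (p.dst, p.dport, p.src, p.sport)
        flow = self.flows.get(key)
        if flow is None:
            return "DROP"  # no request on record: unsolicited SYN, spoofed reply
        if flow.state == "SYN_SENT":
            # only a SYN-ACK acknowledging ISN+1 fits the request (simplification:
            # the flow counts as established once the SYN-ACK has passed)
            if p.flags != {"SYN", "ACK"} or p.ack != flow.client_isn + 1:
                return "DROP"
            flow.state, flow.server_isn, flow.server_next = "ESTABLISHED", p.seq, p.seq + 1
            return "ACCEPT"
        if "ACK" not in p.flags or not flow.server_next <= p.seq < flow.server_next + WINDOW:
            return "DROP"  # out of window: replay or blind injection
        if not flow.client_isn < p.ack <= flow.client_next:
            return "DROP"  # acknowledges bytes the client never sent
        return self._advance(key, flow, p, "server_next")

    def _advance(self, key, flow, p, attr):
        # the packet fits: move the expected sequence number, handle teardown
        if "RST" in p.flags:
            del self.flows[key]
            return "ACCEPT"
        setattr(flow, attr, p.seq + p.payload_len + ("FIN" in p.flags))
        if "FIN" in p.flags:
            flow.fins += 1
            if flow.fins == 2:
                del self.flows[key]  # both sides closed
        return "ACCEPT"


def run_scenario():
    """Constructed exchange: inside client 2001:db8:1::10 talks SMTP to 2001:db8:2::25."""
    fw = StatefulFilter("2001:db8:1::")
    c, s, x = "2001:db8:1::10", "2001:db8:2::25", "2001:db8:3::1"
    steps = [
        Packet(c, 40000, s, 25, {"SYN"}, 1000),                # 1 request from inside
        Packet(s, 25, c, 40000, {"SYN", "ACK"}, 5000, 1001),   # 2 fitting reply
        Packet(x, 25, c, 40000, {"SYN", "ACK"}, 7000, 1001),   # 3 reply nobody asked for
        Packet(s, 25, c, 40000, {"ACK"}, 5001, 9999),          # 4 ACK does not fit
        Packet(c, 40000, s, 25, {"ACK"}, 1001, 5001),          # 5 handshake completes
        Packet(s, 25, c, 40000, {"ACK"}, 5001, 1001, 20),      # 6 banner, 20 bytes
        Packet(x, 33333, c, 22, {"SYN"}, 1),                   # 7 unsolicited inbound SYN
        Packet(c, 40000, s, 25, {"ACK"}, 1001, 5021, 10),      # 8 client sends 10 bytes
        Packet(s, 25, c, 40000, {"ACK"}, 5001, 1001, 20),      # 9 replay, out of window
        Packet(s, 25, c, 40000, {"RST", "ACK"}, 5021, 1011),   # 10 fitting RST tears down
        Packet(s, 25, c, 40000, {"ACK"}, 5021, 1011),          # 11 nothing left to match
    ]
    return [fw.filter(p) for p in steps]
```

Steps 3, 4, 7, 9 and 11 are the cases a plain packet filter lets through and a tracker refuses: a reply with no request behind it, an acknowledgement for bytes the client never sent, an inbound SYN, a replayed segment, and traffic on a connection that was already reset. The model deliberately stops at the "rudimentary" level of the request above: it does not model window scaling or sequence wraparound, it marks the flow established on the SYN-ACK rather than on the client's final ACK, and it knows nothing about application state such as MAIL before DATA in SMTP.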