[plug] IPv6
Tim White
weirdit at gmail.com
Wed Feb 29 07:28:53 WST 2012
On 29/02/12 03:15, Alexander Hartner wrote:
> Hi all,
>
> Some of us might be getting IPv6 this year so I thought to prepare
> myself for when the time is right. What I found out was that IPv6 does
> not support NAT which shocked me initially. I really like the
> separation of an internal and external network. It allowed me to
> configure my internal firewall to allow access to all machines on the
> internal network by simply specifying 192.168.1.0/24 for example.
> Using NAT on my router also provided me with added security as I could
> map specific protocols to specific computers on the internal network.
> The fact that the internet was running out of addresses was really
> secondary in my thoughts as all I needed was a single IP address.
>
> Now with IPv6 on the horizon this is all about to change. I was
> wondering since several of the plug services already support IPv6 if
> anybody could give me some suggestion on how to deal with this ?
>
> Will I need to set up a firewall around each and every device on my
> network ? Since each of them has an "external" address what is
> preventing anybody from accessing it if it didn't have a firewall.
>
> In particular:
> How can I identify all internal devices, do I have to list them
> individually ? Is this done with the prefix ?
>
> My router allows me to set a prefix for internal devices which get
> their address from it using DHCP ? What is preventing me from picking
> the same prefix as somebody else and how is this handled ?
>
> If my local DHCP server is offering IPv6 addresses how are conflicts
> handled ?
>
> Is it possible to use a personalised scheme in the address. For
> example each machine in a given building (99) uses a specific range
> (192.168.99.x). (Not that I have a building, just in theory).

Hi Alex

Firstly, NAT was never the intended way for the internet to work, which
was connectivity end to end. Lots of people have gotten "lazy" thinking
that NAT is providing them with security, and so they don't worry about
firewalls etc. So yes, you will need a firewall on each device that is
connected to the internet, and this is how it should have always been.

As you will have a router that connects the device 'internally' to the
outside world, it can still firewall off your internal network,
providing some protection. Just because something has a public IP
address doesn't mean you can connect to it. We often think when we
set up a Linux router that things like ESTABLISHED and RELATED
connections refer to NATted connections. However, they can refer
equally as well to "forwarded" connections. We just don't normally have
plain forwarded connections as we are used to using private IPs in the
home, and therefore need to NAT them to a public IP.

Generally with IPv6 you'll get a "subnet" for your network, so
everything internal can easily be identified by that subnet (prefix) you
have. Sometimes your router will have a different address, and
everything for your subnet is routed via your router's address. For
example, my router is 2001:388:f000::1b2b and my internal subnet is
2001:0388:e000:b300::/64.

As for "DHCP", chances are you'll be using the IPv6 auto config stuff.
Any device that connects to my home network will automatically get an
IPv6 address that should be conflict free due to how IPv6 auto config
works. Yes, you could personalise the address scheme, however I probably
wouldn't worry too much about it, and just sort out proper DNS (even if
it's only local "home.lan" kind of DNS) so you can address your
computers easily.

Curious, who do you expect to be getting IPv6 via? I'd suggest that most
people should start looking at IPv6 now, via aarnet
(broker.aarnet.net.au) and start learning how to use it, and how to
secure it.

Hope that helps.

Tim
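
The router-side policy described in the reply above (stateful forwarding with ESTABLISHED and RELATED but no NAT), sketched as an added example that is not part of the original post. The interface names, the `IP6T` dry-run switch and the host address ending in `::10` are assumptions; the /64 is the subnet quoted in the post.

```shell
#!/bin/sh
# Added example: stateful forwarding policy for a routing (non-NAT) IPv6 gateway.
# Dry run by default: commands are printed. Run as root with IP6T=ip6tables to apply.
IP6T=${IP6T:-"echo ip6tables"}

LAN_PREFIX="2001:0388:e000:b300::/64"  # internal subnet quoted in the post
LAN_IF="eth1"                          # assumed internal interface name
WAN_IF="eth0"                          # assumed upstream interface name

# forward_policy PREFIX LAN_IF WAN_IF
forward_policy() {
    case $1 in
        *:*/*) ;;  # looks like an IPv6 prefix with a length
        *) echo "not an IPv6 prefix: $1" >&2; return 1 ;;
    esac
    # Default deny: a public address alone does not make a host reachable.
    $IP6T -P FORWARD DROP
    # Start from an empty chain so re-running does not duplicate rules.
    $IP6T -F FORWARD
    # Replies to connections the LAN opened; no NAT is involved in this match.
    $IP6T -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IP6T -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # New outbound connections, only from sources inside the internal prefix.
    $IP6T -A FORWARD -i "$2" -o "$3" -s "$1" -m conntrack --ctstate NEW -j ACCEPT
}

# allow_inbound HOST_ADDR TCP_PORT WAN_IF
# The IPv6 counterpart of mapping one protocol to one internal computer.
allow_inbound() {
    $IP6T -A FORWARD -i "$3" -d "$1" -p tcp --dport "$2" \
        -m conntrack --ctstate NEW -j ACCEPT
}

forward_policy "$LAN_PREFIX" "$LAN_IF" "$WAN_IF"
# Constructed host address inside the prefix, exposing SSH on that one machine.
allow_inbound "2001:388:e000:b300::10" 22 "$WAN_IF"
```

ICMPv6 errors that belong to an existing flow, such as Packet Too Big, are matched by RELATED, so path MTU discovery keeps working under this policy.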