[plug] IPv6

Tim White weirdit at gmail.com
Wed Feb 29 07:28:53 WST 2012


On 29/02/12 03:15, Alexander Hartner wrote:
> Hi all,
>
> Some of us might be getting IPv6 this year so I thought to prepare
> myself for when the time is right. What I found out was that IPv6 does
> not support NAT which shocked me initially. I really like the 
> separation of an internal and external network. It allowed me to 
> configure my internal firewall to allow access to all machines on the 
> internal network by simply specifying 192.168.1.0/24 for example. 
> Using NAT on my router also provided me with added security as I could 
> map specific protocols to specific computers on the internal network. 
> The fact that the internet was running out of addresses was really 
> secondary in my thoughts as all I needed was a single IP address.
>
> Now with IPv6 on the horizon this is all about to change. I was
> wondering, since several of the plug services already support IPv6, if
> anybody could give me some suggestions on how to deal with this?
>
> Will I need to set up a firewall around each and every device on my
> network ? Since each of them has an "external" address what is 
> preventing anybody from accessing it if it didn't have a firewall.
>
> In particular:
> How can I identify all internal devices, do I have to list them 
> individually ? Is this done with the prefix ?
>
> My router allows me to set a prefix for internal devices which get 
> their address from it using DHCP ? What is preventing me from picking 
> the same prefix as somebody else and how is this handled ?
>
> If my local DHCP server is offering IPv6 addresses how are conflicts 
> handled ?
>
> Is it possible to use a personalised scheme in the address? For
> example each machine in a given building (99) uses a specific range
> (192.168.99.x). (Not that I have a building, just in theory).

Hi Alex

Firstly, NAT was never the intended way for the internet to work, which 
was connectivity end to end. Lots of people have gotten "lazy" thinking 
that NAT is providing them with security, and so they don't worry about 
firewalls etc. So yes, you will need a firewall on each device that is 
connected to the internet, and this is how it should have always been.
As you will have a router that connects the device 'internally' to the 
outside world, it can still firewall off your internal network, 
providing some protection. Just because something has a public IP
address doesn't mean you can connect to it. We often think when we
set up a Linux router that things like ESTABLISHED and RELATED
connections refer to NATted connections. However, it can refer
equally as well to "forwarded" connections. We just don't normally have
plain forwarded connections as we are used to using private IPs in the
home, and therefore need to NAT them to a public IP.

Generally with IPv6 you'll get a "subnet" for your network, so 
everything internal can easily be identified by that subnet (prefix) you 
have. Sometimes your router will have a different address, and 
everything for your subnet is routed via your router's address. For
example, my router is 2001:388:f000::1b2b and my internal subnet is 
2001:0388:e000:b300::/64.
As for "DHCP", chances are you'll be using the IPv6 auto config stuff.
Any device that connects to my home network will automatically get an
IPv6 address, that should be conflict free due to how IPv6 auto config
works. Yes, you could personalise the address scheme, however I probably 
wouldn't worry too much about it, and just sort out proper DNS (even if 
it's only local "home.lan" kind of DNS) so you can address your 
computers easily.

Curious, who do you expect to be getting IPv6 via? I'd suggest that most 
people should start looking at IPv6 now, via aarnet 
(broker.aarnet.net.au) and start learning how to use it, and how to 
secure it.

Hope that helps.

Tim
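
The router-side firewall described in the reply above, sketched as an added example that is not part of the original post or either poster's configuration: a default-deny FORWARD chain on a Linux router that applies the ESTABLISHED/RELATED match to plainly forwarded IPv6 traffic. The interface names (eth0, eth1), the function name and the IP6T dry-run variable are assumptions; the prefix is the one quoted in the message.

```shell
#!/bin/sh
# Added example (not from the original post): stateful FORWARD policy for a
# Linux router that routes, rather than NATs, an IPv6 /64.
# Assumptions: interface names below; the router's own INPUT chain is
# configured separately and is not touched here.
LAN_PREFIX="2001:0388:e000:b300::/64"   # internal subnet quoted in the post
WAN_IF="${WAN_IF:-eth0}"                # assumed upstream interface
LAN_IF="${LAN_IF:-eth1}"                # assumed internal interface
IP6T="${IP6T:-ip6tables}"               # IP6T="echo ip6tables" gives a dry run

apply_ipv6_forward_policy() {
    # Default deny: a public address alone does not make a host reachable.
    $IP6T -P FORWARD DROP
    $IP6T -F FORWARD

    # Replies to connections opened from the LAN. This is the same state
    # match used on a NAT box, applied here to forwarded traffic.
    $IP6T -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # ICMPv6 error types that should cross the firewall (see RFC 4890);
    # dropping packet-too-big breaks path MTU discovery.
    for t in destination-unreachable packet-too-big time-exceeded parameter-problem; do
        $IP6T -A FORWARD -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
    done

    # New connections are accepted only outbound, and only when the source
    # lies inside the internal prefix (a basic anti-spoofing check).
    $IP6T -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_PREFIX" \
        -m conntrack --ctstate NEW -j ACCEPT

    # Unsolicited inbound traffic to the internal hosts matches no rule
    # above and is dropped by the chain policy.
}
```

Per-host firewalls still apply on top of this; the router policy only decides what reaches the internal subnet from outside.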

