[Info-vax] implementing IPv6 on the internet
Dirk Munk
munk at home.nl
Tue Sep 20 05:47:08 EDT 2016
This contribution is not about VMS, it is about IPv6 and the way it is
introduced.
Stephen Hoffman tells us we have to concentrate on the introduction and
use of IPv6, and let me be very clear about this: he is absolutely right.
I have been advocating IPv6 for over 10 years now, so we have no
difference of opinion there.
IPv6 has been under development for over 20 years now, so you might
think there is a clear concept how it all has to work, but alas this is
not the case. By far the largest number of global IPv6 addresses will be
found in the home LANs of consumers, so how to deal with those addresses
is something that should have been high on the agenda of the IETF. Should
have been, but it wasn't; it was completely forgotten.
To explain what I mean, let’s start with IPv4. The only global IPv4
address that you have at home will be the WAN address of your router (if
you’re lucky), all the IPv4 addresses on your LAN are private addresses.
If you’re not lucky, your ISP uses carrier grade NAT, and you will also
have a private address on the WAN port of your router. I will not go
into that.
That IPv4 address usually will also have some cryptic DNS name attached
to it, but since the address will be dynamic, the DNS name will also be
dynamic. To overcome this problem, you may register your router with a
DNS name of your liking at a dynamic DNS organisation like Dyndns. Your
router will take care that its WAN address is kept up to date at that
organization. However, that DNS name is always an alias. Reverse name
lookup (address -> DNS name) will never show the DNS name you chose; it
will always show the cryptic DNS name of your ISP. After all, the DNS
server of your ISP is the authoritative name server for that address
space, not the name server of your dynamic DNS organization.
If you want to reach a device on your LAN from the internet, you address
a certain port number on the WAN address of your router, and by means of
port forwarding it will be translated to an IP address and port number
on your LAN. You will all be familiar with this concept.
With IPv6 things are very different. First of all there are three kinds
of IPv6 address (actually there are more). The first is the link-local
address; it is present on every IPv6-enabled interface, whether or not
there is an actual IPv6 network present. It starts with fe80::, and
these are non-routable addresses. Then we have the global IPv6 address,
which often starts with something like 2001::. And then we have the
Unique Local Addresses (ULA), which can be seen as the IPv6 equivalent of
IPv4 private addresses. They start with something like fd00::.
Every device on your LAN will get at least one global IPv6 address. That
address will be used on the internet. If you want to reach that device
from the internet, you will have to use that IPv6 address, not the IPv6
address of the WAN port of your router. It should also have a DNS name.
In fact it is good practice that every IP address on the internet has a
DNS name. That means every global IPv6 address (all IPv6 capable devices
on your LAN) should be registered with a DNS name at some DNS server.
Which DNS server should that be? Very simple, the DNS server of your
ISP. It is the authoritative name server for that address space. Every
consumer should get his own (sub)domain there, and your router will be
responsible for adding the addresses and DNS names, that is the general
idea. You don't want address spoofing etc., so it has to be done in a
very secure way.
The ideas are there, but nothing has been defined in RFCs yet. You
cannot buy any router that can do this, and no ISP is prepared for this
massive task. And yet we are implementing IPv6 with consumers right now,
wonderful isn't it?
The ULA addresses are also very important. On your home LAN you should
use those addresses for communicating between devices. Your router
should be a DNS server for a local domain. That way if the connection
with the internet is lost, you still have a fully functioning network.
My personal idea is that if you use global IPv6 addresses for
communicating between devices on your LAN, it should be handled as
traffic from the internet. This way you can check accessibility of
devices from the internet. Since there is no ARP with IPv6, I have the
idea that it should be possible to set this up.
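The address classes described above, together with the proposed rule that global-to-global traffic between two LAN hosts is treated like traffic from the internet, as an added example that is not part of the original post. The prefix constants, the policy labels and the sample addresses (2001:db8::/32 is the documentation prefix) are assumptions made for this illustration.

```python
import ipaddress

# Prefixes for the three address kinds named in the post (constructed constants).
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")  # fe80:: link-local, non-routable
ULA = ipaddress.IPv6Network("fc00::/7")          # Unique Local Addresses; fd00::/8 is the half in use
GLOBAL = ipaddress.IPv6Network("2000::/3")       # global unicast, e.g. 2001::


def classify(addr: str) -> str:
    """Return 'link-local', 'ula', 'global' or 'other' for a textual IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in ULA:
        return "ula"
    if ip in GLOBAL:
        return "global"
    return "other"


def reverse_name(addr: str) -> str:
    """ip6.arpa name the ISP's reverse zone would need for this address (one nibble per label)."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def lan_policy(src: str, dst: str) -> str:
    """Decide how a home router treats a flow between two hosts on its own LAN.

    Rule from the post: ULA-to-ULA (or link-local-to-link-local) is plain LAN
    traffic that keeps working when the uplink is down; a flow involving a global
    address is subject to the same inbound rules as a real external peer.
    """
    kinds = {classify(src), classify(dst)}
    if "global" in kinds:
        return "internet-rules"
    if kinds in ({"ula"}, {"link-local"}):
        return "lan"
    return "unclassified"  # mixed scopes or an unknown prefix: no implicit trust


if __name__ == "__main__":
    # Constructed sample flows on one home LAN.
    for s, d in [("fd12:3456:789a::10", "fd12:3456:789a::20"),
                 ("2001:db8:1::10", "2001:db8:1::20"),
                 ("fe80::1", "fd12:3456:789a::20")]:
        print(f"{s} -> {d}: {lan_policy(s, d)}")
    print(reverse_name("2001:db8:1::10"))
```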
After you’ve read all of this, I hope you can understand why I’m so
cynical about IP. It’s not that I don’t want IPv6, on the contrary we
need it badly. In fact we are at least 5 years late with the
implementation. But how stupid must you be if you start implementing a
completely new network architecture (which IPv6 is!), and leave such an
enormous gaping hole in the concept? After all, most of the IPv6
addresses will be at people's homes, certainly when the Internet of
Things starts picking up.
Conceptual thinking is lacking, also with security. If telnet is not
secure, let's build something completely new with its own security
(SSH). If FTP isn't secure, well then let's use SFTP, or FTPS, or SCP,
or ... Not to mention the different versions of FTP itself of course
(active, passive...).
What we need are clear, well defined concepts, and proper standards that
reflect these. What we also need are proper test suites to check if
everything works as it should, if everything is secure, and so on.
Any comments are welcome.