[Info-vax] implementing IPv6 on the internet
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Wed Sep 21 13:42:54 EDT 2016
On 2016-09-21 16:31:11 +0000, David Froble said:
> I'm not anti-IPv6, just as I'm not anti-quadword. But from a practical
> perspective, I have to ask, how many people, organizations, etc., behind
> an IPv4 NAT router really need the extended address space. Right now,
> as you state, you can forward any ports to any device on today's NAT
> routers. So, what's the rush, for this issue anyway, for IPv6?
There's no rush at all, right up until you really need that connectivity.
For VSI or for software developers, this means that most folks won't
use IPv6 right up until they really need to light it up and use it.
Same as usual, in terms of the pattern of adoption of newness.
> Now, where I do see a problem, and IPv6 will not address it if I
> understand it correctly, is that if some device can be accessed from
> outside, and it's not so secure, it's inside your router and can get at
> the rest of the devices on the internal network.
Sure, but you can make the same mistake with IPv4.
As for IPv6, consider that VPNs and such connections want or need to
know the addresses of the end-points of the connection, and NAT is
specifically intended to make those end-points not visible. This...
tension... makes the whole IPv4 connection and management process much
more complex. Port forwarding with NAT around means playing games
with which ports go where, if you're fanning out incoming connections.
With IPv6, you don't need to use different ports to fan out
connections. It's simpler. Now if you do open up all inbound TCP
port 22 — or TCP port 23, for folks still running telnet — to
everything at your gateway-firewall, then — once the remote users find
the target addresses — those internal hosts are going to see login
attempts throughout. But nothing mandates opening up all inbound
access, and that open access almost certainly won't be the default on
any gateway-firewall device.
--
Pure Personal Opinion | HoffmanLabs LLC
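
The port fan-out contrast described in the message above, sketched as an nftables ruleset. This is an added example, not part of the original post and not any vendor's shipped configuration. The choice of nftables, the interface names (wan0, lan0) and all addresses (RFC 5737 / RFC 3849 documentation ranges) are assumptions made for illustration.

```nftables
# Constructed example: gateway with one public IPv4 address and a routed IPv6 /64.
# wan0 / lan0 and every address below are placeholders.

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # IPv4 behind NAT: a single public address, so each internal SSH
        # host has to be given its own external port.
        iifname "wan0" tcp dport 2201 dnat to 192.168.1.11:22
        iifname "wan0" tcp dport 2202 dnat to 192.168.1.12:22
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}

table inet filter {
    chain forward {
        # Default deny: nothing inbound is forwarded unless listed below.
        type filter hook forward priority filter; policy drop;

        ct state invalid drop
        ct state established,related accept
        iifname "lan0" oifname "wan0" accept

        # IPv4: permit only the two flows translated by the DNAT rules above.
        iifname "wan0" ip daddr { 192.168.1.11, 192.168.1.12 } tcp dport 22 accept

        # IPv6: no port juggling, each host keeps port 22 on its own address.
        # Only the named hosts are reachable; the rest of the /64 stays closed.
        iifname "wan0" ip6 daddr { 2001:db8:1::11, 2001:db8:1::12 } tcp dport 22 accept

        # The blanket form the message cautions about would be:
        #   iifname "wan0" tcp dport 22 accept
        # which exposes port 22 on every internal host to login attempts.
    }
}
```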