[Info-vax] implementing IPv6 on the internet

[David Froble]

Dirk Munk wrote:
> David Froble wrote:
>> Dirk Munk wrote:
>>> Chris wrote:
>>>> On 09/21/16 12:00, Richard Levitte wrote:
>>>>
>>>>>
>>>>> No.  NAT was never designed for network security, but
>>>> can be used as a cheap'n'dirty piece of shit firewall.
>>>>>
>>>>> With IPv6, you'll have to do firewalling for real.
>>>>>
>>>>> Cheers,
>>>>> Richard
>>>>
>>>> Just another opinion and whatever it was originally designed for,
>>>> it's turned out to be quite a sound and cost effective solution
>>>> to the problem.
>>>>
>>>> With IPV6, just what is meant by "firewalling for real" ?...
>>>>
>>>> Regards,
>>>>
>>>> Chris
>>>>
>>>>
>>>
>>> I've explained that already. By default IPv6 access from the internet
>>> is blocked on a CE router.
>>>
>>> If you want to allow access to an IPv6 device on your LAN, you have to
>>> configure on your router access to that IPv6 address *and* to the
>>> appropriate ports.
>>>
>>> With IPv4 you have to route a port number on the WAN port of your
>>> router to an IPv4 address and port on the LAN. (port forwarding)
>>>
>>> No real difference.
>>
>> I'm not anti-IPv6, just as I'm not anti-quadword.  But from a practical
>> perspective, I have to ask, how many people, organizations, etc; behind
>> a IPv4 NAT router really need the extended address space.  Right now, as
>> you state, you can forward any ports to any device on today's NAT
>> routers.  So, what's the rush, for this issue anyway, for IPv6?
> 
> There are no more IPv4 addresses available on the internet. The internet 
> can only expand with IPv6. If you want to connect to such a server, you 
> will need IPv6.

You avoid the question.  Yes, maybe IPv6 to get to my NAT router.  But inside, I 
cannot imagine using all the address space available to me.  How many cannot say 
that?

> You don't want tu use dual stack for a long time, so the sooner we can 
> say goodbye to IPv4, the better.

Sounds like we're into the chores ....

>> Now, where I do see a problem, and IPv6 will not address it if I
>> understand it correctly, is that if some device can be accessed from
>> outside, and it's not so secure, it's inside your router and can get at
>> the rest of the devices on the internal network.
> 
> No, you can't get to the rest of the devices. You can only get to the 
> devices that you have enabled on your router. Besides that, there are 
> more then 4 billion x 4 billion possible addresses on one subnet.

Bullshit!  If someone can get to one device, and somehow from that device get to 
other nodes on the in-house network, that is a problem.

You seem to do a good job at avoiding topics that don't fit what you're trying 
to push ....