[Info-vax] implementing IPv6 on the internet
David Froble
davef at tsoft-inc.com
Wed Sep 21 16:44:31 EDT 2016
Dirk Munk wrote:
> David Froble wrote:
>> Dirk Munk wrote:
>>> Chris wrote:
>>>> On 09/21/16 12:00, Richard Levitte wrote:
>>>>
>>>>>
>>>>> No. NAT was never designed for network security, but
>>>>> can be used as a cheap'n'dirty piece of shit firewall.
>>>>>
>>>>> With IPv6, you'll have to do firewalling for real.
>>>>>
>>>>> Cheers,
>>>>> Richard
>>>>
>>>> Just another opinion and whatever it was originally designed for,
>>>> it's turned out to be quite a sound and cost effective solution
>>>> to the problem.
>>>>
>>>> With IPv6, just what is meant by "firewalling for real" ?...
>>>>
>>>> Regards,
>>>>
>>>> Chris
>>>>
>>>>
>>>
>>> I've explained that already. By default IPv6 access from the internet
>>> is blocked on a CE router.
>>>
>>> If you want to allow access to an IPv6 device on your LAN, you have to
>>> configure on your router access to that IPv6 address *and* to the
>>> appropriate ports.
>>>
>>> With IPv4 you have to route a port number on the WAN port of your
>>> router to an IPv4 address and port on the LAN. (port forwarding)
>>>
>>> No real difference.
>>
>> I'm not anti-IPv6, just as I'm not anti-quadword. But from a practical
>> perspective, I have to ask, how many people, organizations, etc., behind
>> an IPv4 NAT router really need the extended address space. Right now, as
>> you state, you can forward any ports to any device on today's NAT
>> routers. So, what's the rush, for this issue anyway, for IPv6?
>
> There are no more IPv4 addresses available on the internet. The internet
> can only expand with IPv6. If you want to connect to such a server, you
> will need IPv6.

You avoid the question. Yes, maybe IPv6 to get to my NAT router. But inside, I
cannot imagine using all the address space available to me. How many cannot say
that?

> You don't want to use dual stack for a long time, so the sooner we can
> say goodbye to IPv4, the better.

Sounds like we're into the chores ....

>> Now, where I do see a problem, and IPv6 will not address it if I
>> understand it correctly, is that if some device can be accessed from
>> outside, and it's not so secure, it's inside your router and can get at
>> the rest of the devices on the internal network.
>
> No, you can't get to the rest of the devices. You can only get to the
> devices that you have enabled on your router. Besides that, there are
> more than 4 billion x 4 billion possible addresses on one subnet.

Bullshit! If someone can get to one device, and somehow from that device get to
other nodes on the in-house network, that is a problem.

You seem to do a good job at avoiding topics that don't fit what you're trying
to push ....
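
The two positions argued above (inbound IPv6 blocked by default with a pinhole per address and port, and the worry that an exposed device can reach the rest of the internal network) written out as an nftables forward policy. This is an added example, not part of the original post; the interface names (wan0, lan0, dmz0), the 2001:db8 documentation address and the choice to put the exposed server on its own segment are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example. Assumed names, not taken from the thread:
#   wan0 = uplink, lan0 = internal LAN, dmz0 = segment for the exposed server
#   2001:db8:0:2::10 = placeholder (documentation prefix) for that server

table inet edge {
    chain forward {
        # Default deny: anything not matched below is dropped.
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were allowed to start.
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 errors; IPv6 path MTU discovery depends on packet-too-big.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # Inside hosts may open connections to the internet.
        iifname { "lan0", "dmz0" } oifname "wan0" accept

        # The pinhole: one address *and* one port, as described in the thread.
        iifname "wan0" oifname "dmz0" ip6 daddr 2001:db8:0:2::10 tcp dport 443 accept

        # LAN hosts may reach the server, e.g. to administer it.
        iifname "lan0" oifname "dmz0" accept

        # The server may not open connections into the LAN. The policy would
        # drop this anyway; the explicit rule adds a counter so attempts show
        # up in "nft list ruleset".
        iifname "dmz0" oifname "lan0" counter drop
    }
}
```

If the exposed server sat on lan0 instead, only the pinhole rule would apply to it: traffic between two hosts on the same link is never forwarded by the router, so this chain would not see it.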