[Info-vax] implementing IPv6 on the internet

Jan-Erik Soderholm jan-erik.soderholm at telia.com
Wed Sep 21 17:06:25 EDT 2016


On 2016-09-21 at 22:44, David Froble wrote:
> Dirk Munk wrote:
>> David Froble wrote:
>>> Dirk Munk wrote:
>>>> Chris wrote:
>>>>> On 09/21/16 12:00, Richard Levitte wrote:
>>>>>
>>>>>>
>>>>>> No.  NAT was never designed for network security, but can be used
>>>>>> as a cheap'n'dirty piece of shit firewall.
>>>>>>
>>>>>> With IPv6, you'll have to do firewalling for real.
>>>>>>
>>>>>> Cheers,
>>>>>> Richard
>>>>>
>>>>> Just another opinion and whatever it was originally designed for,
>>>>> it's turned out to be quite a sound and cost effective solution
>>>>> to the problem.
>>>>>
>>>>> With IPV6, just what is meant by "firewalling for real" ?...
>>>>>
>>>>> Regards,
>>>>>
>>>>> Chris
>>>>>
>>>>>
>>>>
>>>> I've explained that already. By default IPv6 access from the internet
>>>> is blocked on a CE router.
>>>>
>>>> If you want to allow access to an IPv6 device on your LAN, you have to
>>>> configure on your router access to that IPv6 address *and* to the
>>>> appropriate ports.
>>>>
>>>> With IPv4 you have to route a port number on the WAN port of your
>>>> router to an IPv4 address and port on the LAN. (port forwarding)
>>>>
>>>> No real difference.
>>>
>>> I'm not anti-IPv6, just as I'm not anti-quadword.  But from a practical
>>> perspective, I have to ask, how many people, organizations, etc; behind
>>> an IPv4 NAT router really need the extended address space.  Right now, as
>>> you state, you can forward any ports to any device on today's NAT
>>> routers.  So, what's the rush, for this issue anyway, for IPv6?
>>
>> There are no more IPv4 addresses available on the internet. The internet
>> can only expand with IPv6. If you want to connect to such a server, you
>> will need IPv6.
>
> You avoid the question.  Yes, maybe IPv6 to get to my NAT router.  But
> inside, I cannot imagine using all the address space available to me.  How
> many cannot say that?
>
>> You don't want to use dual stack for a long time, so the sooner we can
>> say goodbye to IPv4, the better.
>
> Sounds like we're into the chores ....
>
>>> Now, where I do see a problem, and IPv6 will not address it if I
>>> understand it correctly, is that if some device can be accessed from
>>> outside, and it's not so secure, it's inside your router and can get at
>>> the rest of the devices on the internal network.
>>
>> No, you can't get to the rest of the devices. You can only get to the
>> devices that you have enabled on your router. Besides that, there are
>> more than 4 billion x 4 billion possible addresses on one subnet.
>
> Bullshit!  If someone can get to one device, and somehow from that device
> get to other nodes on the in-house network, that is a problem.

I guess that you with "get to" imply "log in to and get a command shell".

I guess that Dirk meant more like "reach a web server" or similar.

You are simply talking around each other.

>
> You seem to do a good job at avoiding topics that don't fit what you're
> trying to push ....
>
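
The two readings of "get to" in this thread can be put side by side in a small model of a CE router's stateful IPv6 forward filter. This is an added example, not part of the original messages; the addresses are constructed from the 2001:db8::/32 documentation prefix, and the `Router` class, `PINHOLES` table and verdict names are hypothetical.

```python
import ipaddress
from collections import namedtuple

# Constructed sample addresses (documentation prefix 2001:db8::/32).
LAN = ipaddress.ip_network("2001:db8:1::/64")
WEB_HOST = ipaddress.ip_address("2001:db8:1::10")    # device opened on the router
OTHER_HOST = ipaddress.ip_address("2001:db8:1::20")  # device never opened
OUTSIDE = ipaddress.ip_address("2001:db8:ffff::99")  # host on the internet side

# Hypothetical pinhole table: (LAN address, protocol, port) opened by the admin.
PINHOLES = {(WEB_HOST, "tcp", 443)}

Packet = namedtuple("Packet", "src dst proto sport dport")

class Router:
    """Stateful forward filter: default-deny inbound, allow outbound and replies."""
    def __init__(self):
        self.flows = set()  # reply tuples expected for outbound connections

    def verdict(self, p):
        src_in, dst_in = p.src in LAN, p.dst in LAN
        if src_in and dst_in:
            return "on-link"  # same subnet: delivered directly, this filter never sees it
        if src_in:
            self.flows.add((p.dst, p.src, p.proto, p.dport, p.sport))
            return "accept"   # outbound: remember the reply we expect
        if not dst_in:
            return "drop"     # neither end is on the LAN
        if (p.src, p.dst, p.proto, p.sport, p.dport) in self.flows:
            return "accept"   # reply to a connection opened from inside
        if (p.dst, p.proto, p.dport) in PINHOLES:
            return "accept"   # address *and* port were opened
        return "drop"         # everything else arriving from the internet

def demo():
    r = Router()
    return {
        "pinhole": r.verdict(Packet(OUTSIDE, WEB_HOST, "tcp", 50000, 443)),
        "same host, other port": r.verdict(Packet(OUTSIDE, WEB_HOST, "tcp", 50000, 22)),
        "unopened host": r.verdict(Packet(OUTSIDE, OTHER_HOST, "tcp", 50000, 443)),
        "outbound": r.verdict(Packet(OTHER_HOST, OUTSIDE, "tcp", 40000, 443)),
        "reply": r.verdict(Packet(OUTSIDE, OTHER_HOST, "tcp", 443, 40000)),
        "lan to lan": r.verdict(Packet(WEB_HOST, OTHER_HOST, "tcp", 41000, 22)),
    }

if __name__ == "__main__":
    print(demo())
```

The first five verdicts are the perimeter rule; the last one shows that traffic between two hosts in the same /64 is outside what that rule decides, so it needs host firewalls or LAN segmentation.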



