[Info-vax] implementing IPv6 on the internet

Dirk Munk munk at home.nl
Wed Sep 21 17:43:42 EDT 2016


David Froble wrote:
> Dirk Munk wrote:
>> David Froble wrote:
>>> Dirk Munk wrote:
>>>> Chris wrote:
>>>>> On 09/21/16 12:00, Richard Levitte wrote:
>>>>>
>>>>>>
>>>>>> No.  NAT was never designed for network security, but
>>>>>> can be used as a cheap'n'dirty piece of shit firewall.
>>>>>>
>>>>>> With IPv6, you'll have to do firewalling for real.
>>>>>>
>>>>>> Cheers,
>>>>>> Richard
>>>>>
>>>>> Just another opinion and whatever it was originally designed for,
>>>>> it's turned out to be quite a sound and cost effective solution
>>>>> to the problem.
>>>>>
>>>>> With IPV6, just what is meant by "firewalling for real" ?...
>>>>>
>>>>> Regards,
>>>>>
>>>>> Chris
>>>>>
>>>>>
>>>>
>>>> I've explained that already. By default IPv6 access from the internet
>>>> is blocked on a CE router.
>>>>
>>>> If you want to allow access to an IPv6 device on your LAN, you have to
>>>> configure on your router access to that IPv6 address *and* to the
>>>> appropriate ports.
>>>>
>>>> With IPv4 you have to route a port number on the WAN port of your
>>>> router to an IPv4 address and port on the LAN. (port forwarding)
>>>>
>>>> No real difference.
>>>
>>> I'm not anti-IPv6, just as I'm not anti-quadword.  But from a practical
>>> perspective, I have to ask, how many people, organizations, etc., behind
>>> an IPv4 NAT router really need the extended address space?  Right now, as
>>> you state, you can forward any ports to any device on today's NAT
>>> routers.  So, what's the rush, for this issue anyway, for IPv6?
>>
>> There are no more IPv4 addresses available on the internet. The
>> internet can only expand with IPv6. If you want to connect to such a
>> server, you will need IPv6.
>
> You avoid the question.  Yes, maybe IPv6 to get to my NAT router.  But
> inside, I cannot imagine using all the address space available to me.
> How many cannot say that?

Everybody, if you use the 10.0.0.0 private address range. But that's not 
the point. You seem to assume that you can easily route messages from 
IPv6 (WAN) to IPv4 (LAN). That is not the case.

>
>> You don't want to use dual stack for a long time, so the sooner we can
>> say goodbye to IPv4, the better.
>
> Sounds like we're into the chores ....
>
>>> Now, where I do see a problem, and IPv6 will not address it if I
>>> understand it correctly, is that if some device can be accessed from
>>> outside, and it's not so secure, it's inside your router and can get at
>>> the rest of the devices on the internal network.
>>
>> No, you can't get to the rest of the devices. You can only get to the
>> devices that you have enabled on your router. Besides that, there are
>> more than 4 billion x 4 billion possible addresses on one subnet.
>
> Bullshit!  If someone can get to one device, and somehow from that
> device get to other nodes on the in-house network, that is a problem.

Like Jan-Erik wrote, I don't mean a system with interactive login. I 
mean systems like web servers, a NAS, etc. Furthermore, it is no 
different with IPv4.

>
> You seem to do a good job at avoiding topics that don't fit what you're
> trying to push ....
>
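
Added example, not part of the thread or any poster's own configuration: an nftables ruleset that puts the two cases discussed above side by side, IPv4 port forwarding through NAT and an IPv6 allow rule for one address and port under a default-deny forward policy. The interface names (wan0, lan0), the documentation addresses and port 443 are assumptions chosen for illustration.

```nftables
# Constructed values: wan0/lan0 are assumed interface names; the LAN web
# server is assumed to be 192.168.1.10 / 2001:db8:1::10 listening on 443.

table ip nat4 {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # IPv4 port forwarding: WAN port 443 is rewritten to the LAN host.
        iifname "wan0" tcp dport 443 dnat to 192.168.1.10:443
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Outbound IPv4 from the LAN shares the router's WAN address.
        oifname "wan0" masquerade
    }
}

table inet filter {
    chain forward {
        # Default deny for both address families.
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were opened from the LAN.
        ct state established,related accept
        ct state invalid drop

        # LAN to internet is allowed.
        iifname "lan0" oifname "wan0" accept

        # IPv4: only traffic that matched the DNAT rule above may enter.
        iifname "wan0" oifname "lan0" ct status dnat accept

        # IPv6: no translation step, so the rule names the host's global
        # address and the port explicitly. Every other LAN address stays
        # unreachable from the WAN because of the drop policy.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1::10 tcp dport 443 accept
    }
}
```

In both families the exposed host is the only inbound path; what that host can then reach on the LAN is governed by rules between LAN segments, which this ruleset does not define.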



