[Info-vax] implementing IPv6 on the internet

Dirk Munk munk at home.nl
Sat Sep 24 16:42:20 EDT 2016


Chris wrote:
> On 09/24/16 15:08, Dirk Munk wrote:
>
>>
>> Really? This will break SSL/TLS because there is a check on IP address.
>> When the DNS name and the IP address don't match the one on the
>> certificate, you will get a violation warning, and some browsers
>> refuse to connect altogether.
>
> Ok, so what happens when the dynamically assigned dhcp address
> from your V4 router changes, which can happen at any time?

It hasn't happened with my router for months.

> Same
> problem, no connection, according to the above scenario.

When in the middle of a session the IP address changes, of course the 
session gets disconnected. However usually that doesn't happen. If it 
would happen all the time, people would have that problem right now.

> Of course
> the client ip address isn't checked by itself, why should it?
> However, the remote node's address is, which makes sense from the
> point of view of security against remote node impersonation. I
> see that often here, when the remote ip address of a test system
> is changed, but only have to delete the entry in ~/.ssh/known_hosts
> to start over.

Yes, and with SSL the certificate becomes invalid. In your proposed NAT 
router setup, you wanted the router to replace the IP address of the 
remote system by its own address:

"The router doesn't have to ask those questions, as it already knows
that it is on a v6 network on the WAN side, having a V6 address from
the isp. Assuming the above, the router will always use v6 for its
dns request to the isp. The problem I can see with this is that
translating to the local V4 subnet, it may have to use a dummy v4 dns
value in its reply to the subnet node, perhaps by stripping off some
of the bits, or a hash function, but so long as the router keeps track
of that, it will work, much as tcp connections are tracked through
state tables."

>
> As I said, I'm not designing these routers. The top of the head idea
> was just brainstorming and even if it's wrong, there are obviously
> many ways to solve the problem. You said it's impossible, which is
> clearly untrue, since translating routers already exist according
> to another poster.

Yes, he's using static routing tables, receiving traffic for IPv4 
address X, and resending that traffic to IPv6 address Y. How do you want 
to achieve that with random addresses?

> Also, ISPs must be using them to translate between
> their backbone V6 feed and V4 subscribers. If that's incorrect, please
> explain why.

No they don't. There are two possibilities, the ISP is running dual 
stack (IPv4 & IPv6), or he's running carrier grade NAT, with IPv4 
traffic tunnelled through IPv6 tunnels between the CE router and the 
backbone router. No translation whatsoever.

IPv6 traffic is handled the normal way.

>
> All the docs I've read suggest that V4 and V6 will coexist for many
> years and that translators will be used at isp subscribers, together
> with NAT. You don't like that, sorry, but that's reality...
>

Yes, they will coexist for some time. However, no one wants to maintain 
a dual stack network for any longer than necessary, and no one wants to 
build applications that support two stacks for any longer than necessary.

So it's my guess many companies will go for the Facebook approach, IPv6 
only on the internal network, only dual stack systems for the internet 
facing systems.

> Regards,
>
> Chris
>
