[Info-vax] implementing IPv6 on the internet

Chris xxx.syseng.yyy at gfsys.co.uk
Sun Sep 25 10:41:29 EDT 2016


On 09/25/16 14:16, Dirk Munk wrote:
> Chris wrote:
>> On 09/25/16 08:22, Dirk Munk wrote:
>>
>>>
>>> No it does not, on the contrary. I'll try to explain this once more.
>>>
>>
>> I do understand that, but it offers nothing over current IPV4 practice
>> for many applications. V6 is not a panacea for every situation, even if
>> it can provide equivalent functionality using different methods.
>>
>> Security and firewalling are an interest area here and NAT based
>> isolation of subnets can be a very useful part of an overall security
>> strategy. Here, for example, we may have a minimum of two hardware
>> based firewall routers, each using NAT and DPI to provide filtering and
>> isolation for web, ftp and ssh external services. All three run in
>> isolated subnets on separate hardware interfaces. At the server end,
>> each service is virtualised into a zone (Jail for FreeBSD) and thus,
>> all three are isolated from each other and all other parts of the
>> internal network. Such a configuration provides a lot of flexibility
>> in terms of config options and all using low cost, well proven and off
>> the shelf kit. It's also quite secure, since none of the internal subnet
>> addresses are ever visible externally. Of course, anything can be
>> broken given enough time and effort, but making it very difficult for
>> a potential attacker to determine the internal network topology is a
>> significant asset.
>
> If devices never have to communicate over the internet, you can give
> them ULA IPv6 addresses only. Those are private addresses, just like
> IPv4 private addresses.
>
> In fact it is recommended to use ULA addresses for communicating between
> nodes on your own LAN.
>
> Since it is not even possible to use NAT to connect these devices to the
> internet, they are even more secure.
>

All well and good, but then we have:

>>
>> Perhaps misguided, but I see potential, real or not, global visibility
>> of the whole network to be a serious security risk in its own right, but
>> no doubt you will correct me on that :-).
>
> No, it is not. The whole internal network is not visible, unless your
> routers are set up to be part of the backbone of the internet, but that
> would be very unusual.
>

So the router becomes a single point of failure in security terms?
Whereas with NAT and subnetting, you can have an essentially infinite
number of layers in your security model.

Regards,

Chris
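A small model of the two addressing schemes the thread contrasts (IPv6 ULA versus RFC 1918 addresses behind NAT) and of the border filter that decides what may leave the site. This is an added example, not code from the thread or from either poster; the host addresses are constructed, and the 2001:db8::/32 documentation prefix stands in for a real global prefix.

```python
import ipaddress
from typing import Iterable

# Address blocks discussed in the thread: ULA (RFC 4193, fc00::/7) for
# IPv6 and the RFC 1918 private blocks for IPv4.
ULA = ipaddress.ip_network("fc00::/7")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def scope(addr: str) -> str:
    """Classify an address by the scope that matters at the site border."""
    a = ipaddress.ip_address(addr)
    if a.version == 6:
        if a in ULA:
            return "ula"
        if a.is_link_local:
            return "link-local"
        if a.is_loopback:
            return "loopback"
        return "global"
    if any(a in n for n in RFC1918):
        return "rfc1918"
    return "global"


def border_router_forwards(src: str, dst: str) -> bool:
    """Model of the border filter: traffic crosses the site boundary only
    when both endpoints carry globally routable addresses; ULA and RFC 1918
    sources or destinations are dropped at the edge."""
    return scope(src) == "global" and scope(dst) == "global"


def externally_reachable(host_addrs: Iterable[str]) -> list:
    """Return the subset of a host's addresses that a remote peer could
    address directly, i.e. those where only the border filter stands
    between the host and the internet."""
    return [a for a in host_addrs if scope(a) == "global"]


# Constructed sample: a dual-stack internal host with a ULA address, a
# link-local address, an RFC 1918 IPv4 address and one global IPv6 address
# (2001:db8::/32 is the documentation prefix, used here as a stand-in).
SAMPLE_HOST = ["fd12:3456:789a::10", "fe80::1", "192.168.1.10", "2001:db8:1::10"]

if __name__ == "__main__":
    print(externally_reachable(SAMPLE_HOST))
    print(border_router_forwards("fd12:3456:789a::10", "2001:db8:9::1"))
```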
