[Info-vax] implementing IPv6 on the internet

Dirk Munk munk at home.nl
Sun Sep 25 10:16:21 EDT 2016


Chris wrote:
> On 09/25/16 08:22, Dirk Munk wrote:
>
>>
>> No it does not, on the contrary. I'll try to explain this once more.
>>
>
> I do understand that, but it offers nothing over current IPV4 practice
> for many applications. V6 is not a panacea for every situation, even if
> it can provide equivalent functionality using different methods.
>
> Security and firewalling are an interest area here and NAT based
> isolation of subnets can be a very useful part of an overall security
> strategy. Here, for example, we may have a minimum of two hardware
> based firewall routers, each using NAT and DPI to provide filtering and
> isolation for web, ftp and ssh external services. All three run in
> isolated subnets on separate hardware interfaces. At the server end,
> each service is virtualised into a zone (Jail for FreeBSD) and thus,
> all three are isolated from each other and all other parts of the
> internal network. Such a configuration provides a lot of flexibility
> in terms of config options and all using low cost, well proven and off
> the shelf kit. It's also quite secure, since none of the internal subnet
> addresses are ever visible externally. Of course, anything can be
> broken given enough time and effort, but making it very difficult for
> a potential attacker to determine the internal network topology is a
> significant asset.

If devices never have to communicate over the internet, you can give 
them ULA IPv6 addresses only. Those are private addresses, just like 
IPv4 private addresses.

In fact it is recommended to use ULA addresses for communicating between 
nodes on your own LAN.

Since it is not even possible to use NAT to connect these devices to the 
internet, they are even more secure.

>
>
>> - With IPv6 you can regulate access by using the actual global IPv6
>> address of a device, plus the port numbers. If you have two web servers
>> on your LAN they both can be accessed over port 80 from the internet, no
>> need to use another port number on the WAN port of the router because
>> port 80 has already been taken. Very clear and straightforward, no need
>> for translations, and just as secure.
>
> Perhaps misguided, but I see potential, real or not, global visibility
> of the whole network to be a serious security risk in its own right, but
> no doubt you will correct me on that :-).

No, it is not. The whole internal network is not visible, unless your 
routers are set up to be part of the backbone of the internet, but that 
would be very unusual.

>
>>
>> - No, it is rare because these days most managers think in three month
>> periods, they have no long term vision.
>
> That's a sweeping generalisation and doesn't tally with my experience
> with a variety of companies. Most small and medium sized
> enterprises (probably the majority worldwide) only replace kit: a) where
> it can no longer be repaired or b) where the kit is incompatible with
> changing standards. That is, where they have no choice in the matter.
> I expect to get 5 years use at least out of kit here and some of it is
> much older. Businesses now are often cash strapped and make no
> investments into new kit until the last possible moment.  Of course,
> some of that is very short sighted and slows progress, but that's the
> way it is. No Luddite here either and embrace new tech all the time, but
> just don't find IPV6 all that absorbing at present.
>
>> - There was an Australian web hosting company with many organizations
>> behind one IPv4 address. One of those organizations was fraudulent, so
>> its IPv4 address was blocked, also blocking all other organizations.
>
> It's easy to pick a single extreme example.

Not extreme at all. Look at Carrier Grade NAT, one person misbehaves, 
his IPv4 address gets blocked, and hundreds of other users are blocked 
as well.

>
>>
>> - I really don't care about IPv4 and NAT, except for historical reasons.
>> NAT has nothing to offer me that IPv6 can't do in a more modern and
>> straightforward way.
>
> Fine if that's what you think, but I'm not convinced at this stage. Let
> the wealthy early adopters pay the price while all the bugs, the "unknown
> unknowns" security issues etc, get shaken out and the costs
> fall.
>
> This is an interesting debate, airing the issues increases visibility
> and understanding, so perhaps not a wasted effort. Relevant to VMS
> as well :-)...
>
> Regards,
>
> Chris
>
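
Added example, not part of the original thread: a small Python model of the two points debated above, namely that ULA (fc00::/7) hosts are kept off the internet by border filtering rather than NAT, and that a default-deny inbound policy keyed on (global address, port) lets two web servers both use port 80. All addresses are constructed: 2001:db8::/32 is the documentation prefix standing in for a site's global prefix, and fd12:3456:789a::/48 is a made-up ULA prefix.

```python
import ipaddress

# RFC 4193 unique local addresses; site border routers should not forward them.
ULA = ipaddress.ip_network("fc00::/7")

# Constructed inbound allow-list: one entry per (global address, port).
# No port translation is needed, so both servers keep port 80.
INBOUND_ALLOW = {
    (ipaddress.ip_address("2001:db8:0:1::80"), 80),  # web server A
    (ipaddress.ip_address("2001:db8:0:1::81"), 80),  # web server B
}


def is_ula(addr):
    """True if addr falls inside fc00::/7."""
    return ipaddress.ip_address(addr) in ULA


def inbound_verdict(dst, dport):
    """Verdict for a new connection arriving on the WAN side (default deny)."""
    dst = ipaddress.ip_address(dst)
    if dst in ULA:
        return "drop: ULA destination is filtered at the site border"
    if (dst, dport) in INBOUND_ALLOW:
        return "accept"
    return "drop: no rule"


def demo():
    """Run constructed sample connections through the policy."""
    samples = [
        ("2001:db8:0:1::80", 80),    # server A, allowed
        ("2001:db8:0:1::81", 80),    # server B, allowed on the same port
        ("2001:db8:0:1::81", 22),    # same host, port not opened
        ("2001:db8:0:1::99", 80),    # global address with no rule
        ("fd12:3456:789a::10", 80),  # ULA-only internal host
    ]
    return [(dst, port, inbound_verdict(dst, port)) for dst, port in samples]


if __name__ == "__main__":
    for dst, port, verdict in demo():
        print(f"{dst:>22} port {port:<3} -> {verdict}")
```

A globally addressed host with no matching rule is dropped just like the ULA host, so in this model reachability from outside depends on the filter policy and not on whether an address is translated.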
