[Info-vax] implementing IPv6 on the internet

Chris xxx.syseng.yyy at gfsys.co.uk
Sun Sep 25 08:57:22 EDT 2016


On 09/25/16 08:22, Dirk Munk wrote:

 >
 > No it does not, on the contrary. I'll try to explain this once more.
 >

I do understand that, but it offers nothing over current IPV4 practice
for many applications. V6 is not a panacea for every situation, even if
it can provide equivalent functionality using different methods.

Security and firewalling are an interest area here and NAT based
isolation of subnets can be a very useful part of an overall security
strategy. Here, for example, we may have a minimum of two hardware
based firewall routers, each using NAT and DPI to provide filtering and
isolation for web, ftp and ssh external services. All three run in
isolated subnets on separate hardware interfaces. At the server end,
each service is virtualised into a zone (Jail for FreeBSD) and thus,
all three are isolated from each other and all other parts of the
internal network. Such a configuration provides a lot of flexibility
in terms of config options and all using low cost, well proven and off
the shelf kit. It's also quite secure, since none of the internal subnet
addresses are ever visible externally. Of course, anything can be
broken given enough time and effort, but making it very difficult for
a potential attacker to determine the internal network topology is a
significant asset.


 > - With IPv6 you can regulate access by using the actual global IPv6
 > address of a device, plus the port numbers. If you have two web servers
 > on your LAN they both can be accessed over port 80 from the internet, no
 > need to use another port number on the WAN port of the router because
 > port 80 has already been taken. Very clear and straightforward, no need
 > for translations, and just as secure.

Perhaps misguided, but I see potential, real or not, global visibility
of the whole network to be a serious security risk in its own right, but
no doubt you will correct me on that :-).

 >
 > - No, it is rare because these days most managers think in three month
 > periods, they have no long term vision.

That's a sweeping generalisation and doesn't tally with my experience
with a variety of companies. Most small and medium sized
enterprises (probably the majority worldwide) only replace kit: a) where
it can no longer be repaired or b) where the kit is incompatible with
changing standards. That is, where they have no choice in the matter.
I expect to get 5 years use at least out of kit here and some of it is
much older. Businesses now are often cash strapped and make no
investments into new kit until the last possible moment. Of course,
some of that is very short sighted and slows progress, but that's the
way it is. No Luddite here either, and I embrace new tech all the time, but
just don't find IPV6 all that absorbing at present.

 > - There was an Australian web hosting company with many organizations
 > behind one IPv4 address. One of those organizations was fraudulent, so
 > its IPv4 address was blocked, also blocking all other organizations.

It's easy to pick a single extreme example.

 >
 > - I really don't care about IPv4 and NAT, except for historical reasons.
 > NAT has nothing to offer me that IPv6 can't do in a more modern and
 > straightforward way.

Fine if that's what you think, but I'm not convinced at this stage. Let
the wealthy early adopters pay the price while all the bugs, the "unknown
unknowns" security issues etc, get shaken out and the costs
fall.

This is an interesting debate, airing the issues increases visibility
and understanding, so perhaps not a wasted effort. Relevant to VMS
as well :-)...

Regards,

Chris
