[Info-vax] implementing IPv6 on the internet

Dirk Munk munk at home.nl
Sun Sep 25 11:53:11 EDT 2016


Chris wrote:
> On 09/25/16 14:16, Dirk Munk wrote:
>> Chris wrote:
>>> On 09/25/16 08:22, Dirk Munk wrote:
>>>
>>>>
>>>> No it does not, on the contrary. I'll try to explain this once more.
>>>>
>>>
>>> I do understand that, but it offers nothing over current IPV4 practice
>>> for many applications. V6 is not a panacea for every situation, even if
>>> it can provide equivalent functionality using different methods.
>>>
>>> Security and firewalling are an interest area here and NAT based
>>> isolation of subnets can be a very useful part of an overall security
>>> strategy. Here, for example, we may have a minimum of two hardware
>>> based firewall routers, each using NAT and DPI to provide filtering and
>>> isolation for web, ftp and ssh external services. All three run in
>>> isolated subnets on separate hardware interfaces. At the server end,
>>> each service is virtualised into a zone (Jail for FreeBSD) and thus,
>>> all three are isolated from each other and all other parts of the
>>> internal network. Such a configuration provides a lot of flexibility
>>> in terms of config options and all using low cost, well proven and off
>>> the shelf kit. It's also quite secure, since none of the internal subnet
>>> addresses are ever visible externally. Of course, anything can be
>>> broken given enough time and effort, but making it very difficult for
>>> a potential attacker to determine the internal network topology is a
>>> significant asset.
>>
>> If devices never have to communicate over the internet, you can give
>> them ULA IPv6 addresses only. Those are private addresses, just like
>> IPv4 private addresses.
>>
>> In fact it is recommended to use ULA addresses for communicating between
>> nodes on your own LAN.
>>
>> Since it is not even possible to use NAT to connect these devices to the
>> internet, they are even more secure.
>>
>
> All well and good, but then we have:
>
>>>
>>> Perhaps misguided, but I see potential, real or not, global visibility
>>> of the whole network to be serious security risk in its own right, but
>>> no doubt you will correct me on that :-).
>>
>> No, it is not. The whole internal network is not visible, unless your
>> routers are set up to be part of the backbone of the internet, but that
>> would be very unusual.
>>
>
> So the router becomes a single point of failure in security terms?
> Whereas with NAT and subnetting, you can have an essentially infinite
> number of layers in your security model.

I don't care if you put 1000 firewalls behind the router, and as I have 
explained over and over again, you can use subnets.

Your whole mindset is "I want to stay with IPv4". You can do that, but 
you will lose that battle in the end. And in between you're going to 
spend an awful lot of effort to keep away from IPv6.

Instead you should admit to yourself that IPv6 is the future, and that 
you have to migrate to IPv6, and at the same time keep older IPv4-only 
devices working.

A dual stack infrastructure will give you that possibility. You can 
start with your network design, IPv6 should be supported on your 
network. You have to make a number plan etc.

Then you can start adding IPv6 to each server, and building your 
applications with IPv6 next to IPv4. Many standard applications like 
databases already are IPv6 enabled.

As soon as two devices can use IPv6 to communicate with each other, they 
will do so.

In the end, when you don't need IPv4 any more, you can just switch it 
off, and remove the stack from your applications.

>
> Regards,
>
> Chris
>
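
As an added illustration, not code from the thread or from either poster, the address scopes the discussion turns on (ULA, link-local, RFC 1918 private IPv4, global) checked with Python's ipaddress module. The host inventory is constructed, and the LAN preference is a simplified form of the dual-stack rule stated above, not the full RFC 6724 selection procedure.

```python
import ipaddress

# Constructed inventory (not from the thread): each host's configured addresses.
HOSTS = {
    "db01": ["fd12:3456:789a:1::10", "10.0.1.10"],                      # ULA + RFC 1918 only
    "web01": ["2001:db8:1::80", "fd12:3456:789a:1::80", "192.0.2.80"],  # dual stack, reachable
    "mgmt": ["fe80::1%eth0"],                                           # link-local only
}

# Address scopes that are never routed on the public internet.
LOCAL_SCOPES = {
    "ula": [ipaddress.ip_network("fc00::/7")],                       # RFC 4193 unique local
    "link-local": [ipaddress.ip_network("fe80::/10"),
                   ipaddress.ip_network("169.254.0.0/16")],
    "rfc1918": [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("172.16.0.0/12"),
                ipaddress.ip_network("192.168.0.0/16")],
}


def classify(addr: str) -> str:
    """Return 'ula', 'link-local', 'rfc1918' or 'global' for one address string."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # strip a zone id such as %eth0
    for scope, nets in LOCAL_SCOPES.items():
        if any(ip in net for net in nets):
            return scope
    return "global"  # publicly routable; documentation ranges count as global here


def internet_exposed(addrs):
    """Addresses on which the host is reachable from outside without any NAT."""
    return [a for a in addrs if classify(a) == "global"]


def preferred_lan_address(addrs):
    """Simplified dual-stack rule: IPv6 before IPv4, local scope before global
    for on-LAN traffic, link-local as a last resort."""
    rank = {"ula": 0, "rfc1918": 0, "global": 1, "link-local": 2}

    def key(a):
        return (ipaddress.ip_address(a.split("%", 1)[0]).version == 4, rank[classify(a)])

    return sorted(addrs, key=key)[0]


def audit(hosts):
    """Per host: which addresses are internet-exposed and which to use on the LAN."""
    return {h: {"exposed": internet_exposed(a), "lan": preferred_lan_address(a)}
            for h, a in hosts.items()}
```

Running audit(HOSTS) shows db01 with no exposed addresses at all, which is the point made above about ULA-only hosts needing no NAT to stay unreachable.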