[BBLISA] Last night's IPv6 talk

Edward Ned Harvey bblisa3 at nedharvey.com
Thu May 13 08:25:05 EDT 2010


Even though I wasn't the organizer last night, I want to thank everyone who
showed up and participated.  I found it very informative and interesting,
and apparently so did many other people, reluctantly getting up to go home
after 9, for the sake of needing to go home *some* time.  ;-)

There were several points of interest I thought were valuable to stab a
little deeper into:

Even as ISPs roll out IPv6, they will not kill IPv4 anytime soon (not in
the next 5 yrs.)  So for now, that's the solution to the DNS problem.
Apple, MS, etc have plenty of time to work out the details of DNS
deployment, DHCPv6 and so on.  Someday, you might have to pay extra to have
IPv4 enabled on your network connection.

The references that I cited were:  Running IPv6, Iljitsch van Beijnum.  It's
good for an understanding of IPv6, but since it's like 5 yrs old, it's
out-of-date in terms of configuring IPv6 on your system.  Fortunately, that
doesn't matter at all, because nowadays, enabling IPv6 is trivial.

I could share it with anyone if they want, up to 2 weeks, if you happen to
have a kindle (or willing to use the mac or windows amazon kindle reader).
That should be enough to read the whole thing for all the interesting parts.
Also, I said it was $10.  Sorry, my mistake, it's $35 to buy.

I mentioned NAT-PMP.
http://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol

And I couldn't remember the name of IGD.
http://en.wikipedia.org/wiki/Internet_Gateway_Device_Protocol

These are protocols that allow a NAT IPv4 device to communicate with the
perimeter firewall, to auto-configure a hole through the firewall, to enable
inbound traffic, to support peer-to-peer traffic.  Today, these protocols
are not widely built into firewalls.  But some do support it.  Generally
speaking, professional level security appliances don't support it, but
hopefully that will become optional in the near future (and controllable via
system policy), because I feel it's a very valuable thing, to enable
peer-to-peer video conferences for example.

The thing that's nice about NAT-PMP and IGD is that the client must
explicitly request the hole opened at the perimeter firewall before it's
allowed in.  So this is an additional layer of security, above just your
software firewall.  Obviously, nobody feels very comfortable simply exposing
all their internal IPs to the Internet.  So this helps facilitate
communications without sacrificing security.

Today, if you want to do p2p, the recommendation would be IPv4, with one of
these.  Most p2p apps support it (skype, bit torrent, and many H323 or SIP
clients, etc).  The question that remains is whether or not your perimeter
firewall supports it.

Moving forward, if you have world routable IPv6 addresses, there's no need
for NAT and hence no need for NAT-PMP or IGD.  However.  As mentioned
before, the only security that NAT offers you is implicitly blocking inbound
unknown traffic.  Moving forward, the recommendation would be to still
enable the firewall to block inbound unknown traffic.  In which case, the
recommendation would be to use IPv6, *and* NAT-PMP or IGD, or the
alternative du jour.
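
As an added illustration of the request/response exchange described above (this is example code written for this archive page, not anything from the talk, the book or any gateway vendor): a small encoder/decoder for the NAT-PMP map-port messages as laid out in RFC 6886, together with a gateway-side handler that applies the kind of "system policy" the post hopes for before it honours a request. The policy values (minimum internal port, maximum lifetime), the refusal convention of answering with external port 0 and lifetime 0, and the fact that the mapping table is keyed on ports alone rather than on internal address plus port are simplifications chosen for the example.

```python
"""NAT-PMP (RFC 6886) map-port request/response codec plus a small gateway-side
policy check.  Added example (not the post's code); sample values constructed."""
import struct

NATPMP_VERSION = 0
OP_MAP_UDP = 1             # opcode 1: map a UDP port
OP_MAP_TCP = 2             # opcode 2: map a TCP port
RESULT_SUCCESS = 0
RESULT_NOT_AUTHORIZED = 2  # RFC 6886 result code "Not Authorized/Refused"

# Request:  version(1) opcode(1) reserved(2) internal port(2)
#           suggested external port(2) requested lifetime in seconds(4)
REQ_FMT = "!BBHHHI"
# Response: version(1) opcode|0x80(1) result(2) seconds since start of epoch(4)
#           internal port(2) mapped external port(2) granted lifetime(4)
RESP_FMT = "!BBHIHHI"


def build_map_request(opcode, internal_port, suggested_external_port, lifetime):
    """Client -> gateway: ask that <internal_port> be reachable from outside."""
    if opcode not in (OP_MAP_UDP, OP_MAP_TCP):
        raise ValueError("opcode must be OP_MAP_UDP or OP_MAP_TCP")
    return struct.pack(REQ_FMT, NATPMP_VERSION, opcode, 0,
                       internal_port, suggested_external_port, lifetime)


def parse_map_request(data):
    if len(data) != struct.calcsize(REQ_FMT):
        raise ValueError("malformed NAT-PMP map request")
    version, opcode, _reserved, internal, external, lifetime = struct.unpack(REQ_FMT, data)
    if version != NATPMP_VERSION or opcode not in (OP_MAP_UDP, OP_MAP_TCP):
        raise ValueError("unsupported NAT-PMP version or opcode")
    return {"opcode": opcode, "internal_port": internal,
            "suggested_external_port": external, "lifetime": lifetime}


def build_map_response(opcode, result, epoch, internal_port, external_port, lifetime):
    """Gateway -> client: same opcode with the high bit set, plus the verdict."""
    return struct.pack(RESP_FMT, NATPMP_VERSION, opcode | 0x80, result, epoch,
                       internal_port, external_port, lifetime)


def parse_map_response(data):
    if len(data) != struct.calcsize(RESP_FMT):
        raise ValueError("malformed NAT-PMP map response")
    version, opcode, result, epoch, internal, external, lifetime = struct.unpack(RESP_FMT, data)
    if version != NATPMP_VERSION or not opcode & 0x80:
        raise ValueError("not a NAT-PMP response")
    return {"opcode": opcode & 0x7F, "result": result, "epoch": epoch,
            "internal_port": internal, "external_port": external, "lifetime": lifetime}


# Constructed policy (not part of the RFC): what this gateway is willing to open.
POLICY = {"min_internal_port": 1024, "max_lifetime": 7200}


def gateway_handle(request, policy, mappings, epoch):
    """Gateway side.  `mappings` maps external port -> internal port and is
    mutated in place (a real gateway also keys on the internal address).
    Returns the 16-byte response the requesting client would receive."""
    req = parse_map_request(request)
    op, iport = req["opcode"], req["internal_port"]
    if req["lifetime"] == 0:                      # lifetime 0 == delete mapping
        for ext in [e for e, i in mappings.items() if i == iport]:
            del mappings[ext]
        return build_map_response(op, RESULT_SUCCESS, epoch, iport, 0, 0)
    if iport < policy["min_internal_port"]:       # policy: never expose low ports
        # Refusal carries external port 0 and lifetime 0 (convention chosen here).
        return build_map_response(op, RESULT_NOT_AUTHORIZED, epoch, iport, 0, 0)
    lifetime = min(req["lifetime"], policy["max_lifetime"])
    ext = req["suggested_external_port"] or iport
    while ext in mappings and mappings[ext] != iport:
        ext += 1                                  # suggestion taken: next free port
    mappings[ext] = iport
    return build_map_response(op, RESULT_SUCCESS, epoch, iport, ext, lifetime)


if __name__ == "__main__":
    table = {5060: 6000}   # constructed: external 5060 already owned by another mapping
    req = build_map_request(OP_MAP_UDP, 5060, 5060, 3600)
    print("request :", req.hex())
    print("response:", parse_map_response(gateway_handle(req, POLICY, table, 42)))
```

The refusal path is the point a defender cares about: the hole is opened only because an inside host asked for it, and the gateway still gets the last word on which ports and for how long.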

Not previously mentioned, the other security that NAT offers is internal
network roadmap masking.  That is, somebody outside has no way of knowing
your internal network topology or subnet ranges and possible router hops.

Believe it or not, IPv6 can be NAT'd if you want to.  (Though implementation
may be sparse or nonexistent right now.)  Many of the IETF idealists would
scoff at that as being sacrilegious and defeating the purpose, but you can
see how slowly things move when you're trying to be ideal.  If striving for
perfection, then critical components (DNS, DHCP) get left out by the time
you need to use them.  So, just as you can expect people to use DHCPv6
despite extremist objections, so you can expect some organizations to do
IPv6 NAT sometimes despite the extremist views of individuals in the IETF.
Specifically because they don't want to expose the internal network roadmap.

One thing that's cool is:  If you do NAT your IPv6, you have a very large
number of external IPs.  So you could do a one-to-one mapping of internal
IPs to external IPs, instead of the many-to-one mapping that's generally
used in IPv4.  Thus, you eliminate the p2p problems that IPv4 NAT has, and
you're still able to do NAT.
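
To make the one-to-one versus many-to-one contrast concrete, here is an added example (written for this page; it is not code from the talk or from any NAT implementation) that models both: an IPv6 prefix rewrite that keeps the host bits, so every internal address has exactly one external address and the inverse is unambiguous, beside the port-multiplexed IPv4 NAT where an inbound packet can only be delivered if some outbound flow or explicit mapping created a table entry first. The prefixes and hosts are constructed documentation values; whether the firewall then permits the inbound packet is, as the post says, a separate policy decision.

```python
"""One-to-one IPv6 NAT (stateless prefix rewrite) beside the many-to-one,
port-multiplexed IPv4 NAT it is contrasted with in the post.
Added example; prefixes and hosts are constructed documentation values."""
import ipaddress


class OneToOneNat6:
    """Every internal address gets its own external address: rewrite the prefix,
    keep the host bits.  Inbound is the exact inverse, so a packet from an outside
    peer has a definite internal destination even with no prior outbound flow."""

    def __init__(self, internal_prefix, external_prefix):
        self.internal = ipaddress.IPv6Network(internal_prefix)
        self.external = ipaddress.IPv6Network(external_prefix)
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("prefixes must be the same length for a 1:1 mapping")

    def _rewrite(self, addr, src, dst):
        a = ipaddress.IPv6Address(addr)
        if a not in src:
            raise ValueError(f"{a} is not inside {src}")
        host_bits = int(a) - int(src.network_address)      # low bits survive
        return ipaddress.IPv6Address(int(dst.network_address) + host_bits)

    def outbound(self, internal_addr):
        return str(self._rewrite(internal_addr, self.internal, self.external))

    def inbound(self, external_addr):
        return str(self._rewrite(external_addr, self.external, self.internal))


class ManyToOneNat4:
    """The usual IPv4 NAPT: many internal hosts share one external address and
    are told apart by a port the NAT picks.  Inbound packets are deliverable only
    when an outbound flow (or an explicit NAT-PMP/IGD mapping) made an entry."""

    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self._next_port = first_port
        self._by_ext_port = {}   # external port -> (internal ip, internal port)
        self._by_internal = {}   # (internal ip, internal port) -> external port

    def outbound(self, internal_ip, internal_port):
        key = (internal_ip, internal_port)
        if key not in self._by_internal:
            self._by_internal[key] = self._next_port
            self._by_ext_port[self._next_port] = key
            self._next_port += 1
        return self.external_ip, self._by_internal[key]

    def inbound(self, external_port):
        """(internal ip, port) if a mapping exists, else None: the unsolicited
        inbound packet has nowhere to go, which is the p2p problem of IPv4 NAT."""
        return self._by_ext_port.get(external_port)


if __name__ == "__main__":
    nat6 = OneToOneNat6("2001:db8:1::/48", "2001:db8:abcd::/48")
    ext = nat6.outbound("2001:db8:1:2::10")
    print("v6 1:1  :", "2001:db8:1:2::10", "->", ext, "->", nat6.inbound(ext))
    nat4 = ManyToOneNat4("203.0.113.5")
    print("v4 N:1  : inbound before any flow ->", nat4.inbound(40000))
    print("v4 N:1  :", nat4.outbound("10.0.0.7", 5060), "->", nat4.inbound(40000))
```

Note what the IPv6 case does and does not hide: the host bits pass through unchanged, so the external address still reveals per-host identity, while the internal prefix (the "roadmap" the post wants masked) is the only thing rewritten.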
