[BBLISA] Last night's IPv6 talk

Doug Hirsch dhirsch at pobox.com
Thu May 13 09:31:17 EDT 2010


Several used copies of the book Running IPv6 were available, as of
last night, from Amazon for about $5, shipping included.

I too thank everyone for an interesting talk.

Doug

On 5/13/10, Edward Ned Harvey <bblisa3 at nedharvey.com> wrote:
> Even though I wasn't the organizer last night, I want to thank everyone who
> showed up and participated.  I found it very informative and interesting,
> and apparently so did many other people, reluctantly getting up to go home
> after 9, for the sake of needing to go home *some* time.  ;-)
>
>
>
> There were several points of interest I thought were valuable to stab a
> little deeper into:
>
>
>
> Even as ISPs roll out IPv6, they will not kill IPv4 anytime soon (not in
> the next 5 yrs.)  So for now, that's the solution to the DNS problem.
> Apple, MS, etc have plenty of time to work out the details of DNS
> deployment, DHCPv6 and so on.  Someday, you might have to pay extra to have
> IPv4 enabled on your network connection.
>
>
>
> The references that I cited were:  Running IPv6, Iljitsch van Beijnum.  It's
> good for an understanding of IPv6, but since it's like 5 yrs old, it's
> out-of-date in terms of configuring IPv6 on your system.  Fortunately, that
> doesn't matter at all, because nowadays, enabling IPv6 is trivial.
>
>
>
> I could share it with anyone if they want, up to 2 weeks, if you happen to
> have a Kindle (or are willing to use the Mac or Windows Amazon Kindle reader).
> That should be enough to read the whole thing for all the interesting parts.
> Also, I said it was $10.  Sorry, my mistake, it's $35 to buy.
>
>
>
> I mentioned NAT-PMP.
> http://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol
>
> And I couldn't remember the name of IGD.
> http://en.wikipedia.org/wiki/Internet_Gateway_Device_Protocol
>
> These are protocols that allow a NAT IPv4 device to communicate with the
> perimeter firewall, to auto-configure a hole through the firewall, to enable
> inbound traffic, to support peer-to-peer traffic.  Today, these protocols
> are not widely built into firewalls.  But some do support it.  Generally
> speaking, professional level security appliances don't support it, but
> hopefully that will become optional in the near future (and controllable via
> system policy), because I feel it's a very valuable thing, to enable
> peer-to-peer video conferences for example.
>
>
>
> The thing that's nice about NAT-PMP and IGD is that the client must
> explicitly request the hole opened at the perimeter firewall before it's
> allowed in.  So this is an additional layer of security, above just your
> software firewall.  Obviously, nobody feels very comfortable simply exposing
> all their internal IP's to the Internet.  So this helps facilitate
> communications without sacrificing security.
>
>
>
> Today, if you want to do p2p, the recommendation would be IPv4, with one of
> these.  Most p2p apps support it (Skype, BitTorrent, and many H.323 or SIP
> clients, etc).  The question that remains is whether or not your perimeter
> firewall supports it.
>
>
>
> Moving forward, if you have world routable IPv6 addresses, there's no need
> for NAT and hence no need for NAT-PMP or IGD.  However, as mentioned
> before, the only security that NAT offers you is implicitly blocking inbound
> unknown traffic.  Moving forward, the recommendation would be to still
> enable the firewall to block inbound unknown traffic.  In which case, the
> recommendation would be to use IPv6, *and* NAT-PMP or IGD, or the
> alternative du-jour.
>
>
>
> Not previously mentioned, the other security that NAT offers is internal
> network roadmap masking.  That is, somebody outside has no way of knowing
> your internal network topology or subnet ranges and possible router hops.
>
>
>
> Believe it or not, IPv6 can be NAT'd if you want to.  (Though implementation
> may be sparse or nonexistent right now.)  Many of the IETF idealists would
> scoff at that as being sacrilegious and defeating the purpose, but you can
> see how slowly things move when you're trying to be ideal.  If striving for
> perfection, then critical components (DNS, DHCP) get left out by the time
> you need to use them.  So, just as you can expect people to use DHCPv6
> despite extremist objections, so you can expect some organizations to do
> IPv6 NAT sometimes despite the extremist views of individuals in the IETF.
> Specifically because they don't want to expose the internal network roadmap.
>
>
>
>
> One thing that's cool is:  If you do NAT your IPv6, you have a very large
> number of external IPs.  So you could do a one-to-one mapping of internal
> IPs to external IPs, instead of the many-to-one mapping that's generally
> used in IPv4.  Thus, you eliminate the p2p problems that IPv4 NAT has, and
> you're still able to do NAT.
>
>

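[Editor's addition, not part of either message above.]  The quoted
message describes NAT-PMP as the client explicitly asking the perimeter
device for a hole.  The script below, written for this page rather than
taken from the talk or the book, shows what that request actually looks
like on the wire per RFC 6886: the 2-byte external-address query, the
12-byte mapping request (lifetime 0 deletes a mapping), and the parser
for the gateway's 12- or 16-byte responses.  The gateway replies used to
exercise the parser are constructed inline, so it runs offline; the
gateway address 192.0.2.1 and the port numbers in the demo are
illustrative assumptions.

```python
"""Minimal NAT-PMP (RFC 6886) client helpers: build requests, parse replies.

Added example for the BBLISA IPv6 thread; not the talk's or the book's code.
"""
import socket
import struct
import ipaddress

NATPMP_PORT = 5351          # gateway listens here on UDP
OP_EXTERNAL_ADDRESS = 0
OP_MAP_UDP = 1
OP_MAP_TCP = 2
RESULT_CODES = {            # RFC 6886 section 3.5
    0: "Success",
    1: "Unsupported Version",
    2: "Not Authorized/Refused",
    3: "Network Failure",
    4: "Out of resources",
    5: "Unsupported opcode",
}


def build_external_address_request() -> bytes:
    # Vers=0, OP=0: "what is my public IPv4 address?"
    return struct.pack("!BB", 0, OP_EXTERNAL_ADDRESS)


def build_map_request(proto: str, internal_port: int,
                      external_port: int = 0, lifetime: int = 3600) -> bytes:
    """Ask the gateway to forward external_port -> internal_port.

    external_port 0 lets the gateway pick; lifetime 0 deletes the mapping
    (that is how a well-behaved client closes its own hole again).
    """
    op = {"udp": OP_MAP_UDP, "tcp": OP_MAP_TCP}[proto.lower()]
    # Vers, OP, Reserved(2), Internal Port(2), Suggested External Port(2),
    # Requested Lifetime in seconds(4)
    return struct.pack("!BBHHHI", 0, op, 0, internal_port, external_port, lifetime)


def parse_response(data: bytes) -> dict:
    """Decode a gateway reply; raises ValueError on anything malformed."""
    if len(data) < 8:
        raise ValueError("response too short")
    version, op, result_code, epoch = struct.unpack("!BBHI", data[:8])
    if version != 0:
        raise ValueError("unsupported NAT-PMP version %d" % version)
    if not op & 0x80:
        raise ValueError("opcode 0x%02x is a request, not a response" % op)
    out = {"opcode": op, "result_code": result_code,
           "result": RESULT_CODES.get(result_code, "Unknown"),
           "seconds_since_epoch": epoch}
    if op == 0x80 and len(data) >= 12:
        out["external_ip"] = str(ipaddress.IPv4Address(data[8:12]))
    elif op in (0x81, 0x82) and len(data) >= 16:
        internal, external, lifetime = struct.unpack("!HHI", data[8:16])
        out.update(internal_port=internal, external_port=external,
                   lifetime=lifetime, proto="udp" if op == 0x81 else "tcp")
    else:
        raise ValueError("unexpected opcode/length: 0x%02x/%d" % (op, len(data)))
    return out


def query_gateway(gateway_ip: str, request: bytes, timeout: float = 1.0) -> dict:
    """Send one request to the default gateway and parse the reply (network I/O)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (gateway_ip, NATPMP_PORT))
        data, _ = s.recvfrom(64)
    return parse_response(data)


# Constructed gateway replies (not captured traffic) used for the offline demo.
SAMPLE_ADDR_RESPONSE = struct.pack("!BBHI4s", 0, 0x80, 0, 1234,
                                   bytes([203, 0, 113, 5]))
SAMPLE_MAP_RESPONSE = struct.pack("!BBHIHHI", 0, 0x81, 0, 1234, 6881, 6881, 3600)
SAMPLE_REFUSED_RESPONSE = struct.pack("!BBHIHHI", 0, 0x82, 2, 1234, 22, 0, 0)


def demo() -> list:
    """Decode the constructed replies; returns the parsed records."""
    return [parse_response(SAMPLE_ADDR_RESPONSE),
            parse_response(SAMPLE_MAP_RESPONSE),
            parse_response(SAMPLE_REFUSED_RESPONSE)]


if __name__ == "__main__":
    print(build_map_request("udp", 6881, 6881, 3600).hex())
    for rec in demo():
        print(rec)
    # Against a real gateway (assumed address):
    # print(query_gateway("192.0.2.1", build_external_address_request()))
```

The refused sample is the case the quoted message cares about: an
appliance that implements the protocol but enforces policy answers
result code 2 rather than opening the hole, so a client can tell the
difference between "no NAT-PMP here" (timeout) and "not allowed".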