how-to block ads
|
eyetack
join:2002-09-05
Leicester, MA
 ·BroadVoice
 ·Charter Pipeline
| Re: IPv6 Consumer Routers ? There is the issue with having consumer-grade routers, but I've been giving this some thought and here's what I've arrived at.
IPv6 space is huge. If host-based security was even remotely trustworthy or easily configurable, then there'd be no need for a gateway, as it were. It'd be possible for a provider to line up their interface with a single /64 and be done with it. DSL and Cable modems would need their CPE limits released, however.
However, it's not a good idea to have fridges and thermostats and stuff (laugh now ... but they'll be IPv6 ready someday) on an opened network, even if the address is nearly impossible to guess randomly. Therefore, you'd still need to have a router in place. This is where it gets interesting: You'd either need to do some sort of smart bridging so the devices on the internal interface can share off the /64 on the front end, or you'd need some way to assign a /64 to the back end and have the router pick up on that. Then there's routing on the DSLAM/CMTS too.
I tend to think the latter of the two described scenarios is the better theory ... but the industry hasn't quite made up its mind what it wants to do. Maybe assigning a customer their own /64 for the backend wouldn't be such a bad approach to take. We have the technology ... but making it friendly and easy to use is another ballgame entirely.
--
-A.G.- | |
|  
justbits
More fiber than ATT can handle
Premium
join:2003-01-08
Chicago, IL
 ·AT&T Midwest
| Re: IPv6 Consumer Routers ? You're ignoring some important functions of IPv6. A link-local IPv6 address can be used to isolate IPv6 packets from being routed to the Internet. All IPv6 capable network interfaces automatically configure themselves with a IPv6 link-local address by default.
An IPv6 capable thermostat does not need to listen to IPv6 router advertisements and could ignore any site-local IPv6 configuration. If the IPv6 thermostat you buy does listen to IPv6 router advertisements, well the device manufacturer is supposed to provide a way to control access to the device (firewall, authentication).
Think of it like this: a device obtaining a link-local address can talk to other hosts that are on the same LAN (think Zeroconf, link-local IPv4 addresses like 169.x.x.x). A device configured to use site-local addresses would be using an IPv4 private-network (192.168.x.x, 10.x.x.x, 172.blah) similar address.
IPv6 devices are not required to listen to or participate in router advertisements. If a device ignores router advertisements and only deals with link-local addresses, that device would effectively be isolated on your home network. Someone would need to hack into a link-local interface on your router to get at your link-local thermostat.
So, if you really have to web surf from your IPv6 compatible fridge or your toaster, go ahead and buy one that listens to router advertisments. If you think you can't trust that IPv6 toaster or IPv6 fridge, then, yes, the weakest link in your security is your toaster or fridge. And again, it's up to the network admin or the customer to know what security policy they need and what security policy the device implements.
Yes, I agree that consumer routers are deficient by not providing good GUIs for firewalling IPv6, but with IPv6, it's not a requirement that a router protect every device on the network. 2^64 or even 2^48 is a lot of address space to protect! Sure, it would be a nice added value feature to be able to easily firewall new IPv6 hosts, but I'm saying it isn't a necessity if the IPv6 capable device just doesn't obtain an Internet routable IPv6 address in the first place. | |
| | | |
|
