| reply to Mersault
Re: IPv6 beta
said by Mersault: I wouldn't be surprised to find that as different devices within the home need to talk to each other that they don't just start giving IPs to parts of devices.

But that's what fe80::/10 is for... |
|
 rev join:2011-12-14 Toronto, ON |
said by squircle: But that's what fe80::/10 is for...

» tools.ietf.org/html/rfc3879 "Deprecating Site Local Addresses"
Heard there was a vote recently (Jan 2012) that was in favour of it, I read it in passing and am too lazy to get a citation, so grain of salt please.
I for one, do not want my smart shelves on a site-local address. |
|
| said by rev:
said by squircle: But that's what fe80::/10 is for...
» tools.ietf.org/html/rfc3879 "Deprecating Site Local Addresses"
Heard there was a vote recently (Jan 2012) that was in favour of it, I read it in passing and am too lazy to get a citation, so grain of salt please.
I for one, do not want my smart shelves on a site-local address.

You're right, however, RFC4291 (section 2.5.6) requires IPv6 devices to have link-local addresses. So you'd see why I'd propose that. If you have smart-home stuff (for example), there's no reason why they need globally-routable IPv6 addresses (and, really, I'd prefer my lights and security system etc. not to be globally accessible, but rather from a home automation controller with some authentication that is globally accessible). Just my opinion. |
|
 | Honestly, a dependency on private address space leads to lazy security. The difference between private addresses and a default deny firewall is not much, except I'll bet that in most instances the default deny firewall will be more secure. |
|
| Well, I'm not trying to say it's for security, but I don't really want to argue. I know it's an IPv4 mindset, but do things that will never communicate outside of the LAN really need globally-routable IP addresses?
I'll shut up now.  |
|
 | reply to Mersault
said by Mersault: Honestly, a dependency on private address space leads to lazy security. The difference between private addresses and a default deny firewall is not much, except I'll bet that in most instances the default deny firewall will be more secure.

Are you talking about a firewall on the router between the WAN and LAN, or individual FWs on each device? |
|
 | said by theboyk:
said by Mersault: Honestly, a dependency on private address space leads to lazy security. The difference between private addresses and a default deny firewall is not much, except I'll bet that in most instances the default deny firewall will be more secure.
Are you talking about a firewall on the router between the WAN and LAN, or individual FWs on each device?

Yes. |
|
 | Yes, to both? |
|
 | What's important is that you have a wall between the source of possible trouble and the destination where you don't want said trouble. One wall, two walls, where the wall is, doesn't matter.
The router is a choke point between you and the internet. So if you absolutely trust everything on your LAN side (including possibly weak WiFi) then a firewall on your router is going to be just as good as a firewall on each device. This is no different than IPv4. |
|
 | I'm more thinking of work where I have 40+ computers, 5 servers, 4 printers, etc. and right now I trust my Cisco (enterprise class) security device for that wall. And I'm just trying to figure out how to deal with IPv6 where all of these devices have accessible IPs. Don't want to manage firewalls on all the computers, and some devices, that wouldn't even be possible. Just starting to look into this whole thing, so lots to learn... |
|
 | Well, it's pretty simple. Block everything. Then, selectively open for only the traffic you know you want. The difference between a default-deny firewall and NAT - for security purposes - is nil. And I would argue that the firewall is superior in that it forces you to at least think about it and consider it. |
|
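The "block everything, then selectively open" policy from the posts above, written as an nftables forward chain for a Linux router (an added example, not from any poster and not a config for the devices named in this thread). The interface names wan0 and lan0 and the commented-out host rule are assumptions; the chain covers forwarded traffic only, not traffic addressed to the router itself.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny IPv6 forwarding at the WAN/LAN choke point.
# Assumptions: wan0 faces the ISP, lan0 faces the LAN, and LAN hosts hold
# globally routable addresses from the delegated prefix.

table ip6 lan_guard {
    chain forward {
        # Anything not matched below is dropped, so an unsolicited inbound
        # connection to a globally addressed LAN host never reaches it.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that LAN hosts opened themselves.
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may open new connections outward.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 errors that end-to-end IPv6 depends on; dropping
        # packet-too-big breaks path MTU discovery.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Selective opening, one rule per service you decided to expose.
        # The address is a placeholder from the documentation prefix.
        # iifname "wan0" ip6 daddr 2001:db8:0:10::25 tcp dport 443 accept
    }
}
```

Devices that cannot run their own firewall, such as printers, get the same inbound protection as any other host behind this chain.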
 | Hey Folks
Great discussion here, I especially appreciated "roast's" July 2011 post on Cisco config. Where and how do I request my IPv6 user credentials, when I signed up and asked for IPv6 I was given one PPPoE user name and password (an @dslinternet.ca) and only a /64 IPv6 address. It appears I require an hsiservice account and my /56 still.
I understand this is a beta so didn't expect them to have the details - just need to know where I should be asking?
Thanks
Steve |
|
 | TSI Joel set me up, thanks, I'm good to go
Now to test my rtr's and cfgs - Cisco 1841 w/DSL, Dlink 615 with original 3.2x firmware, and a Juniper SSG5
Thanks
Steve |
|
 brad join:2007-09-06 Etobicoke, ON |
said by scbenoit: Now to test my rtr's and cfgs - Cisco 1841 w/DSL, Dlink 615 with original 3.2x firmware, and a Juniper SSG5

I'd check for any newer firmware for the equipment mentioned above. |
|
 | reply to scbenoit
said by scbenoit: Now to test my rtr's and cfgs - Cisco 1841

I'd be interested in hearing how this goes. What are the details on your 1841? What IOS are you running, etc.?
I'm going to need to upgrade my 1841, which I haven't been super happy with, to support IPv6 and just trying to decide if I'm going to upgrade it or go with another security device (been thinking about switching back to a SonicWALL, but that's another story). |
|
 | reply to scbenoit
said by scbenoit: TSI Joel set me up, thanks, I'm good to go
Now to test my rtr's and cfgs - Cisco 1841 w/DSL, Dlink 615 with original 3.2x firmware, and a Juniper SSG5
Thanks
Steve

I've been pretty happy with my 1841 WIC1-ADSL setup. Very stable. Just wish I had an HWIC so I could get the higher DSL packages when they hit my area. -- Matt |
|
 TSI Gabe (Premium, VIP) join:2007-01-03 Chatham, ON | I've looked at getting HWICs as well for at home. But they are so damn expensive. Can't justify spending 500$ per card for home use... |
|
 | So, I put in a new (old) router last night (at home) - a D-Link DIR825 - and it seems to be running IPv6 quite well. It lacks an IPv6 firewall, so going to have to upgrade eventually, but for now, for testing, it's doing the trick.
Anyway - when I run the test-ipv6 tests, I get 10/10 and 10/10, but, when I test something like ipv6test.google.com, it says "no problems", but under that, it says "you don't have ipv6, but you shouldn't have problems with sites that add ipv6 support".
Can anyone explain what this means?
Thanks, Kristin. |
|
| Few things: Are you using a Mac? Latest Macs have basically broken IPv6 support. Apple would argue it's "working" in that IPv6 works and is rock solid, but the issue is how Apple chooses IPv6 vs IPv4 for connectivity. While the standard / accepted practice (in Windows 7 / Linux for example) is to favour IPv6 when present, Apple has chosen to implement a scheme whereby the first DNS record returned is the protocol used.
Second possibility: you're caching the IP from a previous lookup. Try flushing your DNS caches (router and computer) and try again. |
|
 | Good to know!
At home, all Macs (desktop/portables), various iOS devices and old Windows XP box (so, I'll run a test from there and compare the results). At work, which I'll be eventually rolling IPv6 out to, is 99% Macs (40+ desktop/portables/Xserves) & iOS devices, with only a handful of Windows machines.
So, that said, if a particular website was IPv6 only, then it would still work, correct (as IPv4 wouldn't be present for that connection), but in a situation with both IPv4 and IPv6, the Mac will default to IPv4? |
|