AVonGauss Premium Member join:2007-11-01 Boynton Beach, FL |
to magamiako
Re: [IPv6] Benefits of IPv6
said by magamiako: This is assuming you want to statically assign every single device.
The mechanics have been implemented for years. There is no need to statically assign anything.
said by magamiako: Implementing security in those devices *already exists*. Cisco and Juniper have had IPv6-capable devices for many years. I power my network with a Juniper SSG5, and before that I had a NetScreen 5GT (EOL'd in 2009) that had full IPv6 security and capabilities.
This would be a typical home gateway? I can run down to my local Walmart, Best Buy or Office Depot and pick one up?
said by magamiako: In fact, implementing proper security is easier than implementing NAT solutions.
Agreed, but you don't need a /56 in an IPv6 world to implement proper security either. You're wanting to tinker, and that's okay, but you don't need it for the tinkering you want to do.
said by magamiako: Regardless, this conversation is pointless to move forward until you read up on CCNA and JNCIA-Security certs.
Before throwing rocks, you may want to read back on some of your posts in this thread.
said by magamiako: I'm not reinventing the wheel here. The knowledge I'm explaining is *very* basic network design and management, and it's already been implemented. There is no real fundamental difference between v4 and v6 network design from a routing perspective EXCEPT the reduction in the usage of NAT technologies.
I will generally agree to this, but let's bring it back to the discussion at hand, which was the differences in deployment of IPv4 vs IPv6 by an ISP to a residential subscriber or even a small business (less than 50 employees). You were saying you needed a larger allocation, such as a /56, presumably to do certain things, and when asked such as what, we started to have a bit of a discussion. |
|
AVonGauss |
to voiptalk
Interesting, thanks for the link. Have any vendors shown interest or indications that they will provide an implementation that you are aware of? |
|
|
to AVonGauss
Keep in mind the term "small business" can include 250 employees. Though most people typically see a "small business" as 25/50 employees, depending on what they do.
Even then you may need multiple networks. Right now it's implemented with internal addressing and NAT. That's nearly impossible/difficult/highly discouraged with IPv6.
Not the least of which is say, having the ability to have "public wifi" at your place of business.
Because of that, you need multiple networks--period. You cannot do these things reasonably on a single /64. |
|
|
to AVonGauss
The only place I've seen reference to IPv6 Simple Security being implemented is in the just announced D-Link DHP-1565 router's user manual. See page 82: » ftp://ftp.dlink.cz/dhp/dhp-156 ··· 1003.pdf |
|
aefstoggaflm (Open Source Fan) Premium Member join:2002-03-04 Bethlehem, PA
|
to AVonGauss
said by AVonGauss:
  said by magamiako: Implementing security in those devices *already exists*. Cisco and Juniper have had IPv6-capable devices for many years. I power my network with a Juniper SSG5, and before that I had a NetScreen 5GT (EOL'd in 2009) that had full IPv6 security and capabilities.
  This would be a typical home gateway? I can run down to my local Walmart, Best Buy or Office Depot and pick one up?
Great question. I believe the answer to that question is a yes. |
|
AVonGauss Premium Member join:2007-11-01 Boynton Beach, FL
said by aefstoggaflm: Great question. I believe the answer to that question is a yes.
You must have better equipped local stores than I do here. What I was trying to point out is that while consumer targeted devices are starting to pick up IPv6 support, their level of support, especially in the area of being a security device, is basic or non-existent at this point. We can use iptables to get the job done, but I don't want to explain that to my next door neighbor. |
|
Avon:
Allow me to ask you this question. What do you consider a 'security' device?
Nearly all home gateways have built-in SPI firewalls and some devices even have built-in antivirus/Layer 7 support.
Just because an *EXISTING* home gateway *MAY NOT* have support for SPI and instead was relying on NAT tables for security *DOES NOT* mean that new devices won't come out that implement an SPI firewall. Nor does it preclude them from being added later to the system's firmware.
For that matter, configuration pages between the two can be made to look *identical*. And to your average home user who has NO experience working with SMB level hardware will still be able to do the same configuration they do now with NAT, with the exception of they will NOW be able to say "I want to run multiple xboxes in my house with Xbox Live and not have weird issues with having to forward ports." |
|
AVonGauss Premium Member join:2007-11-01 Boynton Beach, FL
AVonGauss, or even Aaron - Avon is just wrong.
said by magamiako: Allow me to ask you this question. What do you consider a 'security' device?
That's a great question. For this discussion, the same type of "comfort level" that people get from being behind a NAT based device. I know, that's a horrible definition, but most people look at their gateway as the first line of defense and that's not likely to change in an IPv6 world. And consumers or small businesses (generally, under 50 employees and no dedicated IT resources) generally don't want to have to think about it or even really configure it.
said by magamiako: Nearly all home gateways have built-in SPI firewalls and some devices even have built-in antivirus/Layer 7 support.
For IPv4.
said by magamiako: Just because an *EXISTING* home gateway *MAY NOT* have support for SPI and instead was relying on NAT tables for security *DOES NOT* mean that new devices won't come out that implement an SPI firewall. Nor does it preclude them from being added later to the system's firmware.
Many provide both services, for IPv4. |
|
And you really think large vendors are going to release devices without built-in firewalls for IPv6?
At this stage in the game there's little difference between a 'firewall' and a gateway device, for all intents and purposes.
There are routers without firewalls, but few firewalls without routers. You can put many firewalls in transparent operation but this is not default operation for any device I've worked with (includes ASA series Cisco and SRX/SSG gateways by Juniper).
Therefore, it's solidly reasonable to assume that pretty much every major vendor of home networking gear (Cisco, D-Link, Netgear) will provide some form of firewalling for IPv6 for at least a few of their existing devices with far more improved performance and support in newer devices.
* Also includes Sonicwall TZ-series services gateways. |
|
AVonGauss Premium Member join:2007-11-01 Boynton Beach, FL
said by magamiako: And you really think large vendors are going to release devices without built-in firewalls for IPv6?
They already have, I'm running one at home myself, made by D-Link.
said by magamiako: At this stage in the game there's little difference between a 'firewall' and a gateway device, for all intents and purposes.
Agreed.
said by magamiako: There are routers without firewalls, but few firewalls without routers. You can put many firewalls in transparent operation but this is not default operation for any device I've worked with (includes ASA series Cisco and SRX/SSG gateways by Juniper).
I still can't find those at my local store.
said by magamiako: Therefore, it's solidly reasonable to assume that pretty much every major vendor of home networking gear (Cisco, D-Link, Netgear) will provide some form of firewalling for IPv6 for at least a few of their existing devices with far more improved performance and support in newer devices.
I agree newer products will incorporate better security mechanisms for IPv6 in the future, even if the subscriber only has a /64 allocation. Mainstream suppliers, imho, are more likely to release new product revisions than to release free firmware upgrades that provide new features for existing products. |
|
|
I still don't quite get what you mean by 'security' mechanisms for IPv6?
The only thing that at its core is really needed is a decision on whether or not to forward a packet across the network. This can be handled in many different ways, the most basic is merely checking a policy/rule/state table to determine if the packet matches certain criteria and should be forwarded.
Anything else (IDS/IPS/Layer 7/Martian/Bogon/Enforcing standards operation/Network Scanning/Flood Protection) is pretty much extra and I expect will vary quite significantly depending on the target audience of the device. |
|
AVonGauss Premium Member join:2007-11-01 Boynton Beach, FL |
said by magamiako: I still don't quite get what you mean by 'security' mechanisms for IPv6?
One of the few benefits of our IPv4 NAT world with single IP allocation is that most home gateways reject or drop packets that they are not expecting or are not specifically configured to forward. The trick is not how to mechanically implement security, but rather how to present and implement it in a consumer friendly manner. |
|
|
|
The same way that it's done now? a web interface?
How would it be any different?
You have a default deny rule that you don't need to modify/expose via a web interface, and you give a web interface similar to the existing NAT interfaces today?
You expand the "DMZ" interface that most people have access to in their web gateways to be replaced with "Forward All traffic to $IP"; which can now be done with multiple IPs.
People already need to "static" their addresses to make these "DMZ" mechanisms work, and similar behavior can be done with IPv6.
At the end of the day, web interfaces can change VERY minimally to the end user. |
|
magamiako |
The big trick is handling SLAAC/and Privacy Extensions.
I've handled this in my network in a manner where I merely allow the port to the "entire network" regardless of the resulting destination address.
In this manner, any temporary address that any of my PCs generate will be able to solicit incoming connections on a "catch all" firewall rule. |
|
NetDog Premium Member join:2002-03-04 Hollywood, FL
to Wayne99021
Can everyone agree NAT is not a "security" mechanism/firewall/feature/function? Yes, it does act a little like a security function, but in truth it is a translation function and not a security function. I really hate seeing new users and younger people thinking NAT is a security function and thinking that is all they need. Then they look at IPv6 and say, "but where is the security?" I have been working in the IPv6 area for some time now and the NAT/Security issue is everyone's number one question. The internet has a lot of free stuff out there for people to read and learn about IPv6. Here are some resources for everyone.
» getipv6.info/index.php/E ··· out_IPv6
Also, if you're in Denver, the 2012 North American IPv6 Summit is April 9-11, 2012.
» www.rmv6tf.org/ |
|
|
It's very difficult getting this point across to people I'm afraid...which is the core of most of the argument I'm receiving from people when trying to explain the issue. |
|
AVonGauss Premium Member join:2007-11-01 Boynton Beach, FL
to NetDog
said by NetDog: Can everyone agree NAT is not a "security" mechanism/firewall/feature/function? Yes, it does act a little like a security function, but in truth it is a translation function and not a security function. I really hate seeing new users and younger people thinking NAT is a security function and thinking that is all they need. Then they look at IPv6 and say, "but where is the security?"
To most technically inclined people, no, it is not. However, for the average user it acts and quacks like a firewall, hence it's a security mechanism. On any consumer level gateway that I've looked at, the IPv6 side does not provide a comparable security mechanism, so it's up to the individual devices. Not to leave out the fact you may want some devices exposed, while others you do not, regardless of their own capabilities. |
|
|
Which consumer-level devices have you looked at with IPv6 interfaces?
If you're talking PFSense, it's been behind on IPv6 support for a long time. But you can accomplish this with utilizing 'ip6tables' which has the same rules as IPtables(v4). The only difference is that instead of 2 rules (one for prerouting/nat, the other for forwarding); you can now utilize only a forwarding rule to decide whether to allow the traffic through.
So in essence, it's easier to manage. |
|
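The forwarding decision described in the posts above (a default deny rule the user never sees, "forward all traffic to $IP" as the replacement for the DMZ checkbox, a port opened to the entire /64 so SLAAC privacy-extension addresses keep working, and a single forward rule instead of a NAT rule plus a forward rule) modelled in plain Python. This is an added example written for this thread, not code posted by anyone in it and not any vendor's firmware; the /64, the addresses and the port are constructed for the example.

```python
"""Stateful, default-deny IPv6 forwarding policy, modelled in plain Python.

Added example for this thread, not code from any post in it. It models the
one decision a gateway has to make per packet (forward it or not): consult
the state table, then the explicit allow list, otherwise drop. A "forward
all traffic to $IP" rule is just an allow rule with a /128 destination, and
an allow rule whose destination is the whole delegated /64 keeps working
when SLAAC privacy extensions rotate the host's address. Prefix, addresses
and port below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("2001:db8:1234:1::/64")  # assumed delegated /64


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class AllowRule:
    proto: str
    dport: int
    dst: ipaddress.IPv6Network  # /128 = one host, /64 = any address in the LAN

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto and pkt.dport == self.dport
                and ipaddress.ip_address(pkt.dst) in self.dst)


class Gateway:
    """Default deny inbound; stateful for LAN-initiated flows; explicit allows."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()  # 5-tuples of flows the LAN side started

    def forward(self, pkt: Packet) -> str:
        src_in_lan = ipaddress.ip_address(pkt.src) in LAN
        dst_in_lan = ipaddress.ip_address(pkt.dst) in LAN
        if src_in_lan and not dst_in_lan:
            # Outbound: allow and remember the flow so its replies can come back.
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if dst_in_lan and not src_in_lan:
            reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if reply_of in self.state:
                return "ACCEPT"  # reply to a flow the LAN opened
            if any(r.matches(pkt) for r in self.rules):
                return "ACCEPT"  # explicitly exposed service
        return "DROP"  # everything else, including traffic for other prefixes


def demo():
    """Run the same packets through a host-specific and a prefix-wide allow rule."""
    eui64 = "2001:db8:1234:1:211:22ff:fe33:4455"   # stable SLAAC address (constructed)
    temp = "2001:db8:1234:1:a1b2:c3d4:e5f6:7890"   # privacy-extension temporary address
    peer = "2001:db8:ffff::1"                      # some host on the Internet
    host_only = Gateway([AllowRule("tcp", 3074, ipaddress.ip_network(eui64 + "/128"))])
    prefix_wide = Gateway([AllowRule("tcp", 3074, LAN)])

    results = {}
    for name, gw in (("host_only", host_only), ("prefix_wide", prefix_wide)):
        # Unsolicited inbound SSH is dropped by default in both configurations.
        results[name + "_unsolicited_ssh"] = gw.forward(Packet(peer, eui64, "tcp", 40000, 22))
        # A LAN-initiated HTTPS flow is remembered and its reply is accepted.
        gw.forward(Packet(temp, peer, "tcp", 51000, 443))
        results[name + "_https_reply"] = gw.forward(Packet(peer, temp, "tcp", 443, 51000))
        # Inbound to the exposed port: the stable address works with both rules,
        # the temporary address only with the prefix-wide rule.
        results[name + "_game_to_eui64"] = gw.forward(Packet(peer, eui64, "tcp", 40001, 3074))
        results[name + "_game_to_temp"] = gw.forward(Packet(peer, temp, "tcp", 40002, 3074))
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:32} {v}")
```

The host-specific rule is the IPv6 equivalent of today's "DMZ host" setting and misses the temporary address as soon as the host rotates it; the prefix-wide rule trades that for exposing the port on every address in the /64, which is the cost of the catch-all approach.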
AVonGauss Premium Member join:2007-11-01 Boynton Beach, FL
2012-Feb-27 11:54 am
said by magamiako: Which consumer-level devices have you looked at with IPv6 interfaces? If you're talking PFSense, it's been behind on IPv6 support for a long time. But you can accomplish this with utilizing 'ip6tables' which has the same rules as IPtables(v4). The only difference is that instead of 2 rules (one for prerouting/nat, the other for forwarding); you can now utilize only a forwarding rule to decide whether to allow the traffic through. So in essence, it's easier to manage.
No, the average consumer is not running a device or computer using pfSense, nor do they have the knowledge or desire to learn iptables. I've said it many times already on this thread: when I say consumer level device I'm talking about the ones you can find at Walmart, Best Buy, Office Depot or your other favorite local store. |
|
|
And which of these has an IPv6 configuration interface? I have yet to see any and I regularly set up Linksys E-series devices for friends and family.
They might not have IPv6 configuration right now, but that doesn't mean as v6 becomes prevalent there won't be a firmware update which enables these GUIs.
You're making statements based on things that don't yet exist. I'm making statements on utilities and hardware that already exist and I've put into production use. |
|
AVonGauss Premium Member join:2007-11-01 Boynton Beach, FL
2012-Feb-27 12:05 pm
said by magamiako: And which of these has an IPv6 configuration interface? I have yet to see any and I regularly set up Linksys E-series devices for friends and family.
A quick Google search returns...
» support.netgear.com/app/ ··· -routers
» en.wikipedia.org/wiki/Co ··· _routers
» www.sixxs.net/wiki/Routers
... etc. |
|
NetDog Premium Member join:2002-03-04 Hollywood, FL |
to AVonGauss
said by AVonGauss: Not to leave out the fact you may want some devices exposed, while others you do not regardless of their own capabilities.
I can't agree with you more. I have this case going on in my house. I have 10 Cisco phones using callMGR express via IPv6. These phones are on a VLAN other than my main and they are using the FC00::/64 network. I am not an average user, I know. » en.wikipedia.org/wiki/Un ··· _address |
|
|
to AVonGauss
Some of those devices have no exposure to IPv6 in their GUIs. Some require extra utilities such as DD-WRT or OpenWRT.
Again, point out to me how or where a user would get confused over IPv6 configuration in their device that has nothing to do with the current tunnel fiasco that we deal with now? Assuming IPv6 native on the outside and inside interfaces?
Right now things are a bit confusing due to transition technologies. But really all it comes down to is the interface... |
|
magamiako |
to NetDog
said by NetDog:
  said by AVonGauss: Not to leave out the fact you may want some devices exposed, while others you do not regardless of their own capabilities.
  I can't agree with you more. I have this case going on in my house. I have 10 Cisco phones using callMGR express via IPv6. These phones are on a VLAN other than my main and they are using the FC00::/64 network. I am not an average user, I know. » en.wikipedia.org/wiki/Un ··· _address
How's a simultaneous GUA/ULA deployment work out? I know there's some RFCs out there that try to enforce preference of ULA to GUA, but I could see it being a problem in devices that don't currently implement that. Have you had any issues or concerns other than the fact that you'll have both GUA/ULA in DNS as well as dual policies? |
|
NetDog Premium Member join:2002-03-04 Hollywood, FL
2012-Feb-28 8:46 pm
On my home network I am using GUA or ULA per VLAN but not both. So I am not doing a simultaneous GUA/ULA deployment at my house. But there is concern about having both on the same network, yes. How does an app know to use the ULA versus the GUA?
Really the only spot I am using ULA is on my voice network, so no GUA is needed. But this works really well for me.
For the people that don't already know: ULA = Unique Local Address, GUA = Global Unicast Address. |
|
I believe there's an RFC on this but I can't find it...still searching. Found it: » tools.ietf.org/html/draf ··· evise-05 |
|
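The question in the two posts above (how does an application on a host that has both a GUA and a ULA pick which one to use, and what the linked draft actually does about it) can be answered by running the draft's rules. The draft linked above, draft-ietf-6man-rfc3484-revise, was later published as RFC 6724. Below is an added example written for this thread, not code from any post in it and not any operating system's implementation: a reduced version of the RFC 6724 default policy table and of the source and destination selection rules that decide the GUA/ULA question. The addresses are documentation and ULA prefixes chosen here as assumptions.

```python
"""Simplified RFC 6724 default address selection (the revision of RFC 3484).

Added example written for this thread; not code from any post in it. It
implements the default policy table plus source-selection rules 1, 6 and 8
and destination-selection rules 5, 6 and 8 of RFC 6724. That is enough to
show that a host with both a GUA and a ULA pairs ULA sources with ULA
destinations and GUA with GUA, that a peer publishing both in DNS is tried
on its GUA first, and that a ULA-only host (for instance a phone on a voice
VLAN) tries the peer's ULA first. Addresses are assumptions for the example.
"""
import ipaddress as ipa

# (prefix, precedence, label) from RFC 6724 section 2.1
POLICY = [(ipa.ip_network(p), prec, label) for p, prec, label in [
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
    ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12),
]]


def lookup(addr):
    """Longest-prefix match in the policy table -> (precedence, label)."""
    a = ipa.ip_address(addr)
    _, prec, label = max((row for row in POLICY if a in row[0]),
                         key=lambda row: row[0].prefixlen)
    return prec, label


def common_prefix_len(a, b):
    """Number of leading bits two IPv6 addresses share (used by rule 8)."""
    return 128 - (int(ipa.ip_address(a)) ^ int(ipa.ip_address(b))).bit_length()


def select_source(dst, sources):
    """Source selection: rule 1 (same address), 6 (matching label), 8 (longest prefix)."""
    dst_label = lookup(dst)[1]
    return max(sources, key=lambda s: (
        ipa.ip_address(s) == ipa.ip_address(dst),
        lookup(s)[1] == dst_label,
        common_prefix_len(s, dst),
    ))


def order_destinations(dsts, sources):
    """Destination ordering: rule 5 (matching label), 6 (precedence), 8 (longest prefix)."""
    def key(dst):
        src = select_source(dst, sources)
        prec, label = lookup(dst)
        return (lookup(src)[1] == label, prec, common_prefix_len(src, dst))
    return sorted(dsts, key=key, reverse=True)


# Constructed example network: an assumed GUA prefix and an assumed ULA prefix.
PEER_GUA = "2001:db8:1:2::20"
PEER_ULA = "fd12:3456:789a:2::20"
DUAL_HOST = ["2001:db8:1:1::10", "fd12:3456:789a:1::10"]   # GUA + ULA on one host
ULA_ONLY_HOST = ["fd12:3456:789a:3::10"]                    # e.g. a phone on a voice VLAN


def demo():
    return {
        "src_for_ula_peer": select_source(PEER_ULA, DUAL_HOST),
        "src_for_gua_peer": select_source(PEER_GUA, DUAL_HOST),
        "dual_host_tries_first": order_destinations([PEER_ULA, PEER_GUA], DUAL_HOST)[0],
        "ula_only_host_tries_first": order_destinations([PEER_GUA, PEER_ULA], ULA_ONLY_HOST)[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28} {v}")
```

The label rule (13 for fc00::/7, 1 for everything else global) is what keeps ULA paired with ULA; the precedence rule (40 for ::/0 against 3 for fc00::/7) is why a dual-addressed host still prefers a peer's GUA when both are in DNS, so keeping ULA to a VLAN that has no GUA, as described above, sidesteps the question entirely.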
to ctgreybeard
said by ctgreybeard:
  said by AVonGauss:
    said by Mike Wolf: I know it supports 6rd tunnel manual and automatic because that's what I'm using with HE, and I know it supports IPv6 automatic.
  Are you sure that's not 6in4 instead of 6rd?
  My E3200 only supports 6rd manually configured or automatic. IPv6 Automatic mode doesn't connect to Comcast's network so I take that to mean it doesn't support 6in4. There is supposed to be a firmware update in March so maybe that will then allow 6in4.
Well, March came and went without any updates or changes, and even the new EA line of routers has the same limited IPv6 settings. |
|
RR Conductor (Ridin' the rails) Premium Member join:2002-04-02 Redwood Valley, CA |
This is what my Asus RT-N66U has for IPv6-
- Disable
- Native
- Native with DHCP
- Tunnel 6to4
- Tunnel 6in4
- Tunnel 6rd
I'm running a 6in4 Tunnel via Hurricane Electric. |
2012-Apr-10 4:42 am |
I was referring to the Cisco Linksys E and EA routers. |
|
|
to AVonGauss
FYI - An item on the FierceTelecom site today about IPv6 security issues: "IPv6 security a growing concern as Blue Coat, Akamai note malware, exploits" by Samantha Bookman, FierceTelecom - April 11, 2012
» www.fiercetelecom.com/st ··· 12-04-11 |
|