AVonGauss
Premium Member
join:2007-11-01
Boynton Beach, FL

AVonGauss to magamiako

Premium Member

to magamiako

Re: [IPv6] Benefits of IPv6

said by magamiako:

This is assuming you want to statically assign every single device.

The mechanics have been implemented for years.

There is no need to statically assign anything.
said by magamiako:

Implementing security in those devices *already exists*. Cisco and Juniper have had IPv6-capable devices for many years. I power my network with a Juniper SSG5, and before that I had a NetScreen 5GT (EOL'd in 2009) that had full IPv6 security and capabilities.

This would be a typical home gateway? I can run down to my local Walmart, Best Buy or Office Depot and pick one up?
said by magamiako:

In fact, implementing proper security is easier than implementing NAT solutions.

Agreed, but you don't need a /56 in an IPv6 world to implement proper security either. You're wanting to tinker, and that's okay, but you don't need it for the tinkering you want to do.
said by magamiako:

Regardless, this conversation is pointless to move forward until you read up on CCNA and JNCIA-Security certs.

Before throwing rocks, you may want to read back on some of your posts in this thread.
said by magamiako:

I'm not reinventing the wheel here. The knowledge I'm explaining is *very* basic network design and management, and it's already been implemented. There is no real fundamental difference between v4 and v6 network design from a routing perspective EXCEPT the reduction in the usage of NAT technologies.

I will generally agree to this, but let's bring it back to the discussion at hand, which was the differences in deployment of IPv4 vs IPv6 by an ISP to a residential subscriber or even a small business (less than 50 employees). You were saying you needed a larger allocation, such as a /56, presumably to do certain things, and when asked such as what, we started to have a bit of a discussion.
AVonGauss

AVonGauss to voiptalk

Premium Member

to voiptalk
said by voiptalk:

IPv6 Simple Security for Residential CPE: »tools.ietf.org/html/rfc6092

Interesting, thanks for the link. Have any vendors shown interest or indications that they will provide an implementation that you are aware of?
magamiako
join:2006-01-14
Irvine, CA

magamiako to AVonGauss

Member

to AVonGauss
Keep in mind the term "small business" can include 250 employees. Though most people typically see a "small business" as 25/50 employees, depending on what they do.

Even then you may need multiple networks. Right now it's implemented with internal addressing and NAT. That's nearly impossible/difficult/highly discouraged with IPv6.

Not the least of which is say, having the ability to have "public wifi" at your place of business.

Because of that, you need multiple networks--period. You cannot do these things reasonably on a single /64.
voiptalk
join:2010-04-10
Gainesville, VA
MikroTik RB750G
Cisco DPC3941

voiptalk to AVonGauss

Member

to AVonGauss
The only place I've seen reference to IPv6 Simple Security being implemented is in the just announced D-Link DHP-1565 router's user manual.

See page 82: »ftp://ftp.dlink.cz/dhp/dhp-156 ··· 1003.pdf

aefstoggaflm
Open Source Fan
Premium Member
join:2002-03-04
Bethlehem, PA
Linksys E4200
ARRIS SB6141

aefstoggaflm to AVonGauss

Premium Member

to AVonGauss
said by AVonGauss:

said by magamiako:

Implementing security in those devices *already exists*. Cisco and Juniper have had IPv6-capable devices for many years. I power my network with a Juniper SSG5, and before that I had a NetScreen 5GT (EOL'd in 2009) that had full IPv6 security and capabilities.

This would be a typical home gateway? I can run down to my local Walmart, Best Buy or Office Depot and pick one up?

Great question.

I believe the answer to that question is a yes.
AVonGauss
Premium Member
join:2007-11-01
Boynton Beach, FL

1 recommendation

AVonGauss

Premium Member

said by aefstoggaflm:

Great question.

I believe the answer to that question is a yes.

You must have better equipped local stores than I do here. What I was trying to point out is while consumer targeted devices are starting to pick up IPv6 support, their level of support especially in the area of being a security device is basic or non-existent at this point. We can use iptables to get the job done, but I don't want to explain that to my next door neighbor.
magamiako
join:2006-01-14
Irvine, CA

1 recommendation

magamiako

Member

Avon:

Allow me to ask you this question. What do you consider a 'security' device?

Nearly all home gateways have built-in SPI firewalls and some devices even have built-in antivirus/Layer 7 support.

Just because an *EXISTING* home gateway *MAY NOT* have support for SPI and instead was relying on NAT tables for security *DOES NOT* mean that new devices won't come out that implement an SPI firewall. Nor does it preclude them from being added later to the system's firmware.

For that matter, configuration pages between the two can be made to look *identical*. And your average home user who has NO experience working with SMB level hardware will still be able to do the same configuration they do now with NAT, with the exception that they will NOW be able to say "I want to run multiple xboxes in my house with Xbox Live and not have weird issues with having to forward ports."
AVonGauss
Premium Member
join:2007-11-01
Boynton Beach, FL

1 recommendation

AVonGauss

Premium Member

said by magamiako:

Avon:

AVonGauss or even Aaron - Avon is just wrong.
said by magamiako:

Allow me to ask you this question. What do you consider a 'security' device?

That's a great question. For this discussion, the same type of "comfort level" that people get from being behind a NAT based device. I know, that's a horrible definition, but most people look at their gateway as the first line of defense and that's not likely to change in an IPv6 world. And consumers or small businesses (generally, under 50 employees and no dedicated IT resources) generally don't want to have to think about it or even really configure it.
said by magamiako:

Nearly all home gateways have built-in SPI firewalls and some devices even have built-in antivirus/Layer 7 support.

For IPv4.
said by magamiako:

Just because an *EXISTING* home gateway *MAY NOT* have support for SPI and instead was relying on NAT tables for security *DOES NOT* mean that new devices won't come out that implement an SPI firewall. Nor does it preclude them from being added later to the system's firmware.

Many provide both services, for IPv4.
magamiako
join:2006-01-14
Irvine, CA

1 edit

magamiako

Member

And you really think large vendors are going to release devices without built-in firewalls for IPv6?

At this stage in the game there's little difference between a 'firewall' and a gateway device, for all intents and purposes.

There are routers without firewalls, but few firewalls without routers. You can put many firewalls in transparent operation but this is not default operation for any device I've worked with (includes ASA series Cisco and SRX/SSG gateways by Juniper).

Therefore, it's solidly reasonable to assume that pretty much every major vendor of home networking gear (Cisco, D-Link, Netgear) will provide some form of firewalling for IPv6 for at least a few of their existing devices with far more improved performance and support in newer devices.

* Also includes Sonicwall TZ-series services gateways.
AVonGauss
Premium Member
join:2007-11-01
Boynton Beach, FL

1 recommendation

AVonGauss

Premium Member

said by magamiako:

And you really think large vendors are going to release devices without built-in firewalls for IPv6?

They already have, I'm running one at home myself, made by D-Link.
said by magamiako:

At this stage in the game there's little difference between a 'firewall' and a gateway device, for all intents and purposes.

Agreed.
said by magamiako:

There are routers without firewalls, but few firewalls without routers. You can put many firewalls in transparent operation but this is not default operation for any device I've worked with (includes ASA series Cisco and SRX/SSG gateways by Juniper).

I still can't find those at my local store.
said by magamiako:

Therefore, it's solidly reasonable to assume that pretty much every major vendor of home networking gear (Cisco, D-Link, Netgear) will provide some form of firewalling for IPv6 for at least a few of their existing devices with far more improved performance and support in newer devices.

I agree newer products will incorporate better security mechanisms for IPv6 in the future, even if the subscriber only has a /64 allocation. Mainstream suppliers, imho, are more likely to release new product revisions than releasing free firmware upgrades that provide new features for existing products.
magamiako
join:2006-01-14
Irvine, CA

magamiako

Member

I still don't quite get what you mean by 'security' mechanisms for IPv6?

The only thing that at its core is really needed is a decision on whether or not to forward a packet across the network. This can be handled in many different ways, the most basic is merely checking a policy/rule/state table to determine if the packet matches certain criteria and should be forwarded.

Anything else (IDS/IPS/Layer 7/Martian/Bogon/Enforcing standards operation/Network Scanning/Flood Protection) is pretty much extra and I expect will vary quite significantly depending on the target audience of the device.
AVonGauss
Premium Member
join:2007-11-01
Boynton Beach, FL

AVonGauss

Premium Member

said by magamiako:

I still don't quite get what you mean by 'security' mechanisms for IPv6?

One of the few benefits of our IPv4 NAT world with single IP allocation is most home gateways reject or drop packets that they are not expecting or are specifically configured to forward. The trick is not how to mechanically implement security, but rather how to present and implement it in a consumer friendly manner.
magamiako
join:2006-01-14
Irvine, CA

magamiako

Member

The same way that it's done now? A web interface?

How would it be any different?

You have a default deny rule that you don't need to modify/expose via a web interface, and you give a web interface similar to the existing NAT interfaces today?

You expand the "DMZ" interface that most people have access to in their web gateways to be replaced with "Forward All traffic to $IP"; which can now be done with multiple IPs.

People already need to "static" their addresses to make these "DMZ" mechanisms work, and similar behavior can be done with IPv6.

At the end of the day, web interfaces can change VERY minimally to the end user.
magamiako

magamiako

Member

The big trick is handling SLAAC/and Privacy Extensions.

I've handled this in my network in a manner where I merely allow the port to the "entire network" regardless of the resulting destination address.

In this manner, any temporary address that any of my PCs generate will be able to solicit incoming connections on a "catch all" firewall rule.

NetDog
Premium Member
join:2002-03-04
Hollywood, FL

1 recommendation

NetDog to Wayne99021

Premium Member

to Wayne99021
Can everyone agree NAT is not a "security" mechanism/firewall/feature/function? Yes it does act a little like a security function, but in truth it is a translation function and not a security function. I really hate seeing new users and younger people thinking NAT is a security function and thinking that is all they need. Then they look at IPv6 and say but where is the security?

I have been working in the IPv6 area for sometime now and the NAT/Security issue is everyone's number one question.

The internet has a lot of free stuff out there for people to read and learn about IPv6. Here are some resources for everyone.

»getipv6.info/index.php/E ··· out_IPv6

Also, if you're in Denver, the 2012 North American IPv6 Summit is April 9-11, 2012. »www.rmv6tf.org/
magamiako
join:2006-01-14
Irvine, CA

magamiako

Member

It's very difficult getting this point across to people I'm afraid...which is the core of most of the argument I'm receiving from people when trying to explain the issue.
AVonGauss
Premium Member
join:2007-11-01
Boynton Beach, FL

1 recommendation

AVonGauss to NetDog

Premium Member

to NetDog
said by NetDog:

Can everyone agree NAT is not a "security" mechanism/firewall/feature/function? Yes it does act a little like a security function, but in truth it is a translation function and not a security function. I really hate seeing new users and younger people thinking NAT is a security function and thinking that is all they need. Then they look at IPv6 and say but where is the security?

To most technically inclined people, no, it is not. However, for the average user it acts and quacks like a firewall, hence it's a security mechanism. Any consumer level gateway that I've looked at, the IPv6 side does not provide a comparable security mechanism, so it's up to the individual devices. Not to leave out the fact you may want some devices exposed, while others you do not, regardless of their own capabilities.
magamiako
join:2006-01-14
Irvine, CA

magamiako

Member

Which consumer-level devices have you looked at with IPv6 interfaces?

If you're talking PFSense, it's been behind on IPv6 support for a long time. But you can accomplish this with utilizing 'ip6tables' which has the same rules as IPtables(v4). The only difference is that instead of 2 rules (one for prerouting/nat, the other for forwarding); you can now utilize only a forwarding rule to decide whether to allow the traffic through.

So in essence, it's easier to manage.
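As an added example (not code posted by anyone in this thread), the following POSIX shell function emits an ip6tables-restore ruleset in the shape magamiako describes above and in the SLAAC/privacy-extensions post: a default-deny FORWARD chain with one stateful rule per allowed service instead of a NAT rule plus a forwarding rule, and the service rules open each port to the whole LAN /64 so hosts whose privacy-extension addresses change are still reachable. The interface names, the 2001:db8:1::/64 prefix and the service list are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate (not apply) an ip6tables-restore ruleset for a
# single-/64 home gateway. Feed the output to `ip6tables-restore` on a box
# that actually routes; nothing here touches the running firewall.

# gen_ip6_rules WAN_IF LAN_IF LAN_PREFIX [proto:port ...]
gen_ip6_rules() {
    wan="$1"; lan="$2"; prefix="$3"; shift 3
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    # Default deny: anything not matched below is dropped, no NAT table needed.
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Replies to connections the LAN started are always allowed back in.
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # ICMPv6 carries path-MTU discovery and error reports; dropping it breaks
    # IPv6 in ways NAT never did. A production ruleset would narrow this to
    # the message types RFC 4890 recommends.
    echo "-A FORWARD -i $wan -o $lan -p icmpv6 -d $prefix -j ACCEPT"
    # Anything the LAN sends toward the Internet is allowed out.
    echo "-A FORWARD -i $lan -o $wan -s $prefix -j ACCEPT"
    # Catch-all service rules: one line per proto:port, matched against the
    # whole prefix rather than a single host, so SLAAC temporary addresses
    # need no per-host entry. Only NEW connections need an explicit rule.
    for svc in "$@"; do
        proto="${svc%%:*}"; port="${svc#*:}"
        case "$proto" in
            tcp|udp) ;;
            *) echo "bad service spec: $svc" >&2; return 1 ;;
        esac
        echo "-A FORWARD -i $wan -o $lan -p $proto -d $prefix --dport $port" \
             "-m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of what the DROP policy is about to discard, so a
    # "why can't I reach my box" question can be answered from syslog.
    echo "-A FORWARD -i $wan -o $lan -m limit --limit 6/min" \
         "-j LOG --log-prefix \"v6-fwd-drop: \""
    echo 'COMMIT'
}

# Convenience check: how many catch-all service rules a ruleset contains.
count_service_rules() {
    grep -c -- '--dport'
}

# Example run with constructed values: SSH and the Xbox Live UDP port.
gen_ip6_rules eth0 br0 2001:db8:1::/64 tcp:22 udp:3074
```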
AVonGauss
Premium Member
join:2007-11-01
Boynton Beach, FL

AVonGauss

Premium Member

said by magamiako:

Which consumer-level devices have you looked at with IPv6 interfaces?

If you're talking PFSense, it's been behind on IPv6 support for a long time. But you can accomplish this with utilizing 'ip6tables' which has the same rules as IPtables(v4). The only difference is that instead of 2 rules (one for prerouting/nat, the other for forwarding); you can now utilize only a forwarding rule to decide whether to allow the traffic through.

So in essence, it's easier to manage.

No, the average consumer is not running a device or computer using pfSense, nor do they have the knowledge or desire to learn iptables. I've said it many times already on this thread: when I say consumer level device I'm talking about the ones you can find at Walmart, Best Buy, Office Depot or your other favorite local store.
magamiako
join:2006-01-14
Irvine, CA

magamiako

Member

And which of these has an IPv6 configuration interface? I have yet to see any and I regularly set up Linksys E-series devices for friends and family.

They might not have IPv6 configuration right now, but that doesn't mean as v6 becomes prevalent there won't be a firmware update which enables these GUIs.

You're making statements based on things that don't yet exist. I'm making statements on utilities and hardware that already exist and I've put into production use.
AVonGauss
Premium Member
join:2007-11-01
Boynton Beach, FL

AVonGauss

Premium Member

said by magamiako:

And which of these has an IPv6 configuration interface? I have yet to see any and I regularly set up Linksys E-series devices for friends and family.

A quick Google search returns...

»support.netgear.com/app/ ··· -routers

»en.wikipedia.org/wiki/Co ··· _routers

»www.sixxs.net/wiki/Routers

... etc.

NetDog
Premium Member
join:2002-03-04
Hollywood, FL

NetDog to AVonGauss

Premium Member

to AVonGauss
said by AVonGauss:

Not to leave out the fact you may want some devices exposed, while others you do not regardless of their own capabilities.

I can't agree with you more. I have this case going on in my house. I have 10 Cisco phones using callMGR express via IPv6. These phones are on a vlan other than my main and they are using the FC00::/64 network. I am not an average user, I know.

»en.wikipedia.org/wiki/Un ··· _address
magamiako
join:2006-01-14
Irvine, CA

magamiako to AVonGauss

Member

to AVonGauss
Some of those devices have no exposure to IPv6 in their GUIs. Some require extra utilities such as DD-WRT or OpenWRT.

Again, point out to me how or where a user would get confused over IPv6 configuration in their device that has nothing to do with the current tunnel fiasco that we deal with now? Assuming IPv6 native on the outside and inside interfaces?

Right now things are a bit confusing due to transition technologies. But really all it comes down to is the interface...
magamiako

magamiako to NetDog

Member

to NetDog
said by NetDog:

said by AVonGauss:

Not to leave out the fact you may want some devices exposed, while others you do not regardless of their own capabilities.

I can't agree with you more. I have this case going on in my house. I have 10 Cisco phones using callMGR express via IPv6. These phones are on a vlan other than my main and they are using the FC00::/64 network. I am not an average user, I know.

»en.wikipedia.org/wiki/Un ··· _address

How's a simultaneous GUA/ULA deployment work out? I know there's some RFCs out there that try to enforce preference of ULA to GUA but I could see it being a problem in devices that don't currently implement that. Have you had any issues or concerns other than the fact that you'll have both GUA/ULA in DNS as well as dual policies?

NetDog
Premium Member
join:2002-03-04
Hollywood, FL

NetDog

Premium Member

On my home network I am using GUA or ULA per VLAN, but not both. So I am not doing a simultaneous GUA/ULA deployment at my house. But there is concern about having both on the same network, yes. How does an app know to use the ULA versus the GUA?

Really the only spot I am using ULA is on my voice network, so no GUA is needed. But this works really well for me.

For the people that don't already know:
Unique Local Address (ULA)
Global Unicast Address (GUA)
magamiako
join:2006-01-14
Irvine, CA

1 edit

magamiako

Member

I believe there's an RFC on this but I can't find it...still searching.

Found it:

»tools.ietf.org/html/draf ··· evise-05

Mike Wolf
join:2009-05-24
Tuckerton, NJ

1 recommendation

Mike Wolf to ctgreybeard

Member

to ctgreybeard
said by ctgreybeard:

said by AVonGauss:

said by Mike Wolf:

I know it supports 6rd tunnel manual and automatic because that's what I'm using with HE, and I know it supports IPv6 automatic.

Are you sure that's not 6in4 instead of 6rd?

My E3200 only supports 6rd manually configured or automatic. IPv6 Automatic mode doesn't connect to Comcast's network so I take that to mean it doesn't support 6in4. There is supposed to be a firmware update in March so maybe that will then allow 6in4.

Well March came and went without any updates or changes and even the new EA line of routers have the same limited IPv6 settings.

RR Conductor
Ridin' the rails
Premium Member
join:2002-04-02
Redwood Valley, CA

RR Conductor

Premium Member

This is what my Asus RT-N66U has for IPv6-

Disable
Native
Native with DHCP
Tunnel 6to4
Tunnel 6in4
Tunnel 6rd

I'm running a 6in4 Tunnel via Hurricane Electric.

Mike Wolf
join:2009-05-24
Tuckerton, NJ

1 edit

Mike Wolf

Member

I was referring to the Cisco Linksys E and EA routers.

telcodad
MVM
join:2011-09-16
Lincroft, NJ

telcodad to AVonGauss

MVM

to AVonGauss
FYI - An item on the FierceTelecom site today about IPv6 security issues:

IPv6 security a growing concern as Blue Coat, Akamai note malware, exploits
By Samantha Bookman, FierceTelecom - April 11, 2012
»www.fiercetelecom.com/st ··· 12-04-11