Streetlight
join:2005-11-07
Colorado Springs, CO

Streetlight to biomesh

Member

Re: [IPv6] World IPv6 Launch is coming in a few days...

said by biomesh:

Just because an address is visible to other hosts on the Internet doesn't necessarily make it vulnerable. Security through obscurity is not a good model. You would still need an IPv6 capable firewall to protect your devices.

That's why one needs a router, at least today. The router provides Stateful Packet Inspection in addition to Network Address Translation, to be sure incoming packets are meant for your local (home) network. This is true even if you only have one computer connected to the Internet. Presumably an IPv6 capable router will also provide this level of security. I'm not sure how a network with a router can handle multiple IPv6 addresses, one for each device attached to an intranet.

See the Wikipedia page regarding Stateful Packet Inspection:

»en.wikipedia.org/wiki/St ··· firewall

PGHammer
join:2003-06-09
Accokeek, MD

Member

True.

However, a router with SPI that is IPv6-hostile is also not a good thing going forward. That is why a router with SPI that is not deliberately (and unchangingly) IPv6-hostile is important going forward. Such routers exist today (even in the home userspace, from Cisco/Linksys, Netgear, D-Link, Buffalo, ASUS, and others) and there are even retrofits for a large number of older routers with common third-party chipsets (especially those from Broadcom).

The big issues for home users and IPv6 aren't at the computer level, amusingly enough. Microsoft Windows (retail since Windows XP Service Pack 2, and back-patchable back to Windows 2000 Service Pack 4) is IPv6-aware and dual-stack. (Yes - this *includes* Windows 8 to date.) Mac OS X since Leopard, and any Linux distribution with at least kernel 2.6, is also IPv6-aware/dual-stack.

An SPI *and* IPv6-capable router should also support DHCPv6-PD (to handle IPv6 routing chores) in tandem with the existing DHCPv4 capability inherent in any router. Fortunately, most existing IPv6-ready routers (and third-party firmware for older routers) do meet this recommendation. You should still check the documentation for both router and firmware to be sure.

SHoTTa35
@optonline.net

SHoTTa35 to Streetlight

Anon

I'm not sure how a network with a router can handle multiple IPv6 addresses, one for each device attached to an intranet.

An IPv6 router will be assigned a specific range of addresses called a /64 or /56 or however long your ISP decides.

Take a look here at the Linksys screenshot - perfect example:

»[IPv6] Evidence of Comcast IPv6 CPE Dual Stack (CPE and CPEPD)

You will be assigned a block of addresses, for example:

2601:c:x:x;x:x:x

Your router will then give all your other devices an address say:

2601:c:5601:AF:23:11:11
2601:c:5601:2B:43:1c:1F
2601:c:5601:23bf:a30c:f33e

Or whatever - Those aren't exact IP addresses but you get the idea. Your router will also have the IPv6 Firewall which will block scans/pokes and whatever else coming to your addresses unsolicited.

This is why it's important to have a good firewall for IPv6 and not just enable tunnels back to your network. Surely you can connect to IPv6 networks but without the support of a router or software firewall they can connect just as easily back to your system.
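
The delegated prefix and the unsolicited-traffic blocking discussed in the posts above, as an added example that is not part of the original thread: a small Python model of a router that splits a delegated /56 into /64 LAN subnets and applies stateful filtering with no NAT. The 2001:db8::/32 documentation prefix, the interface identifier, the ports and all function and class names are constructed for illustration and do not reflect any particular router's firmware.

```python
import ipaddress

# Constructed sample: a /56 from the IPv6 documentation range, standing in
# for the block an ISP would delegate to the home router.
DELEGATED = ipaddress.ip_network("2001:db8:5601:af00::/56")


def lan_prefixes(delegated, count):
    """Carve the first `count` /64 LAN subnets out of the delegated block."""
    subnets = delegated.subnets(new_prefix=64)
    return [next(subnets) for _ in range(count)]


def host_address(lan, interface_id):
    """Combine a /64 prefix with a 64-bit interface identifier."""
    return ipaddress.IPv6Address(int(lan.network_address) | interface_id)


class StatefulFilter:
    """Toy forward path: hosts keep global addresses, inbound is default-deny."""

    def __init__(self, delegated):
        self.delegated = delegated
        self.flows = set()  # (lan_ip, lan_port, remote_ip, remote_port)

    def outbound(self, src, sport, dst, dport):
        """A LAN host opens a connection: record the flow, then forward."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src not in self.delegated:
            return "drop"  # source is outside our delegated prefix
        self.flows.add((src, sport, dst, dport))
        return "accept"

    def inbound(self, src, sport, dst, dport):
        """Internet packet toward the LAN: accept only replies to a known flow."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return "accept" if (dst, dport, src, sport) in self.flows else "drop"


if __name__ == "__main__":
    lan = lan_prefixes(DELEGATED, 1)[0]
    laptop = host_address(lan, 0x23)
    fw = StatefulFilter(DELEGATED)
    print(lan, laptop)
    print(fw.outbound(laptop, 50000, "2001:db8:ffff::80", 443))
    print(fw.inbound("2001:db8:ffff::80", 443, laptop, 50000))  # reply
    print(fw.inbound("2001:db8:ffff::99", 40000, laptop, 22))   # unsolicited
```
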