
elwoodblues

reply to 34764170

Re: Status of ipv6 with Canadian ISP

I think this is where we are confused.

Yes, everything I have set up is with port forwarding. I'm getting the impression from you that with IPv6 you would just open up an entire server (and perhaps workstations) to the net, since there would be such a plethora of IP space.
--
No, I didn't. Honest... I ran out of gas. I... I had a flat tire. I didn't have enough money for cab fare. My tux didn't come back from the cleaners. An old friend came in from out of town. Someone stole my car. There was an earthquake.......



elwoodblues

reply to Steve

I don't confuse NAT with Firewall by any means.



Steve

reply to elwoodblues

said by elwoodblues:

I think this is where we are confused.

If you believe that running a standard, non-NAT, routed network is the same as being wide open to the internet, it's clearly you who are confused.

It's totally possible and straightforward to set up firewall rules that don't involve NAT but still provide the same level of protection you have with your NAT at home.

The thing is: it's not NAT that provides the security, it's the stateful inspection, and that same inspection is part of the non-NAT firewall.

Steve
--
Stephen J. Friedl | Unix Wizard | Security Consultant | Orange County, California USA | my web site

34764170

reply to elwoodblues

said by elwoodblues:

I think this is where we are confused.

Yes, everything I have set up is with port forwarding. I'm getting the impression from you that with IPv6 you would just open up an entire server (and perhaps workstations) to the net, since there would be such a plethora of IP space.

No, firewalls, whether in a business environment or at home, should have a default block-all policy. That results in the same behaviour as NAT, which "blocks" traffic since there is no mapping between the outside routable IP and the inside address(es) until port forwarding is implemented. I meant being able to apply pass/allow rules to a firewall to allow certain services to be accessible from the outside, which is functionally equivalent to using port forwarding, although with more flexibility since each device also has a routable address.

DSL_Ricer

reply to rogersmogers

said by rogersmogers:

What part of the internet can you not access?

Incoming connections to many mobile phones in Europe and Asia. Increasingly, regular internet subscribers too.
Certain forms of VPN also require unique source and destination IP address pairs, so two people/systems behind the same NAT can't connect to the same endpoint.
I'd assume that most NAT routers only support TCP, UDP and ICMP, so newer protocols would probably be unusable.


spock

reply to Bill C

said by Bill C:

TSI may be similar to Skyway West; we assign a /48 to each customer with multiple sites and a /64 to each network segment/site. From our perspective, a /64 is the new /24 (also known as a class C).

No, I have confirmed TekSavvy in the west assigns IPs from the same /64. Obviously it's just a beta, so I can only assume in the future they will at least give each user a whole /60 so they could have a few subnets of their own. I personally have wireless on one, IPTV on another and general internet on the last one. I currently do this all behind a NAT. With IPv6 there will be no NAT, so I will need a few subnets from my ISP. Giving a customer just one subnet, a /64, is silly. Sure, there are 2^64 IPs in a /64, but we need to start thinking that a /64 is the old IPv4 /24. I could manually subnet a /64, but from my understanding, to use all the current and future features of IPv6 the smallest I can go is a /64.

InvalidError

reply to stevey_frac

said by stevey_frac:

You can still get NAT levels of protection with public IPs.

People who believe NAT is magically more secure simply misunderstand why it is so. Stateful firewalling is an intrinsic prerequisite to NAT: you can't do NAT without stateful connection tracking to determine which packets belong to which LAN client.

As you said, stateful firewall on IPv6 is every bit as secure as NAT on IPv4: incoming connections get denied by default.
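The point made by 34764170 and InvalidError above (the stateful filter, not NAT, is what drops unsolicited inbound traffic, and on IPv6 an explicit pass rule does the job of a port-forward), shown as an added nftables ruleset that is not from the thread. The interface names eth0/eth1, the 192.168.1.0/24 LAN, the 2001:db8:1::/64 documentation prefix and the server addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): one nftables ruleset in which IPv4 uses
# NAT plus a DNAT port-forward while IPv6 uses a plain pass rule; the stateful
# forward chain is what protects both families. Constructed names: WAN eth0,
# LAN eth1, 192.168.1.0/24 inside, prefix 2001:db8:1::/64, web server on tcp/443.
WAN=eth0
LAN=eth1
V4_SERVER=192.168.1.80
V6_SERVER=2001:db8:1::80

# Emit the ruleset as text so it can be reviewed before `nft -f -` loads it.
gen_ruleset() {
  cat <<EOF
flush ruleset
# IPv4: NAT hides the LAN; the DNAT rule is the classic port-forward.
table ip nat {
  chain prerouting {
    type nat hook prerouting priority dstnat;
    iifname "$WAN" tcp dport 443 dnat to $V4_SERVER
  }
  chain postrouting {
    type nat hook postrouting priority srcnat;
    oifname "$WAN" masquerade
  }
}
# Both families: this stateful filter, not NAT, drops unsolicited inbound traffic.
table inet filter {
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "$LAN" oifname "$WAN" accept
    # IPv4: the DNATed port-forward still has to pass the filter.
    iifname "$WAN" ip daddr $V4_SERVER tcp dport 443 ct state new accept
    # IPv6: no NAT, so a pass rule to the host's own routable address does the
    # port-forward's job and can be repeated per host and per service.
    iifname "$WAN" ip6 daddr $V6_SERVER tcp dport 443 ct state new accept
    # ICMPv6 errors (e.g. Packet Too Big for PMTU discovery) must be forwarded.
    meta l4proto ipv6-icmp accept
  }
}
EOF
}

# Checks on the generated text: default-deny and stateful acceptance are present.
has_default_drop() { gen_ruleset | grep -q 'policy drop;'; }
has_stateful_accept() { gen_ruleset | grep -q 'ct state established,related accept'; }

gen_ruleset
```

Loading it is `gen_ruleset | nft -f -` on a router with nftables; the script itself only prints the ruleset.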


SimonJones
reply to spock

Allstream went live on IPv6 about 18 months ago.

»www.allstream.com/solutions/it-n···Pv6.html


mactalla

reply to paul248

said by paul248:

Are you sure that you're actually limited to a single IP, or can you grab any number of addresses as long as you participate in Neighbor Discovery?

If it's the latter, then you might be able to hack something together using 6relayd:

»github.com/sbyx/6relayd

Thanks for mentioning this. I just tried it out (same ISP as the OP). Either I've misconfigured something or their config can't handle more than 1 IP per PPPoE connection.

Watching both the WAN and LAN interfaces, I see the Router Advertisements get relayed. I don't actually see the Neighbour Solicitations/Advertisements relayed out to the WAN interface, even though I've asked 6relayd to relay it all, and machines on the LAN are getting IPs in the correct prefix. It is updating the routing table to accommodate the IPs on the LAN, and from the LAN I can ping either the LAN or WAN interface of the router. But when pinging out to the Net I see the echo requests go out but nothing entering the WAN port.

I expected to see the neighbour solicitation/advertisement relayed to the WAN. Not sure why I don't see that.