Hi,
I'm doing some general research into how IPv6 is currently provisioned by various ISPs, so thought I'd ask you all some questions. As background, I work for a small firewall developer that is looking at supporting IPv6 (finally), so understanding how it's used in practice sheds a lot more light than all those RFCs.
1. For native IPv6 (no tunnel), what sort of prefix are you allocated? I.e., do you get a combination of a /64 for the WAN, and a /48 DHCPv6-PD/Delegated prefix for your LANs? Or do you only get a single /64?
2. If you are assigned a dynamic prefix, how do you deal with security? Assume not all your PCs have an IPv6 firewall, so you need to firewall at the edge router. In particular:
a) Let's say you want to stop the kids' computers from using IRC, so you want to block tcp-6667 for their machines, but keep access for yours. Can you do that now? Do you force your machines to have static IPs/EUI-64 rather than dynamic "privacy-extension" IPs?
b) Let's say you want to host a small web site, and use a dynamic DNS client (to keep the DNS entry pointing to the correct IP). You need to open up inbound tcp-80 traffic to just your webserver and nothing else. Can you do that now? If so how do you deal with your server's IPv6 changing over time?
3. Probably not many/any are doing this, but if you have multiple sites on IPv6 linked over VPNs, what addressing scheme are you using for all the LANs on each site: Do you just use the IPv6 global prefixes assigned by the ISP, or do you use Unique Local Addresses (ULA)?
4. Is there something missing from your router's IPv6 support (aside from NAT) that you really wish it had?
Thanks for your time.