Thinking about IPv6

Do you think most of you will simply put your firewalls into bridge mode? I have been trying to wrap my head around how I am going to implement IPV6 on my client networks. I am not thrilled about having all of my devices naked and exposed on the internet, but IPv6 doesn't really use what we now think of as private networking. It will also take some getting used to putting routable IP addresses in my DHCP scope.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Turgon

it_consultant wrote: »

Do you think most of you will simply put your firewalls into bridge mode? I have been trying to wrap my head around how I am going to implement IPV6 on my client networks. I am not thrilled about having all of my devices naked and exposed on the internet, but IPv6 doesn't really use what we now think of as private networking. It will also take some getting used to putting routable IP addresses in my DHCP scope.

There is NAT for IPv6. Avoid IPv6 if you can for now. It is the work of the devil.

it_consultant

Last I read NAT for IPv6 was almost completely theoretical. Has an RFC been put forth that has changed that? That was the question that got me pondering, 'how am I going to segregate my networks from the public internet'? I don't have a problem with bridging firewalls, more or less I think that we are not taking this seriously enough as IT professionals. Our world is bound to change. We will probably go through an IT professional purge as people refuse or are incapable of learning IPv6.

networker050184

NAT isn't really providing you any security so it isn't a big deal IMO. I don't see why you would need to bridge the firewall either. You will just have public addresses on the inside and outside rather than private inside.

Priston

I've been looking for a home router I can use to play with IPv6. I wish these hardware vendors would advertise there stuff as IPv6 ready.

@ networker aren't FD00 private addresses?

Turgon

it_consultant wrote: »

Last I read NAT for IPv6 was almost completely theoretical. Has an RFC been put forth that has changed that? That was the question that got me pondering, 'how am I going to segregate my networks from the public internet'? I don't have a problem with bridging firewalls, more or less I think that we are not taking this seriously enough as IT professionals. Our world is bound to change. We will probably go through an IT professional purge as people refuse or are incapable of learning IPv6.

Cisco IOS IPv6 Configuration Guide, Release 12.4 - Implementing NAT-PT for IPv6 [Cisco IOS Software Releases 12.4 Mainline] - Cisco Systems

it_consultant

networker050184 wrote: »

NAT isn't really providing you any security so it isn't a big deal IMO. I don't see why you would need to bridge the firewall either. You will just have public addresses on the inside and outside rather than private inside.

I am assuming that my ISP is handling the actual routing, no need to route between my firewall and their device, might as well bridge.

it_consultant

Turgon wrote: »

Cisco IOS IPv6 Configuration Guide, Release 12.4 - Implementing NAT-PT for IPv6 [Cisco IOS Software Releases 12.4 Mainline] - Cisco Systems

I thought this might be what you were talking about after I questioned you. I figure I will run IPv6 inside my domain once the web becomes more IPv6 friendly making NAT-PT unnecessary. I am thinking that trying to tunnel or whatever to maintain IPv4 is going to be too much of a pain in the ass to do for a whole domain. Perhaps if we have legacy applications I will have one NIC IPv4 and one IPv6 or whatever, but its one of those things that I think will be best dove into head first and not looking back.

This is interesting - the original RFC for NAT-PT (or network address translation / protocol translation) is not recommended for use. Is Cisco recommending it anyway?

http://tools.ietf.org/html/rfc4966

MentholMoose

Just set the firewall to default deny, or set otherwise appropriate deny rules, and it doesn't matter if the internal machines have routable IPs or not. My last employer had a class B IPv4 block so we didn't lack IP addresses and thus didn't use NAT, and it was no problem since the firewalls were configured to block traffic we didn't want.