Thinking about IPv6

it_consultantit_consultant Member Posts: 1,903
Do you think most of you will simply put your firewalls into bridge mode? I have been trying to wrap my head around how I am going to implement IPV6 on my client networks. I am not thrilled about having all of my devices naked and exposed on the internet, but IPv6 doesn't really use what we now think of as private networking. It will also take some getting used to putting routable IP addresses in my DHCP scope.

Comments

  • TurgonTurgon Banned Posts: 6,308 ■■■■■■■■■□
    Do you think most of you will simply put your firewalls into bridge mode? I have been trying to wrap my head around how I am going to implement IPV6 on my client networks. I am not thrilled about having all of my devices naked and exposed on the internet, but IPv6 doesn't really use what we now think of as private networking. It will also take some getting used to putting routable IP addresses in my DHCP scope.

    There is NAT for IPv6. Avoid IPv6 if you can for now. It is the work of the devil.
  • it_consultantit_consultant Member Posts: 1,903
    Last I read NAT for IPv6 was almost completely theoretical. Has an RFC been put forth that has changed that? That was the question that got me pondering, 'how am I going to segregate my networks from the public internet'? I don't have a problem with bridging firewalls, more or less I think that we are not taking this seriously enough as IT professionals. Our world is bound to change. We will probably go through an IT professional purge as people refuse or are incapable of learning IPv6.
  • networker050184networker050184 Mod Posts: 11,962 Mod
    NAT isn't really providing you any security so it isn't a big deal IMO. I don't see why you would need to bridge the firewall either. You will just have public addresses on the inside and outside rather than private inside.
    An expert is a man who has made all the mistakes which can be made.
  • PristonPriston Member Posts: 999 ■■■■□□□□□□
    I've been looking for a home router I can use to play with IPv6. I wish these hardware vendors would advertise there stuff as IPv6 ready.

    @ networker aren't FD00 private addresses?
    A.A.S. in Networking Technologies
    A+, Network+, CCNA
  • TurgonTurgon Banned Posts: 6,308 ■■■■■■■■■□
    Last I read NAT for IPv6 was almost completely theoretical. Has an RFC been put forth that has changed that? That was the question that got me pondering, 'how am I going to segregate my networks from the public internet'? I don't have a problem with bridging firewalls, more or less I think that we are not taking this seriously enough as IT professionals. Our world is bound to change. We will probably go through an IT professional purge as people refuse or are incapable of learning IPv6.

    Cisco IOS IPv6 Configuration Guide, Release 12.4 - Implementing NAT-PT for IPv6 [Cisco IOS Software Releases 12.4 Mainline] - Cisco Systems
  • it_consultantit_consultant Member Posts: 1,903
    NAT isn't really providing you any security so it isn't a big deal IMO. I don't see why you would need to bridge the firewall either. You will just have public addresses on the inside and outside rather than private inside.

    I am assuming that my ISP is handling the actual routing, no need to route between my firewall and their device, might as well bridge.
  • it_consultantit_consultant Member Posts: 1,903
    Turgon wrote: »

    I thought this might be what you were talking about after I questioned you. I figure I will run IPv6 inside my domain once the web becomes more IPv6 friendly making NAT-PT unnecessary. I am thinking that trying to tunnel or whatever to maintain IPv4 is going to be too much of a pain in the ass to do for a whole domain. Perhaps if we have legacy applications I will have one NIC IPv4 and one IPv6 or whatever, but its one of those things that I think will be best dove into head first and not looking back.

    This is interesting - the original RFC for NAT-PT (or network address translation / protocol translation) is not recommended for use. Is Cisco recommending it anyway?

    http://tools.ietf.org/html/rfc4966
  • MentholMooseMentholMoose Member Posts: 1,525 ■■■■■■■■□□
    Just set the firewall to default deny, or set otherwise appropriate deny rules, and it doesn't matter if the internal machines have routable IPs or not. My last employer had a class B IPv4 block so we didn't lack IP addresses and thus didn't use NAT, and it was no problem since the firewalls were configured to block traffic we didn't want.
    MentholMoose
    MCSA 2003, LFCS, LFCE (expired), VCP6-DCV
Sign In or Register to comment.