Options
Thinking about IPv6
it_consultant
Member Posts: 1,903
in Off-Topic
Do you think most of you will simply put your firewalls into bridge mode? I have been trying to wrap my head around how I am going to implement IPV6 on my client networks. I am not thrilled about having all of my devices naked and exposed on the internet, but IPv6 doesn't really use what we now think of as private networking. It will also take some getting used to putting routable IP addresses in my DHCP scope.
Comments
-
OptionsTurgon Banned Posts: 6,308 ■■■■■■■■■□it_consultant wrote: »Do you think most of you will simply put your firewalls into bridge mode? I have been trying to wrap my head around how I am going to implement IPV6 on my client networks. I am not thrilled about having all of my devices naked and exposed on the internet, but IPv6 doesn't really use what we now think of as private networking. It will also take some getting used to putting routable IP addresses in my DHCP scope.
There is NAT for IPv6. Avoid IPv6 if you can for now. It is the work of the devil. -
Optionsit_consultant Member Posts: 1,903Last I read NAT for IPv6 was almost completely theoretical. Has an RFC been put forth that has changed that? That was the question that got me pondering, 'how am I going to segregate my networks from the public internet'? I don't have a problem with bridging firewalls, more or less I think that we are not taking this seriously enough as IT professionals. Our world is bound to change. We will probably go through an IT professional purge as people refuse or are incapable of learning IPv6.
-
Optionsnetworker050184 Mod Posts: 11,962 ModNAT isn't really providing you any security so it isn't a big deal IMO. I don't see why you would need to bridge the firewall either. You will just have public addresses on the inside and outside rather than private inside.An expert is a man who has made all the mistakes which can be made.
-
OptionsPriston Member Posts: 999 ■■■■□□□□□□I've been looking for a home router I can use to play with IPv6. I wish these hardware vendors would advertise there stuff as IPv6 ready.
@ networker aren't FD00 private addresses?A.A.S. in Networking Technologies
A+, Network+, CCNA -
OptionsTurgon Banned Posts: 6,308 ■■■■■■■■■□it_consultant wrote: »Last I read NAT for IPv6 was almost completely theoretical. Has an RFC been put forth that has changed that? That was the question that got me pondering, 'how am I going to segregate my networks from the public internet'? I don't have a problem with bridging firewalls, more or less I think that we are not taking this seriously enough as IT professionals. Our world is bound to change. We will probably go through an IT professional purge as people refuse or are incapable of learning IPv6.
Cisco IOS IPv6 Configuration Guide, Release 12.4 - Implementing NAT-PT for IPv6 [Cisco IOS Software Releases 12.4 Mainline] - Cisco Systems -
Optionsit_consultant Member Posts: 1,903networker050184 wrote: »NAT isn't really providing you any security so it isn't a big deal IMO. I don't see why you would need to bridge the firewall either. You will just have public addresses on the inside and outside rather than private inside.
I am assuming that my ISP is handling the actual routing, no need to route between my firewall and their device, might as well bridge. -
Optionsit_consultant Member Posts: 1,903
I thought this might be what you were talking about after I questioned you. I figure I will run IPv6 inside my domain once the web becomes more IPv6 friendly making NAT-PT unnecessary. I am thinking that trying to tunnel or whatever to maintain IPv4 is going to be too much of a pain in the ass to do for a whole domain. Perhaps if we have legacy applications I will have one NIC IPv4 and one IPv6 or whatever, but its one of those things that I think will be best dove into head first and not looking back.
This is interesting - the original RFC for NAT-PT (or network address translation / protocol translation) is not recommended for use. Is Cisco recommending it anyway?
http://tools.ietf.org/html/rfc4966 -
OptionsMentholMoose Member Posts: 1,525 ■■■■■■■■□□Just set the firewall to default deny, or set otherwise appropriate deny rules, and it doesn't matter if the internal machines have routable IPs or not. My last employer had a class B IPv4 block so we didn't lack IP addresses and thus didn't use NAT, and it was no problem since the firewalls were configured to block traffic we didn't want.MentholMoose
MCSA 2003, LFCS, LFCE (expired), VCP6-DCV