| 1 |
On 01/20/12 05:07, Tanstaafl wrote: |
| 2 |
> On 2012-01-19 5:32 PM, Mick <michaelkintzios@×××××.com> wrote: |
| 3 |
>> On Thursday 19 Jan 2012 15:48:32 Michael Mol wrote: |
| 4 |
>>> On Thu, Jan 19, 2012 at 10:37 AM, Tanstaafl<tanstaafl@×××××××××××.org> wrote: |
| 5 |
>>>> I have a reasonable grasp of how to use IP addresses etc with IPv4, but |
| 6 |
>>>> every time I start rading about IPv6 I get a headache... |
| 7 |
>>>> |
| 8 |
>>>> Does anyone know of a decent tutorial written specifically to those who |
| 9 |
>>>> have an ok (but not hugely in-depth) understanding of IPv4, and doesn't |
| 10 |
>>>> get bogged down in too many technical details, but simply explains what |
| 11 |
>>>> you need to know to be able to transition to it and use it effectively |
| 12 |
>>>> *and securely* - and/or how *not* to have to expose your entire private |
| 13 |
>>>> network to the world (what IPv4 NAT protects you from)? |
| 14 |
> |
| 15 |
>>> I've been doing IPv6 presentations at LUGs and tech cons, and I'm |
| 16 |
>>> getting scheduled for a few IPv6 topics at Penguicon...but I'm pretty |
| 17 |
>>> sure I'm also not the most knowledgeable on this list wrt IPv6, |
| 18 |
>>> either. Still, what would you like to know? (I can use your questions |
| 19 |
>>> as fodder and experience for future presentations. ^^) |
| 20 |
> |
| 21 |
>> Now that IPv6 is enabled by default on Linux, is one meant to duplicate all |
| 22 |
>> the IPv4 iptable rules also for IPv6? I'm using arno ip tables and from what |
| 23 |
>> I saw in the config file it is either 4 or 6 that one can activate. Perhaps |
| 24 |
>> this has improved with later versions. |
| 25 |
> |
| 26 |
> That was the very first question (and headache) I got from looking at this. |
| 27 |
> |
| 28 |
>> The OP would probably have more questions, but if you ever pull together a |
| 29 |
>> pack of slides I would much appreciate a link to look at them. |
| 30 |
> |
| 31 |
> I really wouldn't know where to start... that is why I was looking for a decent tutorial that covered the topic in total, so I could hopefully |
| 32 |
> get to the point that I *could* ask some intelligent questions about it... |
| 33 |
> |
| 34 |
> One very general question I have is, how can you - or even *can* you - hide all of your internal devices from the outside world, similar to how |
| 35 |
> the use of 'private' IP's behind a NAT'd firewall are hidden from the outside world (nor directly accessible). I definitely do *not* want all of |
| 36 |
> my internal devices directly accessible from the internet. |
| 37 |
> |
| 38 |
|
| 39 |
If you want a good place to start, try Mark Newton's AusCERT IPv6 talk. |
| 40 |
http://risky.biz/AusCERT-Newton |
| 41 |
It's not exactly "laymen", but I still recommend it. It's a good talk taking your IPv4 knowledge and comparing it to the IPv6 equivalents, and |
| 42 |
brings up some good general ideas that make you think of IPv6 in a practical sense. Unfortunately I haven't found a video version of it. :( |
| 43 |
|
| 44 |
I've done a hand full of IPv6 conversions, small to medium networks, I'd be willing to answer some questions if you need help. |
| 45 |
|
| 46 |
As for your general question, the short answer is you can't. If you need internet access, then you will have to have public IPs. |
| 47 |
|
| 48 |
Question: Why do you want to hide internal devices? I don't expect an answer, this is something you should ask yourself. |
| 49 |
|
| 50 |
Is it to protect running services from attack/discovery? Great, that's what your firewall is for, so you don't need to worry about private |
| 51 |
addresses. Another option is to deploy IPSec for internal services, this would hide internal services even from hosts on the private address |
| 52 |
space unless they are trusted though IPSec rules. |
| 53 |
|
| 54 |
Is it to hide the actual devices? or your network architecture/topology? Scanning for host discovery in IPv6 is not feasible. Consider how big |
| 55 |
IPv6 is. A typical host discovery scan on an IPv4 private network can be done in a few hours. Given a (really fast) average host discovery of |
| 56 |
1000 hosts a second, lets apply some math to your internal IPv6 range. We'll compare both ::/64 and ::/48, which amounts to 2^64 and 2^80 |
| 57 |
addresses. Your host discovery scan would take between 600 million, and 38 trillion years to check each IP. |
| 58 |
|
| 59 |
If you still want private addresses, IPv6 has unique local addresses (fc00::/7 range, http://www.sixxs.net/tools/grh/ula/ has a reg form to help |
| 60 |
assign a /48 to you). But since there's no address translation, your stuck running dual networks for everything that needs a private address |
| 61 |
and internet access. It's not entirely a bad thing, but it can be a long tedious process, and some software sucks at it (mysqld). |
| 62 |
|
| 63 |
Hope that helps. |
| 64 |
Chris |
Archives