On 01/20/12 05:07, Tanstaafl wrote:
> On 2012-01-19 5:32 PM, Mick <michaelkintzios@×××××.com> wrote:
>> On Thursday 19 Jan 2012 15:48:32 Michael Mol wrote:
>>> On Thu, Jan 19, 2012 at 10:37 AM, Tanstaafl <tanstaafl@×××××××××××.org> wrote:
>>>> I have a reasonable grasp of how to use IP addresses etc with IPv4, but
>>>> every time I start reading about IPv6 I get a headache...
>>>>
>>>> Does anyone know of a decent tutorial written specifically to those who
>>>> have an ok (but not hugely in-depth) understanding of IPv4, and doesn't
>>>> get bogged down in too many technical details, but simply explains what
>>>> you need to know to be able to transition to it and use it effectively
>>>> *and securely* - and/or how *not* to have to expose your entire private
>>>> network to the world (what IPv4 NAT protects you from)?
>
>>> I've been doing IPv6 presentations at LUGs and tech cons, and I'm
>>> getting scheduled for a few IPv6 topics at Penguicon... but I'm pretty
>>> sure I'm also not the most knowledgeable on this list wrt IPv6,
>>> either. Still, what would you like to know? (I can use your questions
>>> as fodder and experience for future presentations. ^^)
>
>> Now that IPv6 is enabled by default on Linux, is one meant to duplicate all
>> the IPv4 iptables rules also for IPv6? I'm using arno-iptables and from what
>> I saw in the config file it is either 4 or 6 that one can activate. Perhaps
>> this has improved with later versions.
>
> That was the very first question (and headache) I got from looking at this.
>
>> The OP would probably have more questions, but if you ever pull together a
>> pack of slides I would much appreciate a link to look at them.
>
> I really wouldn't know where to start... that is why I was looking for a decent
> tutorial that covered the topic in total, so I could hopefully get to the point
> that I *could* ask some intelligent questions about it...
>
> One very general question I have is, how can you - or even *can* you - hide all
> of your internal devices from the outside world, similar to how 'private' IPs
> behind a NAT'd firewall are hidden from the outside world (and not directly
> accessible). I definitely do *not* want all of my internal devices directly
> accessible from the internet.
>

If you want a good place to start, try Mark Newton's AusCERT IPv6 talk.
http://risky.biz/AusCERT-Newton
It's not exactly "layman's", but I still recommend it. It's a good talk taking your
IPv4 knowledge and comparing it to the IPv6 equivalents, and brings up some good
general ideas that make you think of IPv6 in a practical sense. Unfortunately I
haven't found a video version of it. :(

I've done a handful of IPv6 conversions, small to medium networks; I'd be willing
to answer some questions if you need help.

As for your general question, the short answer is you can't. If you need internet
access, then you will have to have public IPs.

Question: Why do you want to hide internal devices? I don't expect an answer; this
is something you should ask yourself.

Is it to protect running services from attack/discovery? Great, that's what your
firewall is for, so you don't need to worry about private addresses. Another option
is to deploy IPSec for internal services; this would hide internal services even
from hosts on the private address space unless they are trusted through IPSec rules.

Is it to hide the actual devices? Or your network architecture/topology? Scanning
for host discovery in IPv6 is not feasible. Consider how big IPv6 is. A typical host
discovery scan on an IPv4 private network can be done in a few hours. Given a
(really fast) average host discovery of 1000 hosts a second, let's apply some math
to your internal IPv6 range. We'll compare both ::/64 and ::/48, which amounts to
2^64 and 2^80 addresses. Your host discovery scan would take between 600 million
and 38 trillion years to check each IP.

If you still want private addresses, IPv6 has unique local addresses (fc00::/7
range; http://www.sixxs.net/tools/grh/ula/ has a registration form to help assign
a /48 to you). But since there's no address translation, you're stuck running dual
networks for everything that needs a private address and internet access. It's not
entirely a bad thing, but it can be a long, tedious process, and some software
sucks at it (mysqld).

Hope that helps.
Chris
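The "that's what your firewall is for" point above, as an added example that is not part of the thread and is not arno-iptables: a minimal stateful ip6tables policy that drops unsolicited inbound IPv6 without any address translation, while keeping the ICMPv6 types IPv6 cannot work without. The interface names and the IP6T preview variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from arno-iptables: a minimal stateful
# ip6tables policy that drops unsolicited inbound IPv6 the way IPv4 NAT does as
# a side effect, without any address translation. Interface names are passed in;
# set IP6T=echo to print the rules instead of applying them.
IP6T="${IP6T:-ip6tables}"

apply_ipv6_rules() {
    wan="$1"   # internet-facing interface (assumed, e.g. eth0)
    lan="$2"   # internal interface (assumed, e.g. eth1)

    $IP6T -F INPUT
    $IP6T -F FORWARD
    $IP6T -P INPUT DROP
    $IP6T -P FORWARD DROP
    $IP6T -P OUTPUT ACCEPT

    $IP6T -A INPUT -i lo -j ACCEPT
    $IP6T -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Unlike IPv4, ICMPv6 must not be blocked wholesale: the error types carry
    # path-MTU discovery, and neighbour discovery replaces ARP.
    for t in destination-unreachable packet-too-big time-exceeded parameter-problem; do
        $IP6T -A INPUT -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
    done
    # ND/RA messages are link-local and must arrive with hop limit 255 (RFC 4861);
    # the hl match rejects copies routed in from anywhere further away.
    for t in router-advertisement neighbor-solicitation neighbor-advertisement; do
        $IP6T -A INPUT -p ipv6-icmp --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
    done
    $IP6T -A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 10/s -j ACCEPT

    # Gateway role: internal hosts initiate outbound; nothing new enters from the WAN.
    $IP6T -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IP6T -A FORWARD -i "$lan" -o "$wan" -j ACCEPT
    $IP6T -A FORWARD -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
}

# Usage (as root): ./ipv6-fw.sh apply eth0 eth1
# Preview only:    IP6T=echo ./ipv6-fw.sh apply eth0 eth1
if [ "${1:-}" = "apply" ]; then
    apply_ipv6_rules "$2" "$3"
fi
```

Forwarding also needs net.ipv6.conf.all.forwarding=1 on the gateway; the script only installs the filter rules.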