Steven M Bellovin writes:
> I'll give just one example, using your suggestion of converting DMZ: how do you keep your firewall rules consistent between v4 and v6 addresses and prefixes?
This is indeed a major issue in our (internal) dual-stack deployment. Our firewall rules (actually just stateless ACLs on our data-center routers) are generated from high-level rules, but the generator can only generate IPv4 ACLs. Since we failed to convince the responsible team to add IPv6 ACL generation, we wrote a script that converts IPv4 ACLs into IPv6 ACLs. The script extracts the IPv4->IPv6 address mapping from router configurations (for subnets), the DNS (for hosts), and itself (hardcoded exceptions). Works surprisingly well.
> This involves vendor technology (the firewall box), communication with your ISP (handling prefix changes), local technology (you do have a change control process for firewall rules, right, and perhaps a database of machines and addresses?), and training.
But those are all issues that have to be addressed whether you are dual-stack or not. Our current mechanism (while a hack) is pretty transparent - the firewall rule update procedure is the same from the points of view of both the ruleset producers (security team) and consumers (who install the rules on the routers). It's just that the change reports now include IPv6 ACL changes. (Actually, the IPv6 ACLs don't "diff" as nicely as the IPv4 ones, because of an implementation shortcoming in our routers.)
> It may also involve upgrading some of the servers because of the rapid changes in v6 support. (I'll cite a personal example: I upgraded the OS on a machine of mine recently, and found that my mailing lists weren't working. Why? Because the version of Postfix had been changed to one with v6 support, and I had to specify v6 loopback addresses in some mysterious place.)
This is typical for the kind of problems you will encounter when going dual-stack.
> That's not to say this is an excuse for delay. Converting is going to get harder when you acquire more gear, not easier.
Right, but it's going to become easier as there are more (early) adopters that help iron out these issues for the community. -- Simon.