On Wed, 2010-07-21 at 20:37 -0700, Owen DeLong wrote:
> > I can throw a COTS d-link box with
> > address-overloaded NAT on a connection and have reasonably effective network security and anonymity in IPv4. Achieving comparable results in the IPv6 portion of the dual stack on each of those hosts is complicated at best.
>
> Actually, it isn't particularly hard at all... Turn on privacy addressing on each of the hosts (if it isn't on by default) and then put a linux firewall in front of them with a relatively simple ip6tables configuration for outbound only.
All respect to someone that knows his stuff, and I do realise that the OP mentioned small-scale hardware, but in the wider world (and even the world of home users as seen from the carrier side) any solution that says "do <whatever> on every host" is just not workable. As for the Linux packet filter, that's an exercise for the advanced home user. Outside the home environment - well, most people here have traffic rates that would leave a Linux firewall a melted puddle of slag. It has to be a standards-based solution, implemented in silicon.

That said, you get 99% of everything worth having out of NAT with a packet filter that says "allow established and related in, allow anything out, block everything else". That can be implemented trivially on just about any router from the tiniest piece of CPE up to the Cisco and Juniper refrigerator boxes, and I would expect to see it the default in any IPv6 CPE (when they at last begin appearing).

While there are people who want anonymity (by which they mean not exposing actual addresses to the Internet), I am of the opinion that this is little more than another version of security through obscurity, and that the very minor benefit it may confer is massively outweighed by the operational impost.

Some people don't want their MAC addresses exposed to the Internet, so they don't want to use IPv6 autoconf addresses. I feel pretty much the same way about that idea as I do about the other, but at least there is a simple, standard solution for it - DHCP. DHCP is far less obstructive to troubleshooting and logging than privacy addresses.

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/                  +61-428-957160 (mob)

GPG fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
Old fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF
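The "allow established and related in, allow anything out, block everything else" policy from the message above, as an added example that is not code from the thread or from either poster: a small Python model of a stateful filter run over constructed IPv6 packets, with the ip6tables-restore ruleset it corresponds to kept alongside as a string. All addresses, the interface names lan0/wan0 and the packet sequence are constructed for illustration. One caveat the post does not spell out: in IPv6, "block everything else" must still admit a few ICMPv6 types (neighbour discovery, Packet Too Big) or the network stops working; RFC 4890 gives the recommended list, and the model below admits only a minimal subset.

```python
"""Model of the CPE policy: allow ESTABLISHED/RELATED in, anything out, drop the
rest. Added example over constructed packets; not part of the original thread."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Equivalent ip6tables-restore ruleset for a CPE router. Interface names lan0
# and wan0 are assumed. ICMPv6 is accepted on INPUT because neighbour
# discovery to the router itself would otherwise fail.
IP6TABLES_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i wan0 -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A FORWARD -i lan0 -o wan0 -j ACCEPT
COMMIT
"""

Flow = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    direction: str                   # "out" = LAN -> Internet, "in" = Internet -> LAN
    proto: str                       # "tcp", "udp" or "icmpv6"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[str] = None  # ICMPv6 type name when proto == "icmpv6"
    inner: Optional[Flow] = None     # ICMPv6 errors quote the flow they concern


class StatefulFilter:
    """Simplified connection tracker plus the three-line policy."""

    # Inbound ICMPv6 that must pass even when NEW (PMTUD, neighbour discovery).
    # RFC 4890 has the full recommended list; this is a deliberate minimum.
    NEW_ICMP_OK = {"packet-too-big", "neighbor-solicitation",
                   "neighbor-advertisement"}

    def __init__(self) -> None:
        self.conntrack = set()  # flows first seen leaving the LAN

    @staticmethod
    def flow(p: Packet) -> Flow:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse(f: Flow) -> Flow:
        proto, src, sport, dst, dport = f
        return (proto, dst, dport, src, sport)

    def tracked(self, f: Flow) -> bool:
        return f in self.conntrack or self.reverse(f) in self.conntrack

    def state(self, p: Packet) -> str:
        if self.tracked(self.flow(p)):
            return "ESTABLISHED"
        if p.proto == "icmpv6" and p.inner is not None and self.tracked(p.inner):
            return "RELATED"
        return "NEW"

    def decide(self, p: Packet) -> str:
        if self.state(p) in ("ESTABLISHED", "RELATED"):
            return "ACCEPT"                   # reply or error for a flow the LAN opened
        if p.direction == "out":
            self.conntrack.add(self.flow(p))  # NEW outbound: allow it and remember it
            return "ACCEPT"
        if p.proto == "icmpv6" and p.icmp_type in self.NEW_ICMP_OK:
            return "ACCEPT"
        return "DROP"                         # unsolicited inbound: the NAT-like property


def demo() -> List[str]:
    """Constructed packet sequence; returns the verdicts in order."""
    fw = StatefulFilter()
    lan, web, attacker = "2001:db8:1::10", "2001:db8:ffff::80", "2001:db8:bad::1"
    seq = [
        Packet("in", "tcp", attacker, lan, 40000, 22),     # scan of a global address
        Packet("out", "tcp", lan, web, 51000, 443),        # LAN host opens HTTPS
        Packet("in", "tcp", web, lan, 443, 51000),         # server's reply
        Packet("in", "icmpv6", "2001:db8:55::1", lan,      # PMTUD error for that flow
               icmp_type="packet-too-big", inner=("tcp", lan, 51000, web, 443)),
        Packet("in", "tcp", attacker, lan, 443, 51000),    # forged "reply" from wrong peer
    ]
    return [fw.decide(p) for p in seq]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The forged reply in the last packet is dropped because the tracker keys on the full 5-tuple, not just the port pair, which is the same property that makes address-overloaded NAT look like a firewall. For the per-host step Owen mentions, Linux exposes RFC 4941 privacy addressing as the sysctl net.ipv6.conf.<iface>.use_tempaddr (2 = prefer temporary addresses).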