On Jul 22, 2010, at 12:49 AM, William Herrin wrote:
On Wed, Jul 21, 2010 at 5:37 PM, Owen DeLong <owen@delong.com> wrote:
http://tools.ietf.org/html/draft-arkko-ipv6-transition-guidelines There is a third major challenge to dual-stack that isn't addressed in the document: differing network security models that must deliver the same result for the same collection of hosts regardless of whether Ipv4 or v6 is selected. I can throw a COTS d-link box with address-overloaded NAT on a connection and have reasonably effective network security and anonymity in IPv4. Achieving comparable results in the IPv6 portion of the dual stack on each of those hosts is complicated at best.
Actually, it isn't particularly hard at all... Turn on privacy addressing on each of the hosts (if it isn't on by default) and then put a linux firewall in front of them with a relatively simple ip6tables configuration for outbound only.
From the lack of dispute, can I infer agreement with the remainder of my comments wrt mitigations for the "one of my addresses doesn't work" problem and the impracticality of the document's section 4.3 and 4.4 for wide scale Ipv6 deployment?
No, merely resignation to the fact that you don't get it. Owen