On 5-6-2012 23:23, William Herrin wrote:
> On 6/5/12, David Hubbard <dhubbard@dino.hostasaurus.com> wrote:
> Hi David,
>
> Instead of going the book route, I'd suggest getting some tunneled addresses from he.net and then working through http://ipv6.he.net/certification/ .
> They have the basics pretty well covered, it's interactive and it's free.

+1, it's one of the best ways to learn. Do.

> Some additional thoughts:
>
> 1. Anybody who tells you that there are security best practices for IPv6 is full of it. It simply hasn't seen enough use in the environment to which we're now deploying it and rudimentary technologies widely used in IPv4 (e.g. NAT/PAT to private address space) haven't yet made their transition.

Well, not quite, but firewall rules work just the same as before. Use those. The longer version is that some people used "from internet to any" rules on their WAN, which in an IPv4 NAT really translated to "allow everything to my external address". Unless you used 1:1, of course, but I digress. In IPv6 such a rule really means anything internal. People that have administered firewalls that route public addresses will know exactly what I mean.

> d. Default customer assignments should be /56 or /48 depending on who you ask. /48 was the IETF's original plan. Few of your customers appear to use tens of LANs, let alone thousands. Maybe that will change but the motivations driving such a thing seem a bit pie in the sky. /56 lets the customer implement more than one LAN (e.g. wired and wireless) but burns through your address space much more slowly. /60 would do that too but nobody seems to be using it. /64 allows only one LAN, so avoid it.

You seem to miss a semi-important thing here: daisy chaining of routers in the premises. Some routers (pfSense included) allow for setting up prefix delegation; this means that you can connect routers behind the one you have and still have native v6. Although the automatic setup system I wrote for this works with /56 networks, it will only set up PD for /64 networks at this point. I allocate a part of the assigned /56 network for prefix delegation automatically. If the PD is a /48 I can delegate /56 networks to the sub-routers, which in their turn can delegate /64 networks to another sub-router. It's not that the user itself will actually assign all those networks, but routers will do so automatically and you need proper route aggregation. It's unlikely that all networks will be directly assigned as /64 networks either; it could also be multiple routers. Even if it was done manually I'd assign a /60 route out of a /56 PD. The notion that it will always be a /64 is... well.

Regards,
Seth