On 10/04/2015 06:40 AM, Matthias Leisi wrote:
Fully agree. But the current state of IPv6 outside "professional“ networks/devices is sincerely limited by a lot of poor CPE and consumer device implementations.
I have to ask: where is the book _IPv6 for Dummies_ or equivalent? Specifically, is http://www.xnetworks.es/contents/Infoblox/IPv6forDummies.pdf any good? (I just downloaded it to inspect.) My bookshelf is full of books describing IPv4. Saying "IPv6 just works" ignores the issues of configuring intelligent firewalls to block the ne-er-do-wells using the new IP-level protocol. In Robert L. Ziegler's book _Linux Firewalls_ Second Edition (2002, ISBN 0-7357-1099-6), the *only* mention of IPv6 is in the discussion of NAT, and that discussion is limited to "NAT is a stopgap until IPv6 achieves wide implementation. A preview of the Third Edition fails to mention ip6tables at all, the same lack that the Second Edition has. I use CentOS, the community version of Red Hat Enterprise. I looked around for useful books on building IPv6 firewalls with the same granularity as the above-mentioned book for IPv4, and haven't found anything useful as yet. In particular, I'm looking for material that lays out how to build a mostly-closed firewall and DMZ in IPv6. The lack of IPv6 support goes further: I didn't find anything useful in Red Hat (CentOS) firewall tools that provides IPv6 support...but that's probably because I don't know what I'm looking for. (Also, that GUI software is intended for use on individual servers/computers, not in a edge-firewall with forwarding and DMZ responsibilities.) Building a secure firewall takes more than just knowing how to issue ip6table commands; one also needs to know exactly what goes into those commands. NANOG concentrates on network operators who need to provide a good Internet experience to all their downstream customers, which is why I see the bias toward openness...as it should be. Those of us who run edge networks have different problems to solve. I'm not asking NANOG to go past its charter, but I am asking the IPv6 fanatics on this mailing list to recognize that, even though the net itself may be running IPv6, the support and education infrastructure is still behind the curve. Reading RFCs is good, reading man pages is good, but there is no guidance about how to implement end-network policies in the wild yet...at least not that I've been able to find. "ipv6.disable" will be changed to zero when I know how to set the firewall to implement the policies I need to keep other edge networks from disrupting mine.