Bill, On 2010-07-22 19:49, William Herrin wrote:
On Wed, Jul 21, 2010 at 5:37 PM, Owen DeLong <owen@delong.com> wrote:
http://tools.ietf.org/html/draft-arkko-ipv6-transition-guidelines There is a third major challenge to dual-stack that isn't addressed in the document: differing network security models that must deliver the same result for the same collection of hosts regardless of whether Ipv4 or v6 is selected. I can throw a COTS d-link box with address-overloaded NAT on a connection and have reasonably effective network security and anonymity in IPv4. Achieving comparable results in the IPv6 portion of the dual stack on each of those hosts is complicated at best.
Actually, it isn't particularly hard at all... Turn on privacy addressing on each of the hosts (if it isn't on by default) and then put a linux firewall in front of them with a relatively simple ip6tables configuration for outbound only.
From the lack of dispute, can I infer agreement with the remainder of my comments wrt mitigations for the "one of my addresses doesn't work" problem and the impracticality of the document's section 4.3 and 4.4 for wide scale Ipv6 deployment?
As for those two scenarios (IPv6-only ISPs and IPv6-only clients, to simplify them), the document doesn't place them as first preference solutions. However, the fact is that various *extremely* large operators find themselves more or less forced into these scenarios by IPv4 exhaustion. I think it's more reasonable to describe solutions for them than to rule their problem out of order. Brian