Pointer for documentation on actually delivering IPv6
Probably a case of something being blindingly obvious but...
I have seen plenty of information on IPv6 from an internal network standpoint. I have seen very little with respect to how an ISP is supposed to handle routing to residential consumer networks. I have seen suggestions of running RIPng. The thought of letting Belkin routers (if you can call them that) into the routing table scares me no end.
Is this way easier than I think it is? Did somebody already write the book that I can't find?
-- Mark Radabaugh Amplex
mark@amplex.net 419.837.5015
On 12/04/2010 07:40 PM, Mark Radabaugh wrote:
Probably a case of something being blindingly obvious but...
I have seen plenty of information on IPv6 from an internal network standpoint. I have seen very little with respect to how an ISP is supposed to handle routing to residential consumer networks. I have seen suggestions of running RIPng. The thought of letting Belkin routers (if you can call them that) into the routing table scares me no end.
Hear, hear! This cheap consumer junk is KILLING the internet, you can't trust any of this garbage for 5 damn seconds, let alone actually configure any moderately advanced setup and expect them to keep operating for any length of time.
Is this way easier than I think it is? Did somebody already write the book that I can't find?
I'd love to see it too. We're a small ISP and just keeping the business going is hard enough without having to learn the entire v6 protocol suite; we need more help, otherwise we're likely to just keep putting it off.
Mike
On Sat, Dec 4, 2010 at 22:40, Mark Radabaugh <mark@amplex.net> wrote:
Probably a case of something being blindingly obvious but...
I have seen plenty of information on IPv6 from an internal network standpoint. I have seen very little with respect to how an ISP is supposed to handle routing to residential consumer networks. I have seen suggestions of running RIPng. The thought of letting Belkin routers (if you can call them that) into the routing table scares me no end.
Is this way easier than I think it is? Did somebody already write the book that I can't find?
DHCPv6-PD (prefix delegation) with the relay installing static routes is probably the most straightforward way. Letting home CPE participate in routing does indeed seem like a bad idea; I haven't heard that seriously suggested before.
-Ben
On 12/4/10 10:52 PM, Ben Jencks wrote:
On Sat, Dec 4, 2010 at 22:40, Mark Radabaugh<mark@amplex.net> wrote:
Probably a case of something being blindingly obvious but...
I have seen plenty of information on IPv6 from an internal network standpoint. I have seen very little with respect to how an ISP is supposed to handle routing to residential consumer networks. I have seen suggestions of running RIPng. The thought of letting Belkin routers (if you can call them that) into the routing table scares me no end.
Is this way easier than I think it is? Did somebody already write the book that I can't find?
DHCPv6-PD (prefix delegation) with the relay installing static routes is probably the most straightforward way. Letting home CPE participate in routing does indeed seem like a bad idea; I haven't heard that seriously suggested before.
-Ben
I had found the documentation on DHCPv6-PD but didn't see the mechanism for getting the assigned prefixes into the router.
Mark
On 05/12/2010, at 2:29 PM, Mark Radabaugh wrote:
On 12/4/10 10:52 PM, Ben Jencks wrote:
On Sat, Dec 4, 2010 at 22:40, Mark Radabaugh<mark@amplex.net> wrote:
Probably a case of something being blindingly obvious but...
I have seen plenty of information on IPv6 from an internal network standpoint. I have seen very little with respect to how an ISP is supposed to handle routing to residential consumer networks. I have seen suggestions of running RIPng. The thought of letting Belkin routers (if you can call them that) into the routing table scares me no end.
Is this way easier than I think it is? Did somebody already write the book that I can't find?
DHCPv6-PD (prefix delegation) with the relay installing static routes is probably the most straightforward way. Letting home CPE participate in routing does indeed seem like a bad idea; I haven't heard that seriously suggested before.
-Ben
I had found the documentation on DHCPv6-PD but didn't see the mechanism for getting the assigned prefixes into the router.
RADIUS. When your session comes up you get, in our trial (http://ipv6.internode.on.net), a /64 assigned to your PPP interface. You can choose to send an RA and assign your router an IP in this or not. Otherwise your router sends a DHCPv6 PD request to our BRAS. Our BRAS knows who you are and does a RADIUS request. Our RADIUS server sends back either a pool name or a static /60 (for the trial) which then gets routed to your interface. You then assign internally as required.
MMC
On Sat, Dec 4, 2010 at 19:52, Ben Jencks <ben@bjencks.net> wrote:
DHCPv6-PD (prefix delegation) with the relay installing static routes is probably the most straightforward way.
Apparently that has its own problems right now actually: http://blog.ioshints.info/2010/10/dhcpv6-relaying-another-trouble-spot.html
Letting home CPE participate in routing does indeed seem like a bad idea; I haven't heard that seriously suggested before.
I guess "Comcast Business Class" cable service isn't necessarily considered home service, but I wouldn't call it a dedicated bandwidth contract either. The CPE that they use (SMCD3G or similar) actually does this for v4, that is if you purchase a "Static IP Block" from them, they actually use RIPv2 to send your prefix (usually a /27 or longer) to the headend. Obviously authentication is used and the CPE firmware prevents the end user from tampering with any part of the RIP configuration, but the point is that RIP actually is used at a large scale for this purpose. -Bill
In article <xs4all.AANLkTin5aOQKLbiXfN9ELNpoDLBCDxn1E0ATi7wbU_XA@mail.gmail.com> you write:
On Sat, Dec 4, 2010 at 19:52, Ben Jencks <ben@bjencks.net> wrote:
DHCPv6-PD (prefix delegation) with the relay installing static routes is probably the most straightforward way.
Apparently that has its own problems right now actually: http://blog.ioshints.info/2010/10/dhcpv6-relaying-another-trouble-spot.html
Well, the problem described there is exactly the same problem that already exists with plain IPv4 DHCP (a pity that FORCERENEW (rfc3203) or something like it never took off). If you use PPPoA/PPPoE/PPPoX with DHCPv6 PD, the problem described there doesn't exist if your CPE is at least halfway intelligent .. it should of course do a new lease request (at least a renewal) after a PPP reconnect.
Mike.
On 06/12/2010, at 6:54 AM, Bill Fehring wrote:
Apparently that has its own problems right now actually: http://blog.ioshints.info/2010/10/dhcpv6-relaying-another-trouble-spot.html
In our deployment mode, the CEs are running PPP sessions to the BRAS, so they know when it reboots and can respond accordingly. Layer 3 access networks could conceivably have an issue here, though. It's almost as if everyone ought to have been working on this a decade ago so that we'd have a workable solution by now! :-)
- mark
-- Mark Newton Email: newton@internode.com.au (W)
Network Engineer Email: newton@atdot.dotat.org (H)
Internode Pty Ltd Desk: +61-8-82282999
"Network Man" - Anagram of "Mark Newton" Mobile: +61-416-202-223
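The BRAS-side flow Matthew describes above (PPP session up, a /64 bound to the PPP interface, the CPE's DHCPv6 PD request, RADIUS answering with either a static /60 or a pool name, the prefix routed to the session), together with the state-loss case Miquel and Mark discuss (BRAS reboots, routes vanish until the CPE re-requests), modelled in Python. This is an added example, not Internode's code or anything posted in the thread. The class names, subscriber names, pool sizes and all prefixes (documentation space 2001:db8::/32) are constructed; the RADIUS attribute names Delegated-IPv6-Prefix (RFC 4818) and Framed-IPv6-Pool (RFC 3162) are real attributes, but the thread does not say which attributes Internode actually returns.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


class RadiusServer:
    """Constructed RADIUS backend. For a subscriber with a static assignment it
    answers with Delegated-IPv6-Prefix (RFC 4818); otherwise it names a pool via
    Framed-IPv6-Pool (RFC 3162) and leaves the allocation to the BRAS."""

    def __init__(self, static_prefixes, pool_name="pd-trial"):
        self.static = {u: ipaddress.ip_network(p) for u, p in static_prefixes.items()}
        self.pool_name = pool_name

    def access_request(self, username):
        if username in self.static:
            return {"Delegated-IPv6-Prefix": self.static[username]}
        return {"Framed-IPv6-Pool": self.pool_name}


@dataclass
class Session:
    username: str
    link_prefix: ipaddress.IPv6Network               # the /64 on the PPP interface
    delegated: Optional[ipaddress.IPv6Network] = None


class Bras:
    """Model BRAS: PPP sessions, one PD pool, and a route table keyed by prefix.
    Block sizes are constructed; nothing here is a vendor API."""

    def __init__(self, radius, link_block="2001:db8::/48", pd_block="2001:db8:100::/44"):
        self.radius = radius
        self._link_alloc = ipaddress.ip_network(link_block).subnets(new_prefix=64)
        self._pool_alloc = {"pd-trial": ipaddress.ip_network(pd_block).subnets(new_prefix=60)}
        self.sessions = {}    # session id -> Session
        self.routes = {}      # IPv6Network -> session id the prefix is routed to

    def ppp_up(self, sid, username):
        """PPP session comes up: a /64 is bound to, and routed at, the PPP interface."""
        s = Session(username, next(self._link_alloc))
        self.sessions[sid] = s
        self.routes[s.link_prefix] = sid
        return s.link_prefix

    def pd_request(self, sid):
        """CPE sends DHCPv6 PD; BRAS asks RADIUS, then routes the prefix to the session."""
        s = self.sessions[sid]
        attrs = self.radius.access_request(s.username)
        if "Delegated-IPv6-Prefix" in attrs:
            prefix = attrs["Delegated-IPv6-Prefix"]
        else:
            prefix = next(self._pool_alloc[attrs["Framed-IPv6-Pool"]])
        s.delegated = prefix
        self.routes[prefix] = sid
        return prefix

    def ppp_down(self, sid):
        """Session ends: both the link /64 and the delegated prefix are withdrawn."""
        s = self.sessions.pop(sid)
        for prefix in (s.link_prefix, s.delegated):
            self.routes.pop(prefix, None)

    def reboot(self):
        """BRAS loses all session and route state; nothing is routed until the
        CPE notices the PPP session drop and re-requests its prefix."""
        self.sessions.clear()
        self.routes.clear()

    def route_for(self, address):
        """Longest-prefix match; None means traffic to this address is black-holed."""
        addr = ipaddress.ip_address(address)
        match = None
        for prefix, sid in self.routes.items():
            if addr in prefix and (match is None or prefix.prefixlen > match[0].prefixlen):
                match = (prefix, sid)
        return None if match is None else match[1]


def walk_through():
    """Constructed subscribers: alice has a static /60 in RADIUS, bob uses the pool."""
    bras = Bras(RadiusServer({"alice@example.net": "2001:db8:f00::/60"}))
    bras.ppp_up("ppp0", "alice@example.net")
    alice = bras.pd_request("ppp0")
    bras.ppp_up("ppp1", "bob@example.net")
    bob = bras.pd_request("ppp1")
    return bras, alice, bob


if __name__ == "__main__":
    bras, alice, bob = walk_through()
    print("alice:", alice, "bob:", bob, "route:", bras.route_for("2001:db8:f00::1"))
    bras.reboot()
    print("after BRAS reboot:", bras.route_for("2001:db8:f00::1"))
```

The route table is what the original question was missing: the BRAS installs the delegated prefix toward the session interface at the moment it hands the prefix out, so no routing protocol runs toward the CPE. After `reboot()` the same address resolves to nothing until the CPE reconnects and sends a fresh PD request, which is exactly the behaviour a PPP-based CPE gets for free and a Layer 3 access network has to engineer.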
On Sat, 04 Dec 2010 22:40:50 -0500 Mark Radabaugh <mark@amplex.net> wrote:
Probably a case of something being blindingly obvious but...
I have seen plenty of information on IPv6 from an internal network standpoint. I have seen very little with respect to how an ISP is supposed to handle routing to residential consumer networks. I have seen suggestions of running RIPng. The thought of letting Belkin routers (if you can call them that) into the routing table scares me no end.
Is this way easier than I think it is? Did somebody already write the book that I can't find?
"Deploying IPv6"
-- Mark Radabaugh Amplex
mark@amplex.net 419.837.5015
On Sat, 04 Dec 2010 22:40:50 -0500 Mark Radabaugh <mark@amplex.net> wrote:
Probably a case of something being blindingly obvious but...
I have seen plenty of information on IPv6 from an internal network standpoint. I have seen very little with respect to how an ISP is supposed to handle routing to residential consumer networks. I have seen suggestions of running RIPng. The thought of letting Belkin routers (if you can call them that) into the routing table scares me no end.
Is this way easier than I think it is? Did somebody already write the book that I can't find?
Make that "Deploying IPv6 Networks" http://www.ciscopress.com/bookstore/product.asp?isbn=1587052105
-- Mark Radabaugh Amplex
mark@amplex.net 419.837.5015
On Sat, Dec 4, 2010 at 9:40 PM, Mark Radabaugh <mark@amplex.net> wrote:
of running RIPng. The thought of letting Belkin routers (if you can call them that) into the routing table scares me no end.
I think that indeed looks scary. I wouldn't be too concerned about the Belkin routers. How many SP routers are really designed to deal with mass numbers of RIP adjacencies? RIPng sounds like a plan to deploy 2 or 3 IPv6 end networks, not really better than static manual configuration, and with significant disadvantages. So I would suggest static manual configuration of the port on routers facing the CPE, no RIPng. If there are routes to be exchanged with a downstream user, use a proper EGP as one would with IPv4. Use a CPE of a type that scripts can be written to configure, for large scale deployments. If there is an inexpensive CPE with an implementation of DHCPv6 PD that works without issues, I would love to hear about who makes it, and what the device is...
Is this way easier than I think it is? Did somebody already write the book that I can't find?
-- -JH
In article <xs4all.AANLkTikm-=0xT8kJV0_0GbC7FZXofOBn+Fh8oiL6VjuQ@mail.gmail.com> you write:
If there is an inexpensive CPE with an implementation of DHCPv6 PD that works without issues, I would love to hear about who makes it, and what the device is...
AVM Fritzbox 7270/7340/7390
Draytek Vigor 2130/2750
Those are the ones I tested, there are lots more, but according to http://www.getipv6.info/index.php/Broadband_CPE: "To date, there is not one complete implementation of IPv6 on a residential consumer-grade xDSL modem available in North America."
Mike (using native IPv6 over PPPoA + DHCPv6 PD over ADSL).
On 5 dec 2010, at 23:19, Miquel van Smoorenburg wrote:
In article <xs4all.AANLkTikm-=0xT8kJV0_0GbC7FZXofOBn+Fh8oiL6VjuQ@mail.gmail.com> you write:
If there is an inexpensive CPE with an implementation of DHCPv6 PD that works without issues, I would love to hear about who makes it, and what the device is...
AVM Fritzbox 7270/7340/7390 Draytek Vigor 2130/2750
Those are the ones I tested, there are lots more, but according to http://www.getipv6.info/index.php/Broadband_CPE: "To date, there is not one complete implementation of IPv6 on a residential consumer-grade xDSL modem available in North America."
Another list of pointers can be found at http://labs.ripe.net/Members/mirjam/ipv6-cpe-surveys/. Feedback on how these boxes do in a real environment is welcome, as there is still a lot of beta, unfinished implementations, bugs and vapourware around these days.
Marco
On Dec 5, 2010, at 1:32 PM, James Hess wrote:
On Sat, Dec 4, 2010 at 9:40 PM, Mark Radabaugh <mark@amplex.net> wrote:
of running RIPng. The thought of letting Belkin routers (if you can call them that) into the routing table scares me no end.
I think that indeed looks scary. I wouldn't be too concerned about the Belkin routers. How many SP routers are really designed to deal with mass numbers of RIP adjacencies?
RIP doesn't have adjacencies, per se. It's basically a stateless broadcast based protocol. As such, the number of routers really has no major impact other than the traffic level generated by all those broadcasts. Owen
On Saturday, 4 December 2010 at 22:40:50 -0500, Mark Radabaugh wrote:
Probably a case of something being blindingly obvious but...
I have seen plenty of information on IPv6 from an internal network standpoint. I have seen very little with respect to how an ISP is supposed to handle routing to residential consumer networks. I have seen suggestions of running RIPng. The thought of letting Belkin routers (if you can call them that) into the routing table scares me no end.
Is this way easier than I think it is? Did somebody already write the book that I can't find?
-- Mark Radabaugh Amplex
mark@amplex.net 419.837.5015
---end quoted text---
I found the following very helpful. Hardest thing for me was nailing DHCPv6-PD without a DHCP server :)
Deploying IPv6 in Broadband Access Networks
By: Adeel Ahmed; Salman Asadullah
Publisher: John Wiley & Sons
Pub. Date: August 17, 2009
Print ISBN: 978-0-470-19338-9
Web ISBN: 0-470193-38-7
Deploying IPv6 Networks
By: Ciprian Popoviciu; Eric Levy-Abegnoli; Patrick Grossetete
Publisher: Cisco Press
Pub. Date: February 10, 2006
Print ISBN-10: 1-58705-210-5
Print ISBN-13: 978-1-58705-210-1
-- Chris Nicholls Timico Network Operations chris@timico.net
On Dec 6, 2010, at 6:43 PM, Chris Nicholls wrote:
I found the following very helpful. Hardest thing for me was nailing DHCPv6-PD without a DHCP server :)
This is the best/most complete work on IPv6 security to date, IMHO:
<http://www.ciscopress.com/bookstore/product.asp?isbn=1587055945>
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Sell your computer and buy a guitar.
On Mon, Dec 6, 2010 at 5:27 AM, Dobbins, Roland <rdobbins@arbor.net> wrote:
On Dec 6, 2010, at 6:43 PM, Chris Nicholls wrote:
I found the following very helpful. Hardest thing for me was nailing DHCPv6-PD without a DHCP server :)
This is the best/most complete work on IPv6 security to date, IMHO:
<http://www.ciscopress.com/bookstore/product.asp?isbn=1587055945>
----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Sell your computer and buy a guitar.
Speaking of IPV6 security, is there any movement towards any open source IPV6 firewall solutions for the consumer / small business? Almost all the info I've managed to find to date indicates no support, nor any planned support in upcoming releases. Any info would be helpful. cheers Jeff
On Dec 6, 2010, at 8:35 AM, Jeff Johnstone wrote:
Speaking of IPV6 security, is there any movement towards any open source IPV6 firewall solutions for the consumer / small business?
Almost all the info I've managed to find to date indicates no support, nor any planned support in upcoming releases.
Any info would be helpful.
Honestly (and I'm sure some IPv6 folks will want me injured as a result) there should be some '1918-like' space allocated for the corporate guys who "don't get it", so they can nat everyone through a single /128. It would make life easier for them and quite possibly be a large item in pushing ipv6 deployment in the enterprise. I don't see our corporate IT guys that number stuff in 1918 space wanting to put hosts on 'real' ips. The chances for unintended routing are enough to make them say that v6 is actually a security risk vs security enabler is my suspicion. - Jared
On Dec 6, 2010, at 6:55 AM, Jared Mauch wrote:
On Dec 6, 2010, at 8:35 AM, Jeff Johnstone wrote:
Speaking of IPV6 security, is there any movement towards any open source IPV6 firewall solutions for the consumer / small business?
Almost all the info I've managed to find to date indicates no support, nor any planned support in upcoming releases.
Any info would be helpful.
Honestly (and I'm sure some IPv6 folks will want me injured as a result) there should be some '1918-like' space allocated for the corporate guys who "don't get it", so they can nat everyone through a single /128. It would make life easier for them and quite possibly be a large item in pushing ipv6 deployment in the enterprise.
Yes... Those of us who would like to see sanity return to the internet would prefer to have you lynched for such heresy. ;-) Seriously, though, you're welcome to use fd00::/8 for exactly that purpose. The problem is that you (and hopefully it stays this way) won't have much luck finding a vendor that will provide the NAT for you to do it with.
I don't see our corporate IT guys that number stuff in 1918 space wanting to put hosts on 'real' ips. The chances for unintended routing are enough to make them say that v6 is actually a security risk vs security enabler is my suspicion.
There are multiple easy ways to solve this problem that don't require the use of NAT or the damage that comes with it.
First, let's clarify things a bit. I don't think unintended routing is what concerns your IT guys. After all, even with the NAT box today, there's routing from the outside to the inside. It's just controlled by stateful inspection.
It's trivial to implement an IPv6 default-deny-inbound stateful inspection policy that provides exactly the same security model as is afforded by the current NAT box in IPv4 without mangling the packet headers. The rest is superstition. Admittedly, superstition is powerful among IT professionals, especially in the enterprise world. So strong that people on this very list who I generally respect and consider to be good competent professionals tell me that I'm flat out wrong about it.
However, not one of them has been able to produce an argument that actually stands up to scrutiny. The closest they can come is what happens when someone misconfigures something. However, I've always been able to show that it's equally easy to make fatal misconfigurations on the NAT box with just as dire consequences.
Owen
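The default-deny-inbound stateful inspection policy Owen describes, as an added Python model (not code from the thread or from any of the firewalls named later in it). It tracks flows opened from the inside, lets only their replies back in, never rewrites a header, and expires idle state. The inside prefix, the packet tuple, the hosts and the timeout are all constructed; the one deliberate addition is a pass rule for ICMPv6 neighbor-discovery types (RS/RA/NS/NA, RFC 4861), since a literal "deny everything inbound" on IPv6 breaks the link itself, which is the surprise Pete Carah mentions about pf near the end of the thread.

```python
import ipaddress
from collections import namedtuple

# Constructed packet abstraction: addresses are strings, ports are ints.  For
# ICMPv6 the message type goes in icmp_type and the port fields are 0.
Packet = namedtuple("Packet", "src dst proto sport dport icmp_type", defaults=(None,))

# Constructed inside prefix (documentation space, RFC 3849).
INSIDE = ipaddress.ip_network("2001:db8:abcd::/48")

# ICMPv6 types IPv6 needs on-link even under default-deny inbound:
# 133 RS, 134 RA, 135 NS, 136 NA (RFC 4861).
ND_TYPES = {133, 134, 135, 136}


class StatefulFilter:
    """Default-deny-inbound stateful inspection that never rewrites a packet."""

    def __init__(self, inside=INSIDE, timeout=300):
        self.inside = inside
        self.timeout = timeout      # seconds a flow stays open without traffic
        self.states = {}            # (src, dst, proto, sport, dport) -> last seen

    def _is_inside(self, addr):
        return ipaddress.ip_address(addr) in self.inside

    def _expire(self, now):
        self.states = {k: t for k, t in self.states.items() if now - t <= self.timeout}

    def process(self, p, now=0):
        """Return ("pass", p) or ("drop", p); p comes back unmodified either way."""
        self._expire(now)
        if p.proto == "icmpv6" and p.icmp_type in ND_TYPES:
            return "pass", p        # the extra rules a pure default-deny forgets
        src_in, dst_in = self._is_inside(p.src), self._is_inside(p.dst)
        if src_in and not dst_in:
            # Outbound: record the flow so its reply can come back.
            self.states[(p.src, p.dst, p.proto, p.sport, p.dport)] = now
            return "pass", p
        if dst_in and not src_in:
            # Inbound: only the reverse of a recorded flow is allowed through.
            key = (p.dst, p.src, p.proto, p.dport, p.sport)
            if key in self.states:
                self.states[key] = now
                return "pass", p
            return "drop", p
        # Inside-to-inside seen at the perimeter (spoofed) or pure transit: drop.
        return "drop", p


def demo():
    """Constructed traffic through one filter; returns the verdicts in order."""
    fw = StatefulFilter()
    host, resolver, scanner = "2001:db8:abcd:1::10", "2001:db8:ffff::53", "2001:db8:ffff::9"
    return [
        fw.process(Packet(host, resolver, "udp", 5353, 53), now=0)[0],            # outbound query
        fw.process(Packet(resolver, host, "udp", 53, 5353), now=1)[0],            # its reply
        fw.process(Packet(scanner, host, "tcp", 4444, 22), now=1)[0],             # unsolicited
        fw.process(Packet("fe80::1", "ff02::1", "icmpv6", 0, 0, 134), now=1)[0],  # router advert
        fw.process(Packet(resolver, host, "udp", 53, 5353), now=400)[0],          # state expired
    ]


if __name__ == "__main__":
    print(demo())   # outbound and reply pass, unsolicited drops, RA passes, stale reply drops
```

The decision logic is the same one a NAT box applies before it rewrites anything; here the inside host keeps its own address in every packet, so traceback works and there is no translation table to lose. The state table is still a resource an attacker can fill, which is the chokepoint Roland raises further down, so the idle timeout is not optional.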
On 12/6/2010 9:07 AM, Owen DeLong wrote:
Seriously, though, you're welcome to use fd00::/8 for exactly that purpose. The problem is that you (and hopefully it stays this way) won't have much luck finding a vendor that will provide the NAT for you to do it with.
Corporate IT community *expects* a broken Internet. They aren't doing their jobs if they haven't broken everything and its dog. Vendors will provide what their customers demand, so there will be NAT on the corporate firewalls. What I don't want to see is NAT on home routers.
There are multiple easy ways to solve this problem that don't require the use of NAT or the damage that comes with it.
Corporations thrive on damaging traffic, and many prefer NAT. Every instinct in their body screams that removing NAT is bad, and you won't win that argument.
First, let's clarify things a bit. I don't think unintended routing is what concerns your IT guys. After all, even with the NAT box today, there's routing from the outside to the inside. It's just controlled by stateful inspection.
1918 space generally isn't routed to their firewall from the outside, so some mistakes that leave the inside vulnerable are actually somewhat protected by using 1918 space which isn't routed. It's a limited scenario, but what every corp IT guy I know points to.
So strong that people on this very list who I generally respect and consider to be good competent professionals tell me that I'm flat out wrong about it.
It's not superstition that the IP addresses assigned to the inside aren't routed from the upstream to the outside interface of the firewall. i.e., when NAT/SPI is broken, the traffic itself breaks, not a sudden "We are wide open!" event. This is not about *proper* security. It is about the extra gain when someone screws up and kills the firewall ruleset. In a 1 to 1 NAT environment, losing your SPI would be bad. In a 1 to N NAT environment, a majority of the machines can never be reached if the SPI/NAT engine dies (unless the upstream suddenly adds a 1918 route to reach them).
However, not one of them has been able to produce an argument that actually stands up to scrutiny. The closest they can come is what happens when someone misconfigures something. However, I've always been able to show that it's equally easy to make fatal misconfigurations on the NAT box with just as dire consequences.
It is possible, yes. However, in the case of an overloaded NAT without port forwarding, there is no way to reach the backend hosts unless the upstream adds a route to the 1918 space behind the firewall. This is what people object to. A single route. That's it. If NAT doesn't work, the route is required. Without NAT, if your SPI doesn't work, the route is already there and you may have defaulted open. So does NAT add to security? Yes; just not very much. It covers one condition; that is all. For that condition, you have a huge amount of service breakage. For a corporate network, this may be perfectly fine and acceptable. Jack
On Dec 6, 2010, at 10:49 PM, Jack Bates wrote:
So does NAT add to security? Yes; just not very much.
It adds nothing which can't be added in another, better way, and it subtracts a great deal in terms of instantiating unnecessary DoSable stateful chokepoints in the network, not to mention breaking traceback. NAT <> security. NAT is a net security negative.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Sell your computer and buy a guitar.
First, let's clarify things a bit. I don't think unintended routing is what concerns your IT guys. After all, even with the NAT box today, there's routing from the outside to the inside. It's just controlled by stateful inspection.
It might be better stated differently. With NAT, routing from the outside to the inside is controlled by stateful inspection and also by internal policy. In what we usually mean as IPv4 NAT in today's usage, there is not supposed to be a way for an outside attacker to target a particular inside destination, even if its address were known. 1918 space isn't globally routed and the "real" external IP address is the only thing your firewall has to go on; internal policy controls what happens to unsolicited traffic. With IPv6 and a stateful firewall, an outside attacker gains the ability to address devices within your network, even if he is unable to actually cause packets to arrive at that target thanks to your firewall. There's a fundamental difference here that scares some people. They fear an inadvertent dropping of their stateful firewall ruleset, for example, or maybe even bypassing of the firewall through misconfig or other perils at the network level. You won't make much progress on these fears because there's genuinely something to them. What we really need are killer IPv6 apps that can't easily be NAT'd. :-) ... JG
-- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
On 6 Dec 2010, at 11:07 PM, Owen DeLong wrote:
On Dec 6, 2010, at 6:55 AM, Jared Mauch wrote:
On Dec 6, 2010, at 8:35 AM, Jeff Johnstone wrote:
Speaking of IPV6 security, is there any movement towards any open source IPV6 firewall solutions for the consumer / small business?
Almost all the info I've managed to find to date indicates no support, nor any planned support in upcoming releases.
Any info would be helpful.
Honestly (and I'm sure some IPv6 folks will want me injured as a result) there should be some '1918-like' space allocated for the corporate guys who "don't get it", so they can nat everyone through a single /128. It would make life easier for them and quite possibly be a large item in pushing ipv6 deployment in the enterprise.
Yes... Those of us who would like to see sanity return to the internet would prefer to have you lynched for such heresy. ;-)
Seriously, though, you're welcome to use fd00::/8 for exactly that purpose. The problem is that you (and hopefully it stays this way) won't have much luck finding a vendor that will provide the NAT for you to do it with.
You can of course use Unique Local IPv6 Unicast Addresses internally. (RFC 4193). And if you wanted you could NAT66. But, this is not an ideal way to design a network. The benefit of RFC1918 addresses is that you can easily know the perimeter of your global reachability. You can achieve the same with public IPv6 by *knowing* your security policy. Public addresses on internal infrastructure are quite normal.
I don't see our corporate IT guys that number stuff in 1918 space wanting to put hosts on 'real' ips. The chances for unintended routing are enough to make them say that v6 is actually a security risk vs security enabler is my suspicion.
There are multiple easy ways to solve this problem that don't require the use of NAT or the damage that comes with it.
First, let's clarify things a bit. I don't think unintended routing is what concerns your IT guys. After all, even with the NAT box today, there's routing from the outside to the inside. It's just controlled by stateful inspection.
It's trivial to implement an IPv6 default-deny-inbound stateful inspection policy that provides exactly the same security model as is afforded by the current NAT box in IPv4 without mangling the packet headers. The rest is superstition. Admittedly, superstition is powerful among IT professionals, especially in the enterprise world. So strong that people on this very list who I generally respect and consider to be good competent professionals tell me that I'm flat out wrong about it.
However, not one of them has been able to produce an argument that actually stands up to scrutiny. The closest they can come is what happens when someone misconfigures something. However, I've always been able to show that it's equally easy to make fatal misconfigurations on the NAT box with just as dire consequences.
Owen
I agree with Owen. You could NAT66, but seriously, why bother with all that headache in implementing v6 on your hosts and then putting all sessions through NAT. IPv6 security policy would be more explicit security than a NAT perimeter. Truman
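Owen and Truman point to fd00::/8, the RFC 4193 Unique Local Address space, as the IPv6 counterpart of RFC 1918. Unlike 1918 space, RFC 4193 prefixes are meant to be pseudo-random so that two networks numbered independently can later be joined without renumbering, and section 3.2.2 of the RFC spells out the generator: SHA-1 over a 64-bit NTP timestamp concatenated with an EUI-64, low 40 bits as the Global ID, prefixed with fd. The following is an added Python implementation of that procedure, not code from the thread; the MAC address and timestamp fed to it are constructed.

```python
import hashlib
import ipaddress
import struct


def eui64_from_mac(mac):
    """Modified EUI-64 from a 48-bit MAC (RFC 4291 appendix A): insert ff:fe in
    the middle and flip the universal/local bit of the first octet."""
    octets = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def ula_prefix(ntp_time, eui64):
    """RFC 4193 section 3.2.2: Global ID = low 40 bits of SHA-1(NTP time || EUI-64);
    the /48 is fd (fc00::/7 with the L bit set) followed by the Global ID."""
    key = struct.pack(">Q", ntp_time) + eui64
    global_id = hashlib.sha1(key).digest()[-5:]
    return ipaddress.IPv6Network((b"\xfd" + global_id + bytes(10), 48))


def ula_subnet(prefix, subnet_id):
    """Carve a /64 out of the /48 using the 16-bit Subnet ID field."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


def is_ula(network):
    """True if the network lies inside fc00::/7, the unique local range."""
    return ipaddress.ip_network(network).subnet_of(ipaddress.ip_network("fc00::/7"))


if __name__ == "__main__":
    # Constructed inputs: a fixed 64-bit NTP timestamp and an invented, locally
    # administered MAC address.
    prefix = ula_prefix(0xD9F3E1A012345678, eui64_from_mac("02:00:5e:10:00:01"))
    print(prefix, ula_subnet(prefix, 1), is_ula(prefix))
```

Because the Global ID is hashed rather than chosen, an organisation that picks fd00:1::/48 by hand throws away the collision resistance the RFC was written to provide; running the generator once and recording the result is the intended use. Whether anything NATs between that prefix and the outside is a separate decision from which prefix you number with.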
On Mon, 6 Dec 2010, Owen DeLong wrote:
Seriously, though, you're welcome to use fd00::/8 for exactly that purpose. The problem is that you (and hopefully it stays this way) won't have much luck finding a vendor that will provide the NAT for you to do it with.
[with my flame-retardant hat installed firmly]
So what's the IPV6 solution for PCI compliance, where 1.3.8 requires the use of RFC1918 space? Admittedly, it's been a year or two since I last had to engineer around that particular set of rules...but it's life or death for a lot of folks.
-- david raistrick http://www.netmeister.org/news/learn2quote.html
drais@icantclick.org http://www.expita.com/nomime.html
On Tue, Dec 07, 2010 at 08:18:31AM -0500, david raistrick wrote:
On Mon, 6 Dec 2010, Owen DeLong wrote:
Seriously, though, you're welcome to use fd00::/8 for exactly that purpose. The problem is that you (and hopefully it stays this way) won't have much luck finding a vendor that will provide the NAT for you to do it with.
[with my flame-retardant hat installed firmly]
So what's the IPV6 solution for PCI compliance, where 1.3.8 requires the use of RFC1918 space? Admittedly, it's been a year or two since I last had to engineer around that particular set of rules...but it's life or death for a lot of folks.
Simple. Use RFC1918 IPv4 alongside global IPv6 addresses. Done :-)
On Dec 7, 2010, at 6:05 AM, Chuck Anderson wrote:
On Tue, Dec 07, 2010 at 08:18:31AM -0500, david raistrick wrote:
On Mon, 6 Dec 2010, Owen DeLong wrote:
Seriously, though, you're welcome to use fd00::/8 for exactly that purpose. The problem is that you (and hopefully it stays this way) won't have much luck finding a vendor that will provide the NAT for you to do it with.
[with my flame-retardant hat installed firmly]
So what's the IPV6 solution for PCI compliance, where 1.3.8 requires the use of RFC1918 space? Admittedly, it's been a year or two since I last had to engineer around that particular set of rules...but it's life or death for a lot of folks.
Simple. Use RFC1918 IPv4 alongside global IPv6 addresses. Done :-)
1. PCI allows for equivalent effective security. IPv6 privacy addresses actually meet that test, among other possible solutions. 2. I believe there is work underway to correct some of the specious requirements in PCI DSS, among which this is one. Owen
On 12/7/10 5:18 AM, david raistrick wrote:
On Mon, 6 Dec 2010, Owen DeLong wrote:
Seriously, though, you're welcome to use fd00::/8 for exactly that purpose. The problem is that you (and hopefully it stays this way) won't have much luck finding a vendor that will provide the NAT for you to do it with.
[with my flame-retardant hat installed firmly]
So what's the IPV6 solution for PCI compliance, where 1.3.8 requires the use of RFC1918 space? Admittedly, it's been a year or two since I last had to engineer around that particular set of rules...but it's life or death for a lot of folks.
Document a compensating control... In that particular case it is trivial to demonstrate that the in-scope addresses are not exposed to the internet.
-- david raistrick http://www.netmeister.org/news/learn2quote.html drais@icantclick.org http://www.expita.com/nomime.html
On 12/6/10 6:55 AM, Jared Mauch wrote:
On Dec 6, 2010, at 8:35 AM, Jeff Johnstone wrote:
Speaking of IPV6 security, is there any movement towards any open source IPV6 firewall solutions for the consumer / small business?
Almost all the info I've managed to find to date indicates no support, nor any planned support in upcoming releases.
Any info would be helpful.
Honestly (and I'm sure some IPv6 folks will want me injured as a result) there should be some '1918-like' space allocated for the corporate guys who "don't get it", so they can nat everyone through a single /128. It would make life easier for them and quite possibly be a large item in pushing ipv6 deployment in the enterprise.
There's literally nothing to prevent them from doing that today. There's a /8 of ULA-L and NAT66 implementations exist.
I don't see our corporate IT guys that number stuff in 1918 space wanting to put hosts on 'real' ips. The chances for unintended routing are enough to make them say that v6 is actually a security risk vs security enabler is my suspicion.
The chances of unintended routing with overlapping rfc-1918 domains and a bit of 2547 vpn in the mix are non trivial... Using GUA ipv6 space there's at least some chance that I'll actually see the leak and interpret it as such rather than wondering why my packets are going into a black hole or being discarded as out of state because they come back on a different VRF than they go out on.
- Jared
On 12/6/10 5:35 AM, Jeff Johnstone wrote:
Speaking of IPV6 security, is there any movement towards any open source IPV6 firewall solutions for the consumer / small business?
Almost all the info I've managed to find to date indicates no support, nor any planned support in upcoming releases.
Any info would be helpful.
monowall and openwrt (both for embedded routers) support v6 without drama.
cheers Jeff
Speaking of IPV6 security, is there any movement towards any open source IPV6 firewall solutions for the consumer / small business?
Almost all the info I've managed to find to date indicates no support, nor any planned support in upcoming releases.
Any info would be helpful.
monowall and openwrt (both for embedded routers) support v6 without drama.
I believe Shorewall does too, now.
On Dec 9, 2010, at 9:39 PM, George Bonser wrote:
Speaking of IPV6 security, is there any movement towards any open source IPV6 firewall solutions for the consumer / small business?
Almost all the info I've managed to find to date indicates no support, nor any planned support in upcoming releases.
Any info would be helpful.
monowall and openwrt (both for embedded routers) support v6 without drama.
I believe Shorewall does too, now.
FreeBSD w/ PF seems to work great as well. :-) -wil
On 12/10/2010 12:52 AM, Wil Schultz wrote:
On Dec 9, 2010, at 9:39 PM, George Bonser wrote:
Speaking of IPV6 security, is there any movement towards any open source IPV6 firewall solutions for the consumer / small business?
Almost all the info I've managed to find to date indicates no support, nor any planned support in upcoming releases.
Any info would be helpful.
monowall and openwrt (both for embedded routers) support v6 without drama.
I believe Shorewall does too, now.
FreeBSD w/ PF seems to work great as well. :-)
-wil
I'll second that; for 8-12 mbit with no vlans it even runs fine on a Soekris 4801 (I have 2 4801's and a 5500 (which has a fairly complicated internal vlan-based network and a 20meg external connection) doing normal nat + HE tunnel to native v6 internally). Since my boss got win7 going there is plenty of exercise for the v6 path. I suspect the OP wants a consumer-level gui though, which plain fbsd doesn't do, and there are some tricky parts to v6 pf configuration to handle ra and ndp (which I hope will get documented someday - 2 extra pass rules that you wouldn't expect to need). One of these days we will get native v6 coming in (hint, comcast :-)
-- Pete
participants (24)
- Ben Jencks
- Bill Fehring
- Chris Nicholls
- Chuck Anderson
- david raistrick
- Dobbins, Roland
- George Bonser
- Jack Bates
- James Hess
- Jared Mauch
- Jeff Johnstone
- Joe Greco
- Joel Jaeggli
- MarcoH - lists
- Mark Newton
- Mark Radabaugh
- Mark Smith
- Matthew Moyle-Croft
- Mike
- Miquel van Smoorenburg
- Owen DeLong
- Pete Carah
- Truman Boyes
- Wil Schultz