[olug] Ipv6 help/pointers

DYNATRON tech dynatron at gmail.com
Thu Jul 25 17:31:23 UTC 2013


The NAT issue is the reason I disable IPv6 on everything. I may be
paranoid or ignorant, but it seems to me that IPv6 creates many
problems from a security standpoint. For 10 years I've been hearing
about how the world will run out of IP addresses soon, and for 10
years, it hasn't happened yet... thanks to NAT.

I can see some situations where IPv6 could be useful, but I'm going to
disable it until my ISP refuses to give me an IPv4 public address.

On 7/24/13, Lou Duchez <lou at paprikash.com> wrote:
> On 7/24/2013 5:50 PM, Obi-Wan wrote:
>> On 07/24/2013 04:27 PM, Lou Duchez wrote:
>>> IPv6:
>>> your ISP won't be providing an IP address so much as a 64-bit network
>>> space
>>> router will not perform NAT -- 128-bit addresses contain enough
>>> information to be routable on both the private and public sides
>>> router will still perform most of its usual functions -- gateway,
>>> firewall, etc -- it just won't need NAT to perform them
>>
>> So does this mean that IPv6 CAN'T do NAT, even if you wanted to for
>> security obfuscation?  I'd really rather the rest of the world not
>> know anything about the internals of my home network.
>>
> As far as I know, IPv6 simply does not allow for NAT.  I can even
> "prove" it with Linux documentation:
>
> http://linux.die.net/man/8/ip6tables
>
> There are "filter" and "mangle" tables like in iptables, but not "nat";
> and the "masquerade" target no longer exists.
>
> I know what you mean about security concerns; I was pretty comfortable
> with the idea that it is physically impossible for traffic to get routed
> to some of the machines on my LAN.  Now it's not physically impossible,
> I just have to create a rule to prevent it ... that is a little less
> comforting.
>
> I also get the feeling, but I can't prove it, that ISPs are going to be
> dishing out static IPs (or rather static /64s) to all customers, rather
> than have a DHCP pool.  Since NAT will no longer be happening, just
> imagine the chaos if restarting your router meant getting a new /64:
> every device on your LAN would need to pick up that new /64, and you
> wouldn't be able to give your network printer a static IP any longer.
> (Actually you could -- there are classes of unroutable IPs -- but I'm
> guessing they're not going to be the typical solution.)
>
> And you know what else you won't be able to do?  Set up a network with
> two disparate gateways.
>
> All of which makes me think that some form of NAT will eventually get
> built into IPv6.
>
>
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://lists.olug.org/mailman/listinfo/olug
>
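The point raised in the quoted message (with IPv6 every LAN host is globally routable, so the protection NAT used to give as a side effect has to be written down as an explicit firewall rule) can be shown concretely. The following is an added example, not code from the thread or from any of its posters: a minimal stateful IPv6 forwarding policy for a home router in ip6tables-restore format. The interface names eth0/eth1 and the 2001:db8:abcd::/64 prefix are placeholders (2001:db8::/32 is the documentation range), and the script prints the ruleset by default instead of loading it, so it can be inspected on any machine.

```shell
#!/bin/sh
# Added example, not from the OLUG thread. Assumed placeholders: WAN_IF is the
# upstream interface, LAN_IF the inside interface, LAN_PREFIX the /64 the ISP
# delegated (documentation prefix here).
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_PREFIX="${LAN_PREFIX:-2001:db8:abcd::/64}"

# Emit the ruleset as text. Keeping it in a function lets it be reviewed
# (or tested) without touching the kernel.
ip6_forward_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Router itself: loopback, replies to its own connections, and the ICMPv6
# types neighbour/router discovery depends on.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
# Forwarded traffic: replies to connections the LAN opened come back here.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anything the LAN originates toward the Internet may go out, but only from
# our own prefix (blocks spoofed sources leaving the network).
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_PREFIX -j ACCEPT
# IPv6 breaks without ICMPv6 (path MTU discovery in particular), so do not
# blanket-drop it; permit the error types end hosts need.
-A FORWARD -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type echo-request -m limit --limit 10/s -j ACCEPT
# Everything else arriving from the WAN toward the LAN is logged (rate
# limited) and dropped. This is the rule that replaces what NAT gave "for free".
-A FORWARD -i $WAN_IF -o $LAN_IF -m limit --limit 5/min -j LOG --log-prefix "ip6-unsolicited: "
-A FORWARD -i $WAN_IF -o $LAN_IF -j DROP
COMMIT
EOF
}

# Load the ruleset atomically with ip6tables-restore, unless IP6_DRY_RUN is
# set (the default), in which case the rules are only printed for review.
apply_ip6_rules() {
    if [ "${IP6_DRY_RUN:-1}" = "1" ]; then
        ip6_forward_rules
    else
        ip6_forward_rules | ip6tables-restore
    fi
}

# Usage: review with `sh this.sh`, load as root with `IP6_DRY_RUN=0 sh this.sh`.
# apply_ip6_rules
```

The policy is deliberately default-deny in the FORWARD chain; the last two rules are only there so unsolicited inbound attempts show up in the kernel log rather than vanishing silently, which is the visibility NAT never offered either.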
