/27 the new /24

Stephen Satchell list at satchell.net
Sun Oct 4 14:49:00 UTC 2015


On 10/04/2015 06:40 AM, Matthias Leisi wrote:
> Fully agree. But the current state of IPv6 outside "professional"
> networks/devices is sincerely limited by a lot of poor CPE and
> consumer device implementations.

I have to ask:  where is the book _IPv6 for Dummies_ or equivalent?

Specifically, is 
http://www.xnetworks.es/contents/Infoblox/IPv6forDummies.pdf any good? 
(I just downloaded it to inspect.)

My bookshelf is full of books describing IPv4.  Saying "IPv6 just works" 
ignores the issues of configuring intelligent firewalls to block the 
ne'er-do-wells using the new IP-level protocol.

In Robert L. Ziegler's book _Linux Firewalls_ Second Edition (2002, ISBN 
0-7357-1099-6), the *only* mention of IPv6 is in the discussion of NAT, 
and that discussion is limited to "NAT is a stopgap until IPv6 achieves 
wide implementation."  A preview of the Third Edition fails to mention 
ip6tables at all, the same lack that the Second Edition has.

I use CentOS, the community version of Red Hat Enterprise.  I looked 
around for useful books on building IPv6 firewalls with the same 
granularity as the above-mentioned book for IPv4, and haven't found 
anything useful as yet.  In particular, I'm looking for material that 
lays out how to build a mostly-closed firewall and DMZ in IPv6.  The 
lack of IPv6 support goes further:  I didn't find anything useful in Red 
Hat (CentOS) firewall tools that provides IPv6 support...but that's 
probably because I don't know what I'm looking for.  (Also, that GUI 
software is intended for use on individual servers/computers, not in an 
edge-firewall with forwarding and DMZ responsibilities.)

Building a secure firewall takes more than just knowing how to issue 
ip6tables commands; one also needs to know exactly what goes into those 
commands.  NANOG concentrates on network operators who need to provide a 
good Internet experience to all their downstream customers, which is why 
I see the bias toward openness...as it should be.  Those of us who run 
edge networks have different problems to solve.

I'm not asking NANOG to go past its charter, but I am asking the IPv6 
fanatics on this mailing list to recognize that, even though the net 
itself may be running IPv6, the support and education infrastructure is 
still behind the curve.  Reading RFCs is good, reading man pages is 
good, but there is no guidance about how to implement end-network 
policies in the wild yet...at least not that I've been able to find.

"ipv6.disable" will be changed to zero when I know how to set the 
firewall to implement the policies I need to keep other edge networks 
from disrupting mine.
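A mostly-closed ip6tables ruleset of the kind the post is asking for, as an added example that is not from the post or from any of the books it names. It is a small sh script that emits the ruleset in ip6tables-restore format for an edge firewall with a LAN and a DMZ. The interface names, the 2001:db8:: documentation prefixes and the single DMZ web host address are assumptions; the ICMPv6 handling follows the general filtering guidance of RFC 4890.

```shell
#!/bin/sh
# Added example, not the original post's code. Emits an ip6tables-restore
# ruleset for an edge firewall: default DROP, LAN may reach WAN and DMZ,
# DMZ may reach WAN only, WAN may reach one DMZ web host on 80/443.
# Interface names and prefixes are assumptions (override via environment).
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
DMZ=${DMZ:-eth2}
LAN_NET=${LAN_NET:-2001:db8:1::/64}     # documentation prefix, constructed
DMZ_NET=${DMZ_NET:-2001:db8:2::/64}     # documentation prefix, constructed
DMZ_WEB=${DMZ_WEB:-2001:db8:2::80}      # hypothetical DMZ web server

ipv6_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ICMP6_OK - [0:0]
# ICMPv6 the firewall must not block (unlike ICMP in an IPv4 firewall):
#   types 1-4: destination-unreachable, packet-too-big (Path MTU discovery,
#              routers never fragment in IPv6), time-exceeded, parameter-problem
#   type 128:  echo-request, rate-limited
#   types 133-136: router/neighbour solicitation and advertisement; Neighbor
#              Discovery is always sent with hop limit 255, so --hl-eq 255
#              admits it only from on-link senders, never from routed traffic.
-A ICMP6_OK -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A ICMP6_OK -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A ICMP6_OK -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A ICMP6_OK -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A ICMP6_OK -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 10/s -j ACCEPT
-A ICMP6_OK -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A ICMP6_OK -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A ICMP6_OK -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A ICMP6_OK -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A ICMP6_OK -j RETURN
# Traffic to the firewall itself.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Type 0 routing headers (deprecated, usable for traffic amplification): drop.
-A INPUT -m rt --rt-type 0 -j DROP
# Anti-spoofing: our own prefixes never arrive from the WAN side.
-A INPUT -i $WAN -s $LAN_NET -j DROP
-A INPUT -i $WAN -s $DMZ_NET -j DROP
-A INPUT -p ipv6-icmp -j ICMP6_OK
# Management only from the LAN.
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6 INPUT drop: "
# Traffic routed through the firewall.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -i $WAN -s $LAN_NET -j DROP
-A FORWARD -i $WAN -s $DMZ_NET -j DROP
-A FORWARD -p ipv6-icmp -j ICMP6_OK
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -s $LAN_NET -j ACCEPT
-A FORWARD -i $DMZ -o $WAN -s $DMZ_NET -j ACCEPT
# The only service exposed to the Internet: the DMZ web host, new connections only.
-A FORWARD -i $WAN -o $DMZ -d $DMZ_WEB -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ip6 FORWARD drop: "
COMMIT
EOF
}

# Write the ruleset to stdout; redirect it into the file the distribution's
# ip6tables service loads (on CentOS: /etc/sysconfig/ip6tables).
ipv6_ruleset
```

Load it with `ip6tables-restore < /etc/sysconfig/ip6tables` (or the ip6tables service on CentOS) after setting net.ipv6.conf.all.forwarding=1. Note that nothing in the DMZ can open connections into the LAN, and that the explicit ICMPv6 chain is the part an IPv4 firewall book does not prepare you for: with a blanket ICMPv6 drop the firewall's own links lose Neighbor Discovery and every host behind it loses Path MTU discovery.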
