IPv6 uptake

Mike Hammett nanog at ics-il.net
Mon Feb 19 15:28:51 UTC 2024


"In IPv6's default operation, if Joe has two connections then each of 
his computers has two IPv6 addresses and two default routes. If one 
connection goes down, one of the routes and sets of IP addresses goes 
away." 


This sounds like a disaster. 



----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

----- Original Message -----

From: "William Herrin" <bill at herrin.us> 
To: "Mike Hammett" <nanog at ics-il.net> 
Cc: nanog at nanog.org 
Sent: Monday, February 19, 2024 9:16:52 AM 
Subject: Re: IPv6 uptake 

On Mon, Feb 19, 2024 at 6:52 AM Mike Hammett <nanog at ics-il.net> wrote: 
> "We can seriously lose NAT for v6 and not lose 
> anything of worth." 
> 
> I'm not going to participate in the security conversation, but we 
> do absolutely need something to fill the role of NAT in v6. If it's 
> already there or not, I don't know. Use case: Joe's Taco Shop. 
> Joe doesn't want a down Internet connection to prevent 
> transactions from completing, so he purchases two diverse 
> broadband connections, say a cable connection and a DSL connection. 

Hi Mike, 

In IPv6's default operation, if Joe has two connections then each of 
his computers has two IPv6 addresses and two default routes. If one 
connection goes down, one of the routes and sets of IP addresses goes 
away. 

Network security for that scenario is, of course, challenging. There's 
a longer list of security-impacting things that can go wrong than with 
the IPv4 NAT + dual ISP scenario. 

There's also the double-ISP loss scenario that causes Joe to lose all 
global-scope IP addresses. He can overcome that by deploying ULA 
addresses (a third set of IPv6 addresses) on the internal hosts, but 
convincing the internal network protocols to stay on the ULA addresses 
is wonky too. 

There's also 1:1 NAT where Joe can just use ULA addresses internally 
and have the firewall translate into the address block of the active 
ISP. However, because this provides a full map between every internal 
address, protocol and port to external addresses and ports (the entire 
internal network is addressable from outside), it has no positive 
impact on security the way IPv4's address-overloaded NAT does. 

Regards, 
Bill Herrin 

-- 
William Herrin 
bill at herrin.us 
https://bill.herrin.us/ 
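The multi-prefix behaviour Bill describes (two RAs, two addresses, two default routes, one set ageing out when an ISP's router goes quiet, and a ULA set that survives both), modelled as an added example that is not part of this thread. It assumes RFC 4861 lifetime handling on the host; the router addresses, documentation prefixes, interface identifier and RA timings are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class RouterAdvert:
    router: str            # link-local address of the advertising router
    router_lifetime: int   # seconds as default router; 0 = not a default router (RFC 4861 6.3.4)
    prefix: str            # advertised /64 with the autonomous (A) flag set
    valid_lifetime: int    # seconds the SLAAC-derived address stays valid

@dataclass
class HostState:
    iid: int                                              # 64-bit interface identifier (constructed)
    default_routers: dict = field(default_factory=dict)   # router -> expiry time
    addresses: dict = field(default_factory=dict)         # address -> expiry time

    def receive_ra(self, ra, now):
        # Default router list: refresh on a non-zero lifetime, drop on zero.
        if ra.router_lifetime > 0:
            self.default_routers[ra.router] = now + ra.router_lifetime
        else:
            self.default_routers.pop(ra.router, None)
        # SLAAC: form prefix + IID and (re)arm the address's valid lifetime.
        net = ipaddress.IPv6Network(ra.prefix)
        addr = str(ipaddress.IPv6Address(int(net.network_address) | self.iid))
        self.addresses[addr] = now + ra.valid_lifetime

    def expire(self, now):
        # Routes and addresses whose lifetimes have lapsed simply vanish.
        self.default_routers = {r: t for r, t in self.default_routers.items() if t > now}
        self.addresses = {a: t for a, t in self.addresses.items() if t > now}

    def snapshot(self):
        return sorted(self.default_routers), sorted(self.addresses)

# Constructed scenario: a cable router, a DSL router, and a LAN router that only
# advertises a ULA prefix (it is not a default router).
CABLE = RouterAdvert("fe80::1", router_lifetime=1800, prefix="2001:db8:a::/64", valid_lifetime=1800)
DSL = RouterAdvert("fe80::2", router_lifetime=1800, prefix="2001:db8:b::/64", valid_lifetime=1800)
ULA = RouterAdvert("fe80::3", router_lifetime=0, prefix="fd00:7a:c0::/64", valid_lifetime=7200)

def simulate_dsl_outage():
    """Return host state (a) with both ISPs up and (b) after the DSL RAs stop."""
    host = HostState(iid=0x1234)
    for ra in (CABLE, DSL, ULA):
        host.receive_ra(ra, now=0)
    both_up = host.snapshot()
    # Cable keeps re-advertising every 600 s; DSL goes silent after t=0.
    for t in (600, 1200, 1800, 2400):
        host.receive_ra(CABLE, now=t)
        host.expire(now=t)
    return both_up, host.snapshot()
```

Note that failover here is driven purely by RA lifetimes: until the DSL router's advertised lifetime lapses, the host still holds the dead default route and may source packets from the DSL prefix.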
