The Choice: IPv4 Exhaustion or Transition to IPv6

Simon Leinen simon.leinen at switch.ch
Fri Jun 29 18:43:28 UTC 2007


Steven M Bellovin writes:
> I'll give just one example, using your suggestion of converting DMZ: how
> do you keep your firewall rules consistent between v4 and v6
> addresses and prefixes?

This is indeed a major issue in our (internal) dual-stack deployment.
Our firewall rules (actually just stateless ACLs on our data-center
routers) are generated from high-level rules, but the generator can
only generate IPv4 ACLs.  Since we failed to convince the responsible
team to add IPv6 ACL generation, we wrote a script that converts IPv4
ACLs into IPv6 ACLs.  The script extracts the IPv4->IPv6 address
mapping from router configurations (for subnets), the DNS (for hosts),
and itself (hardcoded exceptions)-: Works surprisingly well.

> This involves vendor technology (the firewall box), communication
> with your ISP (handling prefix changes), local technology (you do
> have a change control process for firewall rules, right, and perhaps
> a database of machines and addresses?), and training.

But those are all issues that have to be addressed whether you are
dual-stack or not.

Our current mechanism (while a hack) is pretty transparent - the
firewall rule update procedure is the same from the points of view of
both the ruleset producers (security team) and consumers (who install
the rules on the routers).  It's just that the change reports now
include IPv6 ACL changes.  (Actually, the IPv6 ACLs don't "diff" as
nicely as the IPv4 ones, because of an implementation shortcoming in
our routers.)

> It may also involve upgrading some of the servers because of the
> rapid changes in v6 support.  (I'll cite a personal example: I
> upgraded the OS on a machine of mine recently, and found that my
> mailing lists weren't working.  Why?  Because the version of Postfix
> had been changed to one with v6 support, and I had to specify v6
> loopback addresses in some mysterious place.)

This is typical for the kind of problems you will encounter when going
dual-stack.

> That's not to say this is an excuse for delay.  Converting is going to
> get harder when you acquire more gear, not easier.

Right, but it's going to become easier as there are more (early)
adopters that help iron out these issues for the community.
-- 
Simon.
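An added illustration of the conversion step described above (example code, not the script from the post): IPv4 ACL lines are rewritten to IPv6 using the three mapping sources named there, subnets, DNS host entries and hardcoded exceptions, and any address with no known mapping is flagged for manual review rather than guessed. The ACL syntax, the mapping tables and all addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample mappings standing in for the three sources the post
# describes: router configs (subnets), DNS (hosts) and hardcoded exceptions.
SUBNETS = {"192.0.2.0/24": "2001:db8:1::/64", "198.51.100.0/24": "2001:db8:2::/64"}
DNS_HOSTS = {"192.0.2.10": "2001:db8:1::10", "198.51.100.25": "2001:db8:2::25"}
EXCEPTIONS = {"203.0.113.7": "2001:db8:ffff::7"}


def map_address(token):
    """Map one IPv4 ACL address token to IPv6, or None if no mapping is known."""
    if token == "any":
        return "any"
    try:
        net = ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None  # malformed token: flag it rather than guess
    # Normalise so "192.0.2.10" and "192.0.2.10/32" hit the same table entry.
    key = str(net.network_address) if net.prefixlen == 32 else str(net)
    for table in (EXCEPTIONS, DNS_HOSTS, SUBNETS):  # exceptions take precedence
        if key in table:
            return table[key]
    # A host with no AAAA record cannot be derived from its subnet mapping;
    # refusing to map it avoids silently permitting a different v6 address.
    return None


def convert_acl(v4_lines):
    """Translate 'permit|deny <proto> <src> <dst> [ports...]' lines to IPv6.
    Returns (v6_lines, unmapped) so reviewers see exactly what was not translated."""
    v6_lines, unmapped = [], []
    for line in v4_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("permit", "deny"):
            unmapped.append(line)
            continue
        action, proto, src, dst = parts[:4]
        src6, dst6 = map_address(src), map_address(dst)
        if src6 is None or dst6 is None:
            unmapped.append(line)
            v6_lines.append(f"! UNMAPPED (needs a manual rule): {line}")
            continue
        proto6 = "ipv6" if proto == "ip" else proto  # Cisco-style keyword swap
        v6_lines.append(" ".join([action, proto6, src6, dst6] + parts[4:]))
    return v6_lines, unmapped


# Constructed sample IPv4 ACL, not taken from any real router.
SAMPLE_V4 = [
    "permit tcp any 192.0.2.10 eq 443",
    "permit ip 192.0.2.0/24 198.51.100.0/24",
    "permit tcp 203.0.113.7 198.51.100.25 eq 22",
    "permit tcp any 192.0.2.99 eq 25",  # host without an AAAA record: flagged
    "deny ip any any",
]
```

Running `convert_acl(SAMPLE_V4)` yields four translated rules plus one flagged line, and the `unmapped` list is what a change report would surface to the ruleset producers.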
