/27 the new /24

Stephen Satchell list at satchell.net
Sun Oct 4 14:49:00 UTC 2015

On 10/04/2015 06:40 AM, Matthias Leisi wrote:
> Fully agree. But the current state of IPv6 outside "professional“
> networks/devices is sincerely limited by a lot of poor CPE and
> consumer device implementations.

I have to ask:  where is the book _IPv6 for Dummies_ or equivalent?

Specifically, is 
http://www.xnetworks.es/contents/Infoblox/IPv6forDummies.pdf any good? 
(I just downloaded it to inspect.)

My bookshelf is full of books describing IPv4.  Saying "IPv6 just works" 
ignores the issues of configuring intelligent firewalls to block the 
ne-er-do-wells using the new IP-level protocol.

In Robert L. Ziegler's book _Linux Firewalls_ Second Edition (2002, ISBN 
0-7357-1099-6), the *only* mention of IPv6 is in the discussion of NAT, 
and that discussion is limited to "NAT is a stopgap until IPv6 achieves 
wide implementation.  A preview of the Third Edition fails to mention 
ip6tables at all, the same lack that the Second Edition has.

I use CentOS, the community version of Red Hat Enterprise.  I looked 
around for useful books on building IPv6 firewalls with the same 
granularity as the above-mentioned book for IPv4, and haven't found 
anything useful as yet.  In particular, I'm looking for material that 
lays out how to build a mostly-closed firewall and DMZ in IPv6.  The 
lack of IPv6 support goes further:  I didn't find anything useful in Red 
Hat (CentOS) firewall tools that provides IPv6 support...but that's 
probably because I don't know what I'm looking for.  (Also, that GUI 
software is intended for use on individual servers/computers, not in a 
edge-firewall with forwarding and DMZ responsibilities.)

Building a secure firewall takes more than just knowing how to issue 
ip6table commands; one also needs to know exactly what goes into those 
commands.  NANOG concentrates on network operators who need to provide a 
good Internet experience to all their downstream customers, which is why 
I see the bias toward openness...as it should be.  Those of us who run 
edge networks have different problems to solve.

I'm not asking NANOG to go past its charter, but I am asking the IPv6 
fanatics on this mailing list to recognize that, even though the net 
itself may be running IPv6, the support and education infrastructure is 
still behind the curve.  Reading RFCs is good, reading man pages is 
good, but there is no guidance about how to implement end-network 
policies in the wild yet...at least not that I've been able to find.

"ipv6.disable" will be changed to zero when I know how to set the 
firewall to implement the policies I need to keep other edge networks 
from disrupting mine.

More information about the NANOG mailing list