Given that I haven't implemented IPv6 in the least, I probably shouldn't be wading into this discussion, but I've read a bit about it. That may not mean so much, though...
So anyway, as I understand it, IPv6 addresses are all about the address prefix...and one of the prefixes is a link-local prefix, which allows only communication with hosts on the local subnet. My assumptions have been that there will be a gateway firewall between the trusted network and the untrusted and/or DMZ networks with specific holes punched to allow permitted traffic, and everything else being blocked, by default. That does leave the possibility of a misconfiguration on the firewall, and since security in-depth is a way of life, only the internal hosts which need direct communication with the outside world will have IPs with routable prefixes. All non-hardened machines will only have a link-local IP (or have a secondary IP which is enterprise-specific and unroutable).

Not every network can abide by an "ideal", where internal hosts need no communication with the outside world (Spacewalk / MS Update servers don't grow on trees, I suppose), but it seems that in a lot of the cases where extra security is encouraged, this would be a viable option.

Like I said, though, I may have a significant misunderstanding of the situation, in which case, I welcome correction.

--Matt

On Wed, Mar 30, 2011 at 6:07 PM, Edward Ned Harvey <lop...@nedharvey.com> wrote:
> Ok, that other thread got kind of out of control. So let's try this question again, in a different way:
>
> Given: When using IPv6, some people will use NAT, others won't. Each person can make their own decision. If you want to dispute that, please start a new thread instead of this one. I've had that discussion here before, and I'm done with it.
>
> Whether you NAT or NOT, most will agree it's a bad idea to expose your toaster, watch, TV, laptop and everything to the unsolicited inbound traffic from the wild wild web.
>
> Therefore, a stateful firewall packet filter at the perimeter is necessary to block inbound unsolicited traffic.
>
> Therefore, p2p in general is broken. Unless....
>
> Unless there is a protocol or solution of some sort, that allows internal devices to reconfigure the perimeter firewall to allow the inbound traffic. Such tasks are currently done via NAT-PMP and IGD, but those unfortunately seem to be IPv4 only. So... What's the solution for IPv6?
>
> _______________________________________________
> Tech mailing list
> Tech@lists.lopsa.org
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
> http://lopsa.org/

--
LITTLE GIRL: But which cookie will you eat FIRST?
COOKIE MONSTER: Me think you have misconception of cookie-eating process.
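As an added illustration of the prefix-based scoping Matt describes above (example code, not from the list or from either poster), the following audits a host inventory against his rule: only hosts that need outside reach hold a globally routable prefix. The hostnames, addresses and the `needs_external` flag are constructed, and 2001:db8::/32 (the documentation prefix) stands in for a real global allocation.

```python
"""Audit IPv6 address assignments against the scoping policy in the post:
hosts that do not need the outside world keep link-local (and optionally ULA)
addresses only; a global prefix on such a host is a defence-in-depth gap."""
import ipaddress

# Scope is decided purely by the address prefix (IANA IPv6 address space).
SCOPES = [
    ("link-local", ipaddress.IPv6Network("fe80::/10")),  # RFC 4291: never forwarded off-link
    ("ula",        ipaddress.IPv6Network("fc00::/7")),   # RFC 4193: enterprise-only, not internet-routed
    ("global",     ipaddress.IPv6Network("2000::/3")),   # global unicast: reachable from outside
]


def scope_of(addr: str) -> str:
    """Name the scope of one address; a '%eth0' style zone id is dropped first."""
    ip = ipaddress.IPv6Address(addr.split("%", 1)[0])
    for name, net in SCOPES:
        if ip in net:
            return name
    return "other"  # loopback, unspecified, multicast, transition ranges


def externally_reachable(addrs) -> bool:
    """Per the post, a host is exposed only if it holds a globally routable address."""
    return any(scope_of(a) == "global" for a in addrs)


def audit(inventory: dict) -> dict:
    """Return {hostname: finding} for every host whose addressing contradicts its role."""
    findings = {}
    for host, spec in inventory.items():
        exposed = externally_reachable(spec["addrs"])
        if exposed and not spec["needs_external"]:
            findings[host] = "global address on host that should be internal-only"
        elif spec["needs_external"] and not exposed:
            findings[host] = "needs external reach but has no global address"
    return findings


# Constructed inventory (hypothetical hosts and addresses; 2001:db8::/32 is the
# documentation prefix, used here as a stand-in for a real global allocation).
INVENTORY = {
    "workstation-01": {"needs_external": False, "addrs": ["fe80::1a2b:3c4d:5e6f:7081%eth0"]},
    "file-server":    {"needs_external": False, "addrs": ["fe80::2%eth0", "fd12:3456:789a::10"]},
    "update-proxy":   {"needs_external": True,  "addrs": ["fe80::3%eth0", "2001:db8:10::5"]},
    "printer":        {"needs_external": False, "addrs": ["fe80::4%eth0", "2001:db8:10::9"]},
    "mail-relay":     {"needs_external": True,  "addrs": ["fe80::5%eth0", "fd12:3456:789a::25"]},
}

if __name__ == "__main__":
    for host, finding in audit(INVENTORY).items():
        print(f"{host}: {finding}")
```

The check covers address scope only: ULA prefixes are still routed inside the enterprise, so the perimeter filter Ned's question assumes remains necessary.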