<h1>Better living through IPv6-istry</h1>
<p>Posted 2012-09-25 at <a href="http://jlg.name/blog/2012/09/better-living-through-ipv6-istry/">http://jlg.name/blog/2012/09/better-living-through-ipv6-istry/</a> (last modified 2013-09-01).</p>
<p>There have been many, many words written about the IPv4-to-IPv6 transition — probably around 340 undecillion words at this point — but perhaps my favorite words came in <a href="http://yro.slashdot.org/comments.pl?sid=3124419&amp;cid=41371839">a recent Slashdot comment</a> by AliasMarlowe:</p>
<blockquote><p>I believe in the incremental approach to updates; it’s so much safer and usually easier.<br />
So it’s going to be IPv5 for me, while you suckers make a mess of IPv6!</p></blockquote>
<p>I’ve long been a fan of IPv6. Deploying IPv6 has the obvious benefit of solving the <a href="http://www.potaroo.net/tools/ipv4/index.html">IPv4 address exhaustion problem</a>, as well as making it easier to do <a href="https://supportforums.cisco.com/docs/DOC-17232">local subnetting</a> and <a href="http://www.cu.ipv6tf.org/literatura/sample.pdf">site network architecture</a>, and to some degree <a href="http://www.ietf.org/proceedings/65/slides/grow-0.pdf">internet-scale routing</a>.</p>
<p>But perhaps the greatest benefit of deploying IPv6 is the <a href="http://www.ietf.org/rfc/rfc2775.txt">restoration of end-to-end transparency</a>. IPv6 obviates the need for network address translation (NAT). With IPv6, when your Skype application wants to initiate a call to my Skype application, the apps can address each other <em>directly</em> without relying on <a href="http://pdos.csail.mit.edu/papers/p2pnat.pdf">hole punching</a>, third-party relaying, or other “clever” NAT-circumvention techniques.</p>
<p>(<a href="http://en.wikipedia.org/wiki/End-to-end_principle">End-to-end addressing</a> may sound unimportant, but if we could restore this critical Internet design goal to practice then we could party like it’s 1979!)</p>
<p>I recently spoke with some of TCS’s <a href="http://www.artofexploitation.com/about.aspx">computer network operations</a> students about security considerations for IPv6 deployments. They were surprised when I claimed that NAT is not needed in an IPv6 security plan; several students commented that the NAT on their home network router was the only thing protecting their computers from the evils of the Internet.</p>
<p>A common misperception! There are generally two functions performed by your home network router (or your corporate upstream router, if so configured):</p>
<ol>
<li><strong><a href="http://en.wikipedia.org/wiki/Stateful_firewall">Firewalling / stateful packet inspection</a>.</strong> This is a security function.</li>
<li><strong><a href="http://en.wikipedia.org/wiki/Network_address_translation">IP masquerading / network address [and port] translation</a>.</strong> This is <em>not</em> a security function; it simply allows all the devices on your internal network to share a single external network (IP) address.</li>
</ol>
<p>With IPv6 you can (and should) still deploy inline firewall appliances to perform function #1. But with the plethora of available addresses in IPv6 — 18,446,744,073,709,551,616 globally routable addresses per standard local subnet — there is no overt need for masquerading.</p>
<p>Of course, masquerading provides ancillary benefits: it somewhat hinders external traffic analysis, such as network mapping, by obfuscating the internal source and destination of traffic. Combining masquerading with private IPv4 addressing also prevents internal addresses from being externally routable.</p>
<p>But similar benefits can be realized in IPv6 without masquerading and therefore without losing the benefits of end-to-end transparency. For example, <a href="http://tools.ietf.org/html/rfc4941">IPv6 privacy extensions</a> can obfuscate your internal network architecture, and <a href="http://en.wikipedia.org/wiki/Unique_local_address">IPv6 unique local addresses</a> can be used to isolate systems that shouldn’t be visible on external networks.</p>