
IPv6 kills NAT?

You wouldn't technically need to route then, would you? If the ISP is assigning you basically a whole subnet on an interface on their "router", they'd do the routing for you, no? Theoretically you could put a switch on there and it would work, no? There'd be nothing to route; your default route would just be to the ISP. For businesses they may need routing, but home users wouldn't.
 
You wouldn't technically need to route then, would you? If the ISP is assigning you basically a whole subnet on an interface on their "router", they'd do the routing for you, no? Theoretically you could put a switch on there and it would work, no? There'd be nothing to route; your default route would just be to the ISP. For businesses they may need routing, but home users wouldn't.
Except it makes sense to keep local traffic local, otherwise both sides are exposed to increased liability. Plus you still have to enable dynamic filtering/firewalling, and it makes far more sense to have a bunch of discrete devices on-site (home routers with light firewall duties) than to have a monster firewalling device filtering several thousand connections at once.
 
You wouldn't technically need to route then, would you? If the ISP is assigning you basically a whole subnet on an interface on their "router", they'd do the routing for you, no? Theoretically you could put a switch on there and it would work, no? There'd be nothing to route; your default route would just be to the ISP. For businesses they may need routing, but home users wouldn't.

Technically, no. You could just plug a switch into your ISP's equipment and have fun, but it's good to have that demarcation point between the ISP and your network. You need (or should have) something that has control over what traffic comes and goes.

Riley
 
Ever heard of RFC1918 ranges? :p

Point of NAT is also when two parties use the same network internally.

I'm not sure I understand your reference to RFC1918 in regards to what I said.

Don't get me wrong, there is absolutely a use for NAT in the current IPv4 world, with the address shortage and the scenario of connecting identical or overlapping networks as you mentioned, but that should never happen with IPv6.

IPv6 does reserve a large block for private use only: fc00::/7

It's good that they did this, but I think the only reason to use it would be:

1) Testing
2) No external connectivity is required

Other than that, I can't think of any time to use this?

Riley
 
Except it makes sense to keep local traffic local, otherwise both sides are exposed to increased liability. Plus you still have to enable dynamic filtering/firewalling, and it makes far more sense to have a bunch of discrete devices on-site (home routers with light firewall duties) than to have a monster firewalling device filtering several thousand connections at once.

For sure, yeah. It's the same idea as an ISP giving you a /24 block. You can create a /30 between you and them and then SNAT the other addresses, or you could put a switch on there and just use your ISP for your routing. Practical, no, but theoretical. The only difference is more IPs with IPv6.

So with IPv6, your router would allow the NDP traffic through to get an IP from the ISP then or would you sort of configure a pool on the router and have it get them that way?

I just like to talk things through and explain them and get verification that I understand them.

Also, will there be such a thing as static and dynamic addresses? If you aren't doing DHCP, if you make them static, then NDP will just detect it's used, no? (I'm talking about global IPs, not private IPs)
 
Another thing too, say I rent a dedicated server somewhere or colocate, would I also get a full /64 to myself? So I could run a bunch of VMs in bridge mode or w/e network topology I decide and not have to buy multiple IPs? I'm kinda liking the idea of this if that's really how it will work.
 
You would get whatever you purchase from them. I imagine providers will be far more lenient about handing out larger ranges than they are now however. Currently ARIN wants paperwork for anything larger than a /29 to end users and a /22 for providers.
 
I was thinking about it, and IPv6 would make it easier for people to host many servers at home, wouldn't it? Assuming you pay for business class. It would be really easy to have tons of web servers to sell?
 
I was thinking about it, and IPv6 would make it easier for people to host many servers at home, wouldn't it? Assuming you pay for business class. It would be really easy to have tons of web servers to sell?
No, it wouldn't change anything. You can get many public IPs from your ISP at the moment if you wish. Their TOS, bandwidth limits, and data caps would all prohibit that.
 
I understand that, but I'm saying, assuming they were to give a /64 to every house, you could theoretically host a crap ton of websites for people, yes? I would think at that point they would have to do something to say, hey, this one IP is all that will be able to use port 80 or something?
 
I understand that, but I'm saying, assuming they were to give a /64 to every house, you could theoretically host a crap ton of websites for people, yes? I would think at that point they would have to do something to say, hey, this one IP is all that will be able to use port 80 or something?
There's no need. IPs in IPv6 land are not a scarce resource, so they won't care WHAT you use them for. You figure out how to assign your entire /46|/64, I don't think the ISP really cares.

What they DO care about is bandwidth. That doesn't change with IPv6. And they already have systems in place to monitor, so I imagine when IPv6 gets here and you step over your "unlimited" allocation, they'll let you know. Same goes for hosting illegal content, etc. None of that changes with IPv6.
 
I understand that, but I'm saying, assuming they were to give a /64 to every house, you could theoretically host a crap ton of websites for people, yes? I would think at that point they would have to do something to say, hey, this one IP is all that will be able to use port 80 or something?
A single IP can house countless websites (if you can go without SSL certificates). See: any shared hosting provider.
 
One thing I just thought of too, is rather than have internal DNS naming for internal stuff, you could actually use a public DNS, since the IP internally or externally is the same. So say you have a server you want to access from work, you'd just allow the IP through the firewall and the DNS hostname would work without VPN or anything fancy... assuming you don't care about encryption, and IP based authentication is good enough for you. (ex: the app has its own encryption/authentication)

The big thing is though, the fact that ISPs will assign large blocks has to be standard. We all know ISPs will get greedy and decide to only give one IP and you have to pay extra for more. Just because these IPs are cheap to them does not mean they have to be cheap for us. Look at cell networks and the silly data caps.
 
http://www.ripe.net/internet-coordination/press-centre/understanding-ip-addressing will give you some insight on how things are supposed to work related to IPv6 :)

Along with http://tools.ietf.org/html/rfc4291

I guess it will end up with:

/64: This is equal to the use of /32 in the IPv4 world. This is the subnet each device (host) will get. Most likely what private customers will get from their ISPs as well.

/56: This is equal to /24 in the IPv4 world. Smaller companies, or ISPs who care about their private customers, will give out these ranges for your internet connection.

/48 (and above): This is equal to a larger than /24 allocation in the IPv4 world. Larger companies and others will get this from their ISPs.

But of course there will exist ISPs who will share a /48 with their private customers as well, depending on how large the block(s) they got on their own from ARIN/RIPE/etc. are. Along with companies who get their allocation straight from a LIR (or similar) to get a larger subnet than /48.

Since there are so many addresses you can use all kinds of funny setups to make the addressing easier (not only DEAD:BEEF and such), like involving VLAN IDs and similar (where if you do this in IPv4 you are limited to 256 VLANs per octet (or rather 254, because vlanid=0 doesn't really work and vlanid=1 shouldn't be used for various reasons)).

Also the 128 bits of IPv6 are divided into three parts:

Rightmost 64 bits: Interface address (here is the privacy issue as already mentioned where NAT can be handy).

Middle x bits: Subnet ID.

Leftmost bits: Global routing prefix.

Global routing prefix + Subnet ID = prefix.

The prefix the customer (no matter if you are a private customer or a larger company) will get from their ISP.
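To make the three-part split above concrete, here is an added Python example (not from any poster in the thread) that carves a delegated prefix into per-VLAN /64s, with the VLAN number as the subnet ID, and splits an address back into global routing prefix, subnet ID and interface ID. The 2001:db8::/32 delegations, VLAN numbers and host addresses are constructed documentation values.

```python
import ipaddress

# Constructed example: assume the ISP routes this /48 to us (RFC 3849
# documentation space, not a real allocation).
DELEGATED_48 = ipaddress.IPv6Network("2001:db8:1234::/48")
# Constructed smaller delegation, as a home customer might get.
DELEGATED_56 = ipaddress.IPv6Network("2001:db8:1234:5600::/56")

INTERFACE_MASK = (1 << 64) - 1


def subnet_bits(delegated):
    """Width of the subnet ID: the bits between the ISP delegation and /64.
    A /48 leaves 16 bits (65536 /64s), a /56 leaves 8, a /64 leaves none."""
    if delegated.prefixlen > 64:
        raise ValueError("a delegation longer than /64 cannot hold a /64 subnet")
    return 64 - delegated.prefixlen


def split_address(addr, delegated):
    """Split a 128-bit address into the three parts discussed in the thread:
    global routing prefix (what the ISP delegated), subnet ID, and the
    64-bit interface ID. Routing prefix + subnet ID is the /64 prefix."""
    a = ipaddress.IPv6Address(addr)
    if a not in delegated:
        raise ValueError(f"{a} is not inside {delegated}")
    n = int(a)
    bits = subnet_bits(delegated)
    return {
        "global_routing_prefix": str(delegated),
        "subnet_id": (n >> 64) & ((1 << bits) - 1),
        "interface_id": n & INTERFACE_MASK,
        "prefix": str(ipaddress.IPv6Network(((n >> 64) << 64, 64))),
    }


def subnet_for_vlan(delegated, vlan_id):
    """Return the /64 whose subnet ID equals the 802.1Q VLAN ID, so the VLAN
    number is readable in the address. Fails when the VLAN ID does not fit
    the subnet field: a /56 has only 8 subnet bits, so VLAN 300 needs more."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    bits = subnet_bits(delegated)
    if vlan_id >= (1 << bits):
        raise ValueError(
            f"VLAN {vlan_id} does not fit in the {bits} subnet bits of {delegated}")
    base = int(delegated.network_address)
    return ipaddress.IPv6Network((base | (vlan_id << 64), 64))


def plan(delegated, vlan_ids):
    """Map every VLAN to its /64 and to ::1 in it for the router interface."""
    out = {}
    for vid in vlan_ids:
        net = subnet_for_vlan(delegated, vid)
        out[vid] = (str(net), str(net.network_address + 1))
    return out


if __name__ == "__main__":
    for vid, (net, gw) in plan(DELEGATED_48, [10, 20, 300]).items():
        print(f"VLAN {vid:4d}: {net}  router {gw}")
    print(split_address("2001:db8:1234:a::1", DELEGATED_48))
    try:
        subnet_for_vlan(DELEGATED_56, 300)
    except ValueError as e:
        print("expected failure:", e)
```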
 
One thing I just thought of too, is rather than have internal DNS naming for internal stuff, you could actually use a public DNS, since the IP internally or externally is the same. So say you have a server you want to access from work, you'd just allow the IP through the firewall and the DNS hostname would work without VPN or anything fancy... assuming you don't care about encryption, and IP based authentication is good enough for you. (ex: the app has its own encryption/authentication)

The big thing is though, the fact that ISPs will assign large blocks has to be standard. We all know ISPs will get greedy and decide to only give one IP and you have to pay extra for more. Just because these IPs are cheap to them does not mean they have to be cheap for us. Look at cell networks and the silly data caps.
You need to look up how DNS works. Little is changing relating to it between IPv4 and IPv6. Your ISP will not be delegating a zone to you. This would also require you to run a name server.

The cell phone example also doesn't work. Data caps and IP allocations cannot be compared.
 
You need to look up how DNS works. Little is changing relating to it between IPv4 and IPv6. Your ISP will not be delegating a zone to you. This would also require you to run a name server.

The cell phone example also doesn't work. Data caps and IP allocations cannot be compared.

I know the DNS protocol itself is not changing but with NAT, the IP is internal only, so to access it externally (leaving out VPN and other such solutions) the IP you use to access a server is the router's external IP, and not that individual server's IP. So you could not really have a global DNS name that works internally and externally, in a non VPN setup. If you have 5 different http servers internally you want to access online (again, without VPN) you would also need to use different ports on the external IP, as normally you only have one external IP. But if the IPs you get with ipv6 are global, then whether you are accessing it from within your home or outside, the IP will remain the same. This means you could put these IPs in your external DNS server. So ex: instead of using server1.local and that only works internally or through VPN you could actually use server1.int.mydomain.com where mydomain.com is a valid registered domain in which you control the DNS. I would not say it's a HUGE wow factor, but it is kinda neat that you could very easily do this. Of course it's probably not smart opening up all sorts of ports like that just because you can. You'd still want some form of VPN.
 
http://www.ripe.net/internet-coordination/press-centre/understanding-ip-addressing will give you some insight on how things are supposed to work related to IPv6 :)

Along with http://tools.ietf.org/html/rfc4291

I guess it will end up with:

/64: This is equal to the use of /32 in the IPv4 world. This is the subnet each device (host) will get. Most likely what private customers will get from their ISPs as well.

/56: This is equal to /24 in the IPv4 world. Smaller companies, or ISPs who care about their private customers, will give out these ranges for your internet connection.

/48 (and above): This is equal to a larger than /24 allocation in the IPv4 world. Larger companies and others will get this from their ISPs.

But of course there will exist ISPs who will share a /48 with their private customers as well, depending on how large the block(s) they got on their own from ARIN/RIPE/etc. are. Along with companies who get their allocation straight from a LIR (or similar) to get a larger subnet than /48.

Since there are so many addresses you can use all kinds of funny setups to make the addressing easier (not only DEAD:BEEF and such), like involving VLAN IDs and similar (where if you do this in IPv4 you are limited to 256 VLANs per octet (or rather 254, because vlanid=0 doesn't really work and vlanid=1 shouldn't be used for various reasons)).

Also the 128 bits of IPv6 are divided into three parts:

Rightmost 64 bits: Interface address (here is the privacy issue as already mentioned where NAT can be handy).

Middle x bits: Subnet ID.

Leftmost bits: Global routing prefix.

Global routing prefix + Subnet ID = prefix.

The prefix the customer (no matter if you are a private customer or a larger company) will get from their ISP.

If ISPs are truly forced to use this, then that's awesome. Screw having a /24 (10.x.x.x), I want a /64 :D
 
I know the DNS protocol itself is not changing but with NAT, the IP is internal only, so to access it externally (leaving out VPN and other such solutions) the IP you use to access a server is the router's external IP, and not that individual server's IP. So you could not really have a global DNS name that works internally and externally, in a non VPN setup. If you have 5 different http servers internally you want to access online (again, without VPN) you would also need to use different ports on the external IP, as normally you only have one external IP. But if the IPs you get with ipv6 are global, then whether you are accessing it from within your home or outside, the IP will remain the same. This means you could put these IPs in your external DNS server. So ex: instead of using server1.local and that only works internally or through VPN you could actually use server1.int.mydomain.com where mydomain.com is a valid registered domain in which you control the DNS. I would not say it's a HUGE wow factor, but it is kinda neat that you could very easily do this. Of course it's probably not smart opening up all sorts of ports like that just because you can. You'd still want some form of VPN.
That isn't really anything new with IPv6. You can do that with IPv4 just fine. Just comes down to having multiple IPs. Any time you colocate a server for example, you can pretty much expect to get a /29 block (or larger).
 
That isn't really anything new with IPv6. You can do that with IPv4 just fine. Just comes down to having multiple IPs. Any time you colocate a server for example, you can pretty much expect to get a /29 block (or larger).

True, but in a home environment you normally only have one IP unless you want to pay for it. It sounds like with IPv6 you will get a huge range without having to pay for each one, as this is basically to replace private IPs, which won't really be used given there's no NAT. Unless I'm understanding that part wrong.
 
I have a question about getting assigned a block of IPs (this isn't really an IPv6 question, but it applies there too).

If an ISP assigns you a block of IPs, it seems many of you are saying you can plug in a switch at that point and let the ISP do all of the routing, or you can plug in your own router and do it that way.

My question is: if you plug in your own router, how does the ISP router know which router to send the traffic to in order to get to your block?

In other words, if you plug in just a switch and then end devices, does the ISP have an IP from your block assigned to it, and does it just do regular ARP lookups and such to your end devices (if that is the case, does that mean the ISP actually uses one of YOUR block's IPs?).

If you plug in the router, what IP do you assign it on the outside interface? Does the ISP give you a dedicated "transport" subnet that is a /22?

I have a feeling the ISP gives you a dedicated transport subnet like a /22, but I'm not sure how this would work with plugging a switch in.
 
I have a question about getting assigned a block of IPs (this isn't really an IPv6 question, but it applies there too).

If an ISP assigns you a block of IPs, it seems many of you are saying you can plug in a switch at that point and let the ISP do all of the routing, or you can plug in your own router and do it that way.

My question is: if you plug in your own router, how does the ISP router know which router to send the traffic to in order to get to your block?

In other words, if you plug in just a switch and then end devices, does the ISP have an IP from your block assigned to it, and does it just do regular ARP lookups and such to your end devices (if that is the case, does that mean the ISP actually uses one of YOUR block's IPs?).

If you plug in the router, what IP do you assign it on the outside interface? Does the ISP give you a dedicated "transport" subnet that is a /22?

I have a feeling the ISP gives you a dedicated transport subnet like a /22, but I'm not sure how this would work with plugging a switch in.

You will of course speak to your ISP.

Any sane ISP would use an RFC1918 range for the linknet between your equipment and their equipment. Then they will just route this block of addresses to your end of this linknet as next hop.

For example, let's assume your ISP will give you x.x.x.0/24.

You and your ISP will then set up a linknet such as 10.0.0.0/30 (10.0.0.2 = ISP, 10.0.0.1 = your box).

Your ISP will then have:

ip route x.x.x.0 255.255.255.0 10.0.0.1

and you will have:

ip route 0.0.0.0 0.0.0.0 10.0.0.2

Another option is if you use equipment that can function transparently at layer3, such as "virtual wire" or whatever your manufacturer calls it. Similar to how a switch works.

Edit: Similar applies to IPv6, there are dedicated linknet blocks one can use or use the ND feature of IPv6.
 
I'm really starting to understand this more now. My main concern is still whether ISPs will truly follow the /64 per user rule or not. The idea of true routing without NAT is kinda growing on me too. I kinda like the idea of letting the firewall do the work without worrying about port forwarding. Want to access a specific server in my house from work? Just need to let my work IP access that server's IP. It's almost like having an extension of the internet in my house. :D

Current MSO practice is to allocate a /48 per customer network or at the very least a /56. Of course, larger advanced service customers can negotiate for more subnets if necessary.
 
if there is no DMZ set up, it does EXACTLY that...

if the NAT table doesn't have anything in it, and it doesn't KNOW where to send traffic from the outside, then it is effectively preventing connections... kind of like security through obscurity... how is it supposed to translate when it doesn't know what to translate to?
Someone in the same segment as your public IP address can simply
Code:
route add <your internal LAN> <your public address>
and access your LAN without a packet filter.
 
realistically I think most network admins are ignoring IPv6 and hoping it goes away, I know I am lol
 
I would love to ignore it, but it's inevitably coming so I may as well start learning it and be ready for it. Our ISP hasn't started using IPv6, so when they do, I'm sure I'll start switching everything over slowly.
 
Your ISP assigns you a /64, which is the smallest routable host in v6 space. You then get 64 bits of address space for your local network, which you determine what to do with, and have the router forward packets. It's pretty simple.

Just as an FYI, most consumer grade routers do not support this, they simply aren't designed with this sort of functionality in mind.
 
I was thinking, does this also mean we will get static IPs by default? Since if I have a network with tons of machines that I set a static IP on, and the ISP range keeps changing then those IPs would no longer be routable right? Or would I actually be using some kind of 1:1 NAT where the IPs are actually using the private range and the router is just converting the ISP range to them?
 
Why would they forcefully terminate a DHCP lease? Also, forget about NAT.
 
I think the question is rather whether any box you connect to your ADSL modem (or whatever you have) will get IPs from the same /64 or not.

I guess that if DHCPv6 is being used there is a great risk that you will get different /64s each time.

But if ND is being used I think it's a higher probability that you have a /64 (or /56) statically assigned to the interface you are connected to at the ISP side (access network).
 
Yeah, my point was if you statically set IPs all around your network, then for some reason your modem gets turned off long enough and you get assigned another range, then you'd have to go around changing all the IPs to match the new range. Unless all ISPs will HAVE to give you a static range. I've had the same IP for over a year, but that's just because my modem has never turned off and I have 4-5 hours of backup on batteries. Not everyone has this though. If I turn it off long enough (my modem or router) then eventually my IP will get handed to another customer.
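The renumbering worry in the post above, worked through in an added Python example (not from any poster): the bits below the ISP-delegated prefix (subnet ID + interface ID) are the part of the plan you control, so a prefix change is a mechanical rewrite of the top bits, and the same local part under a ULA prefix from fc00::/7 gives internal-only addresses that survive the change. The delegations, the ULA /48 and the host list are constructed documentation values.

```python
import ipaddress

# Constructed delegations: the /48 the ISP handed out before, and the one it
# hands out after the modem was off long enough to lose the old range.
OLD_DELEGATION = ipaddress.IPv6Network("2001:db8:1234::/48")
NEW_DELEGATION = ipaddress.IPv6Network("2001:db8:abcd::/48")
# Constructed ULA /48 (fc00::/7 space, RFC 4193). The 40-bit global ID in a
# real deployment should be generated randomly per site, not copied from here.
ULA_SITE = ipaddress.IPv6Network("fd5b:7e12:9c0a::/48")

# Constructed static address plan: subnet ID = VLAN, interface ID picked by hand.
STATIC_HOSTS = {
    "router-vlan10": "2001:db8:1234:a::1",
    "fileserver":    "2001:db8:1234:a::20",
    "cam-vlan20":    "2001:db8:1234:14::5",
}


def local_part(addr, delegation):
    """Subnet ID + interface ID: every bit below the ISP-delegated prefix."""
    a = ipaddress.IPv6Address(addr)
    if a not in delegation:
        raise ValueError(f"{a} is not inside {delegation}")
    host_bits = 128 - delegation.prefixlen
    return int(a) & ((1 << host_bits) - 1)


def rehome(addr, old, new):
    """Move a static address to a new delegation of the same length, keeping
    subnet ID and interface ID, so the address plan survives a prefix change."""
    if old.prefixlen != new.prefixlen:
        raise ValueError("old and new delegations must be the same length")
    return ipaddress.IPv6Address(int(new.network_address) | local_part(addr, old))


def renumber_plan(hosts, old, new):
    """Return {name: (old_addr, new_addr)}: the list of everything that has to
    be updated, i.e. interface configs, public AAAA records, firewall allow rules."""
    return {name: (a, str(rehome(a, old, new))) for name, a in hosts.items()}


def stable_ula(addr, delegation, ula_site):
    """The same subnet/interface IDs under a ULA prefix. This address does not
    move when the ISP prefix does, which is why a site keeps ULA addresses
    alongside its global ones for internal DNS, printers, NAS and the like."""
    return rehome(addr, delegation, ula_site)


if __name__ == "__main__":
    changes = renumber_plan(STATIC_HOSTS, OLD_DELEGATION, NEW_DELEGATION)
    for name, (old, new) in changes.items():
        ula = stable_ula(old, OLD_DELEGATION, ULA_SITE)
        print(f"{name:14s} {old:>22s} -> {new}   stable ULA {ula}")
```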
 
Supernetting (summarizing ip ranges) existed already in IPv4 but I think this will come more naturally with IPv6 and ND.

However you will still need to think even with IPv6 when you are planning your network(s). Mainly because the host address is /64 and not /128 (from the "ISP" point of view).
 
You will of course speak to your ISP.

Any sane ISP would use an RFC1918 range for the linknet between your equipment and their equipment. Then they will just route this block of addresses to your end of this linknet as next hop.

For example, let's assume your ISP will give you x.x.x.0/24.

You and your ISP will then set up a linknet such as 10.0.0.0/30 (10.0.0.2 = ISP, 10.0.0.1 = your box).

Your ISP will then have:

ip route x.x.x.0 255.255.255.0 10.0.0.1

and you will have:

ip route 0.0.0.0 0.0.0.0 10.0.0.2

Another option is if you use equipment that can function transparently at layer3, such as "virtual wire" or whatever your manufacturer calls it. Similar to how a switch works.

Edit: Similar applies to IPv6, there are dedicated linknet blocks one can use or use the ND feature of IPv6.
I see, thank you for the response.

Does this mean most "sane ISP"s wouldn't allow you to just plug a switch on your end, since their router interface isn't configured for your block?

Also, when you say IPv6 can use the ND feature of IPv6, do you mean that our "linknet" can be a link-local address (fe80::/10), that stateless configuration can automatically assign IPs for my ISP's interface and for my interface, and that Neighbor Discovery can also discover each other's addresses as routers and automatically create routes based on that?

edit: stupid smiley faces.
 
Someone in the same segment as your public IP address can simply
Code:
route add <your internal LAN> <your public address>
and access your LAN without a packet filter.

you would have to know the specifics of that internal LAN though...
 
you can "access" my lan? or you can send packets to it....

not very useful if you don't have a route back...
If the attacker's source is a public IP, and there is no firewall, then I don't see why it wouldn't work. The dst machine would get the packet and try to respond based on the packet's src header, and the traffic would successfully pass the nat device.

Of course, this is all hypothetical, as most home firewalls are firewalls, and as such usually default to blocking new connections on the outside interface.

EDIT: Ah, I see you updated your post! :D
you would have to know the specifics of that internal LAN though...
Linux + nmap + mentioned routes, and I can have a pretty accurate map of your network in about half an hour.

Again, hypothetically. You would have to go out of your way to break a firewall in such a way that this would work.
 
I don't think anyone is talking about getting rid of firewalls, where most of them have a default configuration set up to block incoming requests. I believe Nmap will still be as ineffective as it is today unless your computer is directly plugged into the cable modem.

What is talked about is the lack of REQUIREMENT to use NAT. I still doubt NAT is going anywhere, although it is less needed with IPv6 than it was with IPv4.

The external connections will still be something like:
[Home Computers] --------- Internal Firewall NIC [ FIREWALL ]------External Firewall NIC ------- [Cable Modem]

I'd still suspect even with IPv6 that all computers will still have an end point of a firewall protecting them which is directly bridged into a cable modem and actively filtering out traffic. (IE - All traffic will still need to pass through a filtering device based on ACL/rules)

That said, I can't imagine any of this is going to be a problem for a while. Specifically, I don't see many companies willing or ready to jump into IPv6 (internally) when nearly none of them (outside of Google or Microsoft) even need a /60 internal block.

More so, I believe that we'll become accustomed to seeing IPv6 (External) to IPv4 (Internal) translations going on at the firewall side of things that still use a form of NAT. This will allow the IPv4 implementation to live on for a while (and not require dual stacking and even more protocols to support) and not require many companies to go in and change things up on their network for some time.
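Since the posts above keep coming back to "no NAT still means a filtering device", here is an added Python model (not from anyone in the thread) of a default-deny stateful filter on the outside interface: inbound packets pass only as replies to a LAN-initiated flow or via an explicit allow rule, which covers the "let my work IP reach that server" case. All addresses and ports are constructed documentation values.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addresses (RFC 3849 documentation space): the /64 behind the
# firewall, two hosts on it, the "work IP", an unrelated outside host and a website.
LAN = ipaddress.ip_network("2001:db8:1234:a::/64")
LAPTOP = ipaddress.ip_address("2001:db8:1234:a::10")
SERVER = ipaddress.ip_address("2001:db8:1234:a::20")
WORK_IP = ipaddress.ip_address("2001:db8:5555::7")
STRANGER = ipaddress.ip_address("2001:db8:7777::5")
WEBSITE = ipaddress.ip_address("2001:db8:9999::1")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    inbound: bool      # True = arrives on the ISP-facing interface


@dataclass
class StatefulFilter:
    """Default deny on the outside interface, NAT removed: an inbound packet is
    accepted only as the reply to a flow the LAN opened, or because an allow
    rule (source network, destination host, destination port) says so."""
    lan: ipaddress.IPv6Network
    allow_in: list                      # [(src_net, dst_host, dport), ...]
    flows: set = field(default_factory=set)

    def handle(self, p):
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        if not p.inbound:
            # Egress anti-spoofing: only our own prefix may leave.
            if src not in self.lan:
                return "DROP egress-spoof"
            self.flows.add((src, dst, p.sport, p.dport))
            return "ACCEPT out"
        # Inbound: a LAN source arriving from outside can only be spoofed.
        if src in self.lan:
            return "DROP ingress-spoof"
        if dst not in self.lan:
            return "DROP not-our-prefix"
        # Reply to something the LAN started (the 5-tuple mirrored).
        if (dst, src, p.dport, p.sport) in self.flows:
            return "ACCEPT established"
        for net, host, port in self.allow_in:
            if src in net and dst == host and p.dport == port:
                return "ACCEPT rule"
        # Anything else is a new inbound connection: the unsolicited scan in
        # the thread ends here, routed to us or not.
        return "DROP new-inbound"


def run_scenario():
    """Constructed packet sequence; returns the verdict for each packet."""
    fw = StatefulFilter(LAN, [(ipaddress.ip_network(f"{WORK_IP}/128"), SERVER, 22)])
    packets = [
        Packet(str(LAPTOP), str(WEBSITE), 51000, 443, inbound=False),  # browsing out
        Packet(str(WEBSITE), str(LAPTOP), 443, 51000, inbound=True),   # the reply
        Packet(str(STRANGER), str(LAPTOP), 40000, 22, inbound=True),   # unsolicited scan
        Packet(str(WORK_IP), str(SERVER), 40001, 22, inbound=True),    # allowed by rule
        Packet(str(WORK_IP), str(SERVER), 40002, 80, inbound=True),    # right host, wrong port
        Packet(str(LAPTOP), str(SERVER), 40003, 22, inbound=True),     # LAN source from outside
    ]
    return [fw.handle(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```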
 
I see, thank you for the response.

Does this mean most "sane ISP"s wouldn't allow you to just plug a switch on your end, since their router interface isn't configured for your block?

Also, when you say IPv6 can use the ND feature of IPv6, do you mean that our "linknet" can be a link-local address (fe80::/10), that stateless configuration can automatically assign IPs for my ISP's interface and for my interface, and that Neighbor Discovery can also discover each other's addresses as routers and automatically create routes based on that?

edit: stupid smiley faces.

Of course there are variants but often when you get a block such as /24 (or so) allocated this block is being routed to your equipment where you have a linknet between you and your ISP.

If you don't have any L3 equipment of your own, the ISP could then set up an IP address in this range (often the first or last IP) which will then be used as the default gateway for your equipment. The latter is often (or "not uncommonly") the case in "broadband networks" where the equipment in the basement is L2 switches and the L3 equipment is placed in distnodes (or in some main node in your building).

With IPv6 this is more "by design" thanks to ND. You hook up your L3 equipment to your ISP and get a range through ND. Then you can configure your device to share this information further into your own network (the tricky part comes as mentioned when /64 is seen as the host address rather than /128).
 
I don't think anyone is talking about getting rid of firewalls. So Nmap will still be as ineffective as it is today unless your computer is directly plugged into the cable modem.

What is talked about is the lack of REQUIREMENT to use NAT. I still doubt NAT is going anywhere, although it is less needed with IPv6 than it was with IPv4.

The external connections will still be something like:
[Home Computers] --------- Internal Firewall NIC [ FIREWALL ]------External Firewall NIC ------- [Cable Modem]

I'd still suspect even with IPv6 that all computers will still have an end point of a firewall protecting them which is directly bridged into a cable modem and actively filtering out traffic.

That said, I can't imagine any of this is going to be a problem for a while. Specifically, I don't see many companies willing or ready to jump into IPv6 when nearly none of them (outside of Google or Microsoft) even need a /60 internal block.

More so, I believe that we'll become accustomed to seeing IPv6 (External) to IPv4 (Internal) translations going on that still use a form of NAT. This will allow the IPv4 implementation to live on for a while and not require many companies to go in and change things up on their network for some time.


Spot on the problem... simply because "remove the NAT" in most peoples heads means "remove the NAT-router" which ends up with "remove firewall" which of course is bad...
 
Here is a really good article on Google's move to internal IPv6 and the challenges they faced.

http://static.usenix.org/events/lisa11/tech/full_papers/Babiker.pdf

I read through the whole thing and for me it just confirmed that using IPv6 internally is going to be a long way off (for most established companies) even though using it externally is sorely needed.

Well worth the read just to get the perspective on a company that implemented IPv6 on a massive scale.
 