Re: ipv6 maybe has arrived.
On 9/2/23 06:39, gene heskett wrote:
On 2/8/23 16:29, jeremy ardley wrote:
On 9/2/23 04:54, gene heskett wrote:
My several machine home net is behind a dd-wrt install, NAT'ed
so that any machine here has access to the net via the ipv4
address my router obtains from them. That legally is a dynamic
address but hasn't changed in the decade and a half since I
last switched ISPs to one that just worked courtesy of
cloning the mac from one router to its backup.
So now my question is, can I maintain the same level of
security if I start using an ipv6 address in my router?
And if so, how do I maintain the NAT, & how would I do it?
Or am I better off to not kick this sleeping dog called ipv6?
Thanks Jeremy, but in the back of my mind is the need for a
firewall. I've not set up a new one since bullseye moved in a year
plus ago. dd-wrt reflashing my now elderly buffalo router handles
all that.
Let's look at the different cases.
First, you have IPv4 and NAT. Your
firewall will allow (and NAT) any outbound traffic, and will
accept any incoming traffic related to outgoing traffic and inverse
NAT it and send to the internal host. You are relatively safe in
this scenario as external baddies can't scan your LAN and can't
make unsolicited connections to your LAN devices.
In the case of adding IPv6 without NAT,
then without a firewall, external baddies can connect unsolicited
to your internal devices. Some of your devices will have their own
personal firewalls already, e.g. any windows machine. Some won't,
e.g. a printer. In the printer case it would be unfortunate if
your printer suddenly started printing out obscenities. You get
the picture.
Net result is with IPv6 you need a
firewall on your internet connection to disallow any unsolicited
connections to internal devices. It's really easy in ip6tables. It
is probably very easy in dd-wrt. It is certain to be in any
off-the-shelf dual-stack modem/router.
The other option of NAT for your IPv6 is
frowned on.
Another problem is internal names. As
with IPv4 you need a directory service to say what devices are at
what IPv4 or IPv6 addresses in your LAN. In my case I run a DNS
server linked to my DHCP server for the IPv4 and IPv6 addresses.
It uses a combination of DHCP registration data, and static
records to give IPv4 and IPv6 addresses internally to the LAN.
Of note, in my LAN which runs IPv4 and
IPv6, most traffic between devices is IPv6 because modern
Debian/Linux applications default to IPv6 and only fall back to
IPv4 as necessary.
Jeremy
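
The following is an added example, not part of the original message: a sketch of the stateful ip6tables policy the reply describes, where LAN hosts may open connections outward and nothing unsolicited is forwarded inward. The function name and the interface names (eth0 as WAN, br0 as LAN) are assumptions, as is the choice to let the LAN reach the router itself.

```shell
#!/bin/sh
# Added example: print an ip6tables-restore ruleset for a home router.
# Interface names are assumptions passed in by the caller (e.g. eth0 = WAN, br0 = LAN).
gen_ip6_rules() {
    wan="$1"; lan="$2"
    # Reject empty or unusual interface names so the ruleset cannot be malformed.
    for ifc in "$wan" "$lan"; do
        case "$ifc" in
            ''|*[!A-Za-z0-9._-]*) echo "bad interface name: $ifc" >&2; return 1 ;;
        esac
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic addressed to the router itself.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 carries neighbour discovery and router advertisements; dropping it breaks IPv6.
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# DHCPv6 replies to the router's own client arrive from a link-local server address.
-A INPUT -i $wan -p udp -s fe80::/10 --sport 547 --dport 546 -j ACCEPT
-A INPUT -i $lan -j ACCEPT
# Traffic routed between WAN and LAN: replies come in, new connections only go out.
# ICMPv6 errors such as packet-too-big for an open flow match RELATED.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $lan -o $wan -j ACCEPT
# No rule admits NEW traffic from $wan to $lan, so the DROP policy blocks it.
COMMIT
EOF
}

# Print the ruleset when called as: script WAN_IF LAN_IF
if [ "$#" -eq 2 ]; then
    gen_ip6_rules "$1" "$2"
fi
```

On a Linux router the output can be reviewed and then loaded with `ip6tables-restore`.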