
Re: ipv6 maybe has arrived.




On 9/2/23 06:39, gene heskett wrote:
On 2/8/23 16:29, jeremy ardley wrote:

On 9/2/23 04:54, gene heskett wrote:


My several-machine home net is behind a dd-wrt install, NAT'ed so that any machine here has access to the net via the IPv4 address my router obtains from them. That legally is a dynamic address but hasn't changed in the decade and a half since I last switched ISPs to one that just worked, courtesy of cloning the MAC from one router to its backup.

So now my question is, can I maintain the same level of security if I start using an IPv6 address in my router?

And if so, how do I maintain the NAT, and how would I do it? Or am I better off not kicking this sleeping dog called IPv6?



Thanks Jeremy, but in the back of my mind is the need for a firewall. I've not set up a new one since bullseye moved in a year plus ago. dd-wrt, reflashing my now elderly Buffalo router, handles all that.

Let's look at the different cases.

First, you have IPv4 and NAT. Your firewall will allow (and NAT) any outbound traffic, and will accept any incoming traffic related to outgoing traffic and inverse NAT it and send it to the internal host. You are relatively safe in this scenario as external baddies can't scan your LAN and can't make unsolicited connections to your LAN devices.

In the case of adding IPv6 without NAT, then without a firewall, external baddies can connect unsolicited to your internal devices. Some of your devices will have their own personal firewalls already, e.g. any Windows machine. Some won't, e.g. a printer. In the printer case it would be unfortunate if your printer suddenly started printing out obscenities. You get the picture.

Net result is, with IPv6 you need a firewall on your internet connection to disallow any unsolicited connections to internal devices. It's really easy in ip6tables. It is probably very easy in dd-wrt. It is certain to be in any off-the-shelf dual-stack modem/router.

The other option, NAT for your IPv6, is frowned on.

Another problem is internal names. As with IPv4, you need a directory service to say what devices are at what IPv4 or IPv6 addresses in your LAN. In my case I run a DNS server linked to my DHCP server for the IPv4 and IPv6 addresses. It uses a combination of DHCP registration data and static records to give IPv4 and IPv6 addresses internally to the LAN.

Of note, in my LAN, which runs IPv4 and IPv6, most traffic between devices is IPv6 because modern Debian/Linux applications default to IPv6 and only fall back to IPv4 as necessary.

Jeremy
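A concrete version of the "disallow unsolicited inbound, keep what NAT gave you" ip6tables firewall described in the reply above, added here as an example and not taken from the thread or from dd-wrt; it assumes eth0 faces the ISP and br0 is the LAN bridge, and prints the rules for review rather than applying them unless run as root with --apply:

```shell
#!/bin/sh
# Added example, not from the thread: a minimal "no unsolicited inbound"
# ip6tables ruleset for a dual-stack home router. Interface names are assumptions.
WAN=${WAN:-eth0}   # interface facing the ISP
LAN=${LAN:-br0}    # bridge facing the home LAN

# Emit the rules as text so they can be reviewed before being applied.
ip6_firewall_rules() {
    # Default deny for traffic entering or crossing the router; outbound is free.
    echo "ip6tables -P INPUT DROP"
    echo "ip6tables -P FORWARD DROP"
    echo "ip6tables -P OUTPUT ACCEPT"
    echo "ip6tables -F INPUT"
    echo "ip6tables -F FORWARD"
    for chain in INPUT FORWARD; do
        # Replies to connections the LAN opened: the property NAT gave you on IPv4.
        echo "ip6tables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        echo "ip6tables -A $chain -m conntrack --ctstate INVALID -j DROP"
        # ICMPv6 is not optional: path-MTU discovery and error signalling ride on it.
        for t in destination-unreachable packet-too-big time-exceeded parameter-problem; do
            echo "ip6tables -A $chain -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
        done
    done
    # The router itself: local traffic, the LAN side, and the link-local chatter
    # (neighbour discovery, router advertisements) that IPv6 needs on the WAN link.
    echo "ip6tables -A INPUT -i lo -j ACCEPT"
    echo "ip6tables -A INPUT -i $LAN -j ACCEPT"
    for t in echo-request router-advertisement neighbour-solicitation neighbour-advertisement; do
        echo "ip6tables -A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    echo "ip6tables -A INPUT -i $WAN -p udp --dport 546 -s fe80::/10 -j ACCEPT"  # DHCPv6 replies
    # LAN devices may go out; nothing unsolicited from the WAN reaches them (a
    # printer with a global address is simply unreachable from outside). The DROP
    # policy takes care of the rest, including the ping-to-LAN case.
    echo "ip6tables -A FORWARD -i $LAN -o $WAN -j ACCEPT"
}

# Sanity check: how many INPUT rules accept something arriving on the WAN interface.
wan_input_accept_count() {
    ip6_firewall_rules | grep -c -- "-i $WAN .*-j ACCEPT"
}

# Apply only when explicitly asked and running as root.
apply_ip6_firewall() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; return 1; }
    ip6_firewall_rules | sh -e
}

case "${1:-}" in --apply) apply_ip6_firewall ;; *) ip6_firewall_rules ;; esac
```

On dd-wrt the same rules go into the router's firewall script; the only WAN-side hole left open on purpose is the link-local DHCPv6 reply, and the count helper makes that easy to confirm after editing.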
