On 01/20/12 05:07, Tanstaafl wrote: > On 2012-01-19 5:32 PM, Mick <michaelkintz...@gmail.com> wrote: >> On Thursday 19 Jan 2012 15:48:32 Michael Mol wrote: >>> On Thu, Jan 19, 2012 at 10:37 AM, Tanstaafl<tansta...@libertytrek.org> >>> wrote: >>>> I have a reasonable grasp of how to use IP addresses etc with IPv4, but >>>> every time I start rading about IPv6 I get a headache... >>>> >>>> Does anyone know of a decent tutorial written specifically to those who >>>> have an ok (but not hugely in-depth) understanding of IPv4, and doesn't >>>> get bogged down in too many technical details, but simply explains what >>>> you need to know to be able to transition to it and use it effectively >>>> *and securely* - and/or how *not* to have to expose your entire private >>>> network to the world (what IPv4 NAT protects you from)? > >>> I've been doing IPv6 presentations at LUGs and tech cons, and I'm >>> getting scheduled for a few IPv6 topics at Penguicon...but I'm pretty >>> sure I'm also not the most knowledgeable on this list wrt IPv6, >>> either. Still, what would you like to know? (I can use your questions >>> as fodder and experience for future presentations. ^^) > >> Now that IPv6 is enabled by default on Linux, is one meant to duplicate all >> the IPv4 iptable rules also for IPv6? I'm using arno ip tables and from what >> I saw in the config file it is either 4 or 6 that one can activate. Perhaps >> this has improved with later versions. > > That was the very first question (and headache) I got from looking at this. > >> The OP would probably have more questions, but if you ever pull together a >> pack of slides I would much appreciate a link to look at them. > > I really wouldn't know where to start... that is why I was looking for a > decent tutorial that covered the topic in total, so I could hopefully > get to the point that I *could* ask some intelligent questions about it... > > One very general question I have is, how can you - or even *can* you - hide > all of your internal devices from the outside world, similar to how > the use of 'private' IP's behind a NAT'd firewall are hidden from the outside > world (nor directly accessible). I definitely do *not* want all of > my internal devices directly accessible from the internet. >
If you want a good place to start, try Mark Newton's AusCERT IPv6 talk. http://risky.biz/AusCERT-Newton It's not exactly "laymen", but I still recommend it. It's a good talk taking your IPv4 knowledge and comparing it to the IPv6 equivalents, and brings up some good general ideas that make you think of IPv6 in a practical sense. Unfortunately I haven't found a video version of it. :( I've done a hand full of IPv6 conversions, small to medium networks, I'd be willing to answer some questions if you need help. As for your general question, the short answer is you can't. If you need internet access, then you will have to have public IPs. Question: Why do you want to hide internal devices? I don't expect an answer, this is something you should ask yourself. Is it to protect running services from attack/discovery? Great, that's what your firewall is for, so you don't need to worry about private addresses. Another option is to deploy IPSec for internal services, this would hide internal services even from hosts on the private address space unless they are trusted though IPSec rules. Is it to hide the actual devices? or your network architecture/topology? Scanning for host discovery in IPv6 is not feasible. Consider how big IPv6 is. A typical host discovery scan on an IPv4 private network can be done in a few hours. Given a (really fast) average host discovery of 1000 hosts a second, lets apply some math to your internal IPv6 range. We'll compare both ::/64 and ::/48, which amounts to 2^64 and 2^80 addresses. Your host discovery scan would take between 600 million, and 38 trillion years to check each IP. If you still want private addresses, IPv6 has unique local addresses (fc00::/7 range, http://www.sixxs.net/tools/grh/ula/ has a reg form to help assign a /48 to you). But since there's no address translation, your stuck running dual networks for everything that needs a private address and internet access. It's not entirely a bad thing, but it can be a long tedious process, and some software sucks at it (mysqld). Hope that helps. Chris
