Re: [CentOS] transition to ip6

2012-04-02 Thread Adam Tauno Williams
On Sat, 2012-03-31 at 19:52 +0200, Tilman Schmidt wrote: On 31.03.2012 17:37, Les Mikesell wrote: On Sat, Mar 31, 2012 at 8:06 AM, Peter Eckel li...@eckel-edv.de wrote: So, before you do anything else, set up proper incoming and outgoing IPv6 port filtering rules on your perimeter

Re: [CentOS] transition to ip6

2012-04-02 Thread Adam Tauno Williams
On Sat, 2012-03-31 at 15:06 +0200, Peter Eckel wrote: Hi Adam, And recent computer or distributions is sitting there quietly waiting for its IPv6 address to arrive - probably automatically, via auto discovery. Clients are trivial. ... and that is EXACTLY the biggest problem with IPv6.

Re: [CentOS] transition to ip6

2012-04-02 Thread Adam Tauno Williams
On Sat, 2012-03-31 at 16:38 -0500, Les Mikesell wrote: On Sat, Mar 31, 2012 at 3:24 PM, Peter Eckel li...@eckel-edv.de wrote: 1. Each interface on an IPv6 enabled machine has several addresses. 2. Except for the Privacy Extension address(es), auto-configured a How do applications choose the

Re: [CentOS] transition to ip6

2012-04-02 Thread Peter Eckel
Hi Adam, Or you assign the rule to the interface, rather than the address. Nothing new, that is how firewalls work on DHCP clients today. that will be pretty difficult on the perimeter router ... Best regards, Peter.

Re: [CentOS] transition to ip6

2012-04-02 Thread Peter Eckel
Hi Adam, You can explicitly turn it off on every type of client. Then wait till you want to do it. agreed. The problem is that you can, and you actually *must* do it. Doing nothing leaves v6 on by default on most modern operating systems.

Re: [CentOS] transition to ip6

2012-04-02 Thread Peter Eckel
Hi Adam, Typically the routing table does a lot of work. Much like 127.0.0.0/8 the mask of a link-local will make it unpreferred by 'public' traffic. There is also a syntax for specifying the outbound interface for traffic. Routing tables

Re: [CentOS] transition to ip6

2012-04-02 Thread Les Mikesell
On Mon, Apr 2, 2012 at 5:28 AM, Peter Eckel li...@eckel-edv.de wrote: Routing tables won't do much for you when you have several different IP addresses (stateless autoconfigured, privacy extension and static) within the same network on the same physical interface - they'll all use the same

Re: [CentOS] transition to ip6

2012-04-02 Thread Peter Eckel
Hi Lee, So what does that mean for a client application (http/ftp,etc.) where you might have local firewalls permitting things for internal-subnet source ranges but you also have external targets that only accept pre-configured static sources? Are you referring to the situation where you

Re: [CentOS] transition to ip6

2012-04-02 Thread Les Mikesell
On Mon, Apr 2, 2012 at 9:39 AM, Peter Eckel li...@eckel-edv.de wrote: So what does that mean for a client application (http/ftp,etc.) where you might have local firewalls permitting things for internal-subnet source ranges but you also have external targets that only accept pre-configured

Re: [CentOS] transition to ip6

2012-04-02 Thread Stephen Harris
On Mon, Apr 02, 2012 at 04:39:17PM +0200, Peter Eckel wrote: network. Security-wise there is no difference as you'll never get smaller allocations than /64 per site anyway, so what with respect to filtering *gigglefit* One of my providers gave me a single(!) IPv6 address. Another one has

Re: [CentOS] transition to ip6

2012-04-02 Thread Peter Eckel
Hi Stephen, *gigglefit* One of my providers gave me a single(!) IPv6 address. Actually that's at least something the IETF has thought of ... if it is certain that one and only one device will be connected. I'm not actually sure what use case there is for such a connection, but at least it

Re: [CentOS] transition to ip6

2012-04-02 Thread Stephen Harris
On Mon, Apr 02, 2012 at 05:30:57PM +0200, Peter Eckel wrote: Hi Stephen, Another one has subdivided a /64 into multiple /96's (one for each customer). Yuck. That doesn't make sense at all. SLAAC won't work, Privacy Extensions won't work ... you're stuck with static addresses that

Re: [CentOS] transition to ip6

2012-04-02 Thread Lamar Owen
On Monday, April 02, 2012 11:11:29 AM Stephen Harris wrote: One of my providers gave me a single(!) IPv6 address. Another one has subdivided a /64 into multiple /96's (one for each customer). You might want to rethink the /64 concept! Subscribe to the NANOG list, and let that group know who

Re: [CentOS] transition to ip6

2012-04-02 Thread Peter Eckel
Hi Les (sorry for calling you 'Lee' before), What is typical or reasonable for source address restrictions? That is, if there are 2 global organizations, and one wants to increase the security on access to a service by limiting to the source addresses that might come from the other, is there

Re: [CentOS] transition to ip6

2012-04-02 Thread Adam Tauno Williams
On Mon, 2012-04-02 at 09:59 -0500, Les Mikesell wrote: On Mon, Apr 2, 2012 at 9:39 AM, Peter Eckel li...@eckel-edv.de wrote: When there really is a requirement that the external server allows only a single address to access it and that can't be changed, you could resort to using a proxy.

Re: [CentOS] transition to ip6

2012-04-02 Thread Adam Tauno Williams
On Mon, 2012-04-02 at 11:11 -0400, Stephen Harris wrote: On Mon, Apr 02, 2012 at 04:39:17PM +0200, Peter Eckel wrote: network. Security-wise there is no difference as you'll never get smaller allocations than /64 per site anyway, so what with respect to filterin *gigglefit One of my

Re: [CentOS] transition to ip6

2012-04-02 Thread Les Mikesell
On Mon, Apr 2, 2012 at 7:33 PM, Adam Tauno Williams awill...@whitemice.org wrote: On Mon, 2012-04-02 at 09:59 -0500, Les Mikesell wrote: On Mon, Apr 2, 2012 at 9:39 AM, Peter Eckel li...@eckel-edv.de wrote: When there really is a requirement that the external server allows only a single

Re: [CentOS] transition to ip6

2012-04-01 Thread Peter Eckel
Hi Lee, How do applications choose the correct outbound address in that scenario? That has always been a problem when using multiple ipv4 addresses on the same interface in combination with firewalling, etc. where the source address matters. that problem hasn't changed too much from IPv4

Re: [CentOS] transition to ip6

2012-03-31 Thread Adam Tauno Williams
On Fri, 2012-03-30 at 14:23 -0400, Bob Hoffman wrote: I imagine some day in the near future there will be a switch to ipv6. A long way off; for a long time things will be dual-stack. It isn't either IPv4 or IPv6, they coexist just fine. I cannot imagine ever remembering the ip address

Re: [CentOS] transition to ip6

2012-03-31 Thread Adam Tauno Williams
We've been running out of IPV4 address and needing to convert someday soon for the last 10 years..., but yet the vast majority of broadband providers and even most ISP's don't support it yet. You've got another couple of months. I believe most U.S. network providers have agreed to a 'flag

Re: [CentOS] transition to ip6

2012-03-31 Thread Bob Hoffman
On 3/31/2012 6:44 AM, Adam Tauno Williams wrote: We've been running out of IPV4 address and needing to convert someday soon for the last 10 years..., but yet the vast majority of broadband providers and even most ISP's don't support it yet. You've got another couple of months. I believe most

Re: [CentOS] transition to ip6

2012-03-31 Thread Peter Eckel
Hi Adam, And recent computer or distributions is sitting there quietly waiting for its IPv6 address to arrive - probably automatically, via auto discovery. Clients are trivial. ... and that is EXACTLY the biggest problem with IPv6.

Re: [CentOS] transition to ip6

2012-03-31 Thread Les Mikesell
On Sat, Mar 31, 2012 at 8:06 AM, Peter Eckel li...@eckel-edv.de wrote: And recent computer or distributions is sitting there quietly waiting for its IPv6 address to arrive - probably automatically, via auto discovery. Clients are trivial. ... and that is EXACTLY the biggest problem with

Re: [CentOS] transition to ip6

2012-03-31 Thread Ryan Wagoner
On Sat, Mar 31, 2012 at 11:37 AM, Les Mikesell lesmikes...@gmail.com wrote: On Sat, Mar 31, 2012 at 8:06 AM, Peter Eckel li...@eckel-edv.de wrote: And recent computer or distributions is sitting there quietly waiting for its IPv6 address to arrive - probably automatically, via auto

Re: [CentOS] transition to ip6

2012-03-31 Thread Lamar Owen
On Saturday, March 31, 2012 06:44:38 AM Adam Tauno Williams wrote: We've been running out of IPV4 address and needing to convert someday soon for the last 10 years..., but yet the vast majority of broadband providers and even most ISP's don't support it yet. You've got another couple of

Re: [CentOS] transition to ip6

2012-03-31 Thread Tilman Schmidt
On 31.03.2012 17:37, Les Mikesell wrote: On Sat, Mar 31, 2012 at 8:06 AM, Peter Eckel li...@eckel-edv.de wrote: So, before you do anything else, set up proper incoming and outgoing IPv6 port filtering rules on your perimeter routers. It will save you a hell of a headache. If the

Re: [CentOS] transition to ip6

2012-03-31 Thread Peter Eckel
Hi Lee, If the addresses are auto-discovered, how are you supposed to be able to configure filtering rules for what you want to let through? very simply. 1. Each interface on an IPv6 enabled machine has several addresses. One of them is the autoconfigured address, one is the (a) Privacy

Re: [CentOS] transition to ip6

2012-03-31 Thread Les Mikesell
On Sat, Mar 31, 2012 at 3:24 PM, Peter Eckel li...@eckel-edv.de wrote: If the addresses are auto-discovered, how are you supposed to be able to configure filtering rules for what you want to let through? very simply. 1. Each interface on an IPv6 enabled machine has several addresses. One

Re: [CentOS] transition to ip6

2012-03-30 Thread Stephen Harris
On Fri, Mar 30, 2012 at 02:23:55PM -0400, Bob Hoffman wrote: My question, since i have never done ip6 stuff, is what does that mean on my webservers? For modern software, not too much, really! Would I just need to replace my ip4 with ip6 in my eths, bonds, bridges, and configuration

Re: [CentOS] transition to ip6

2012-03-30 Thread Nataraj
On 03/30/2012 11:23 AM, Bob Hoffman wrote: I imagine some day in the near future there will be a switch to ipv6. I cannot imagine ever remembering the ip address then...crazy. My question, since i have never done ip6 stuff, is what does that mean on my webservers? Would I just need to

Re: [CentOS] transition to ip6

2012-03-30 Thread Tilman Schmidt
On 30.03.2012 20:23, Bob Hoffman wrote: I imagine some day in the near future there will be a switch to ipv6. Wrong. There will be no switch. IPv6 is just being added while IPv4 continues to function. Both will coexist for a long time yet. I cannot imagine ever remembering the ip address