Even though I wasn't the organizer last night, I want to thank everyone who showed up and participated. I found it very informative and interesting, and apparently so did many other people, reluctantly getting up to go home after 9, for the sake of needing to go home *some* time. ;-)
There were several points of interest I thought were valuable to stab a little deeper into:

Even as ISPs roll out IPv6, they will not kill IPv4 anytime soon (not in the next 5 yrs). So for now, that's the solution to the DNS problem. Apple, MS, etc. have plenty of time to work out the details of DNS deployment, DHCPv6 and so on. Someday, you might have to pay extra to have IPv4 enabled on your network connection.

The references that I cited were: Running IPv6, Iljitsch van Beijnum. It's good for an understanding of IPv6, but since it's like 5 yrs old, it's out of date in terms of configuring IPv6 on your system. Fortunately, that doesn't matter at all, because nowadays enabling IPv6 is trivial. I could share it with anyone who wants it, for up to 2 weeks, if you happen to have a Kindle (or are willing to use the Mac or Windows Amazon Kindle reader). That should be enough to read the whole thing, or at least all the interesting parts. Also, I said it was $10. Sorry, my mistake, it's $35 to buy.

I mentioned NAT-PMP: http://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol

And I couldn't remember the name of IGD: http://en.wikipedia.org/wiki/Internet_Gateway_Device_Protocol

These are protocols that allow an IPv4 device behind NAT to communicate with the perimeter firewall, to auto-configure a hole through the firewall, to enable inbound traffic, to support peer-to-peer traffic. Today, these protocols are not widely built into firewalls, but some do support them. Generally speaking, professional-level security appliances don't support them, but hopefully that will become optional in the near future (and controllable via system policy), because I feel it's a very valuable thing, to enable peer-to-peer video conferences for example. The thing that's nice about NAT-PMP and IGD is that the client must explicitly request that the hole be opened at the perimeter firewall before inbound traffic is allowed in. So this is an additional layer of security, above just your software firewall.
Obviously, nobody feels very comfortable simply exposing all their internal IPs to the Internet. So this helps facilitate communications without sacrificing security. Today, if you want to do p2p, the recommendation would be IPv4 with one of these. Most p2p apps support it (Skype, BitTorrent, and many H.323 or SIP clients, etc.). The question that remains is whether or not your perimeter firewall supports it.

Moving forward, if you have world-routable IPv6 addresses, there's no need for NAT and hence no need for NAT-PMP or IGD. However, as mentioned before, the only security that NAT offers you is implicitly blocking inbound unknown traffic. Moving forward, the recommendation would be to still enable the firewall to block inbound unknown traffic, in which case the recommendation would be to use IPv6 *and* NAT-PMP or IGD, or the alternative du jour.

Not previously mentioned, the other security that NAT offers is internal network roadmap masking. That is, somebody outside has no way of knowing your internal network topology, subnet ranges or possible router hops.

Believe it or not, IPv6 can be NAT'd if you want to. (Though implementations may be sparse or nonexistent right now.) Many of the IETF idealists would scoff at that as being sacrilegious and defeating the purpose, but you can see how slowly things move when you're trying to be ideal. If striving for perfection, then critical components (DNS, DHCP) get left out by the time you need to use them. So, just as you can expect people to use DHCPv6 despite extremist objections, you can expect some organizations to do IPv6 NAT sometimes despite the extremist views of individuals in the IETF, specifically because they don't want to expose the internal network roadmap.

One thing that's cool is: if you do NAT your IPv6, you have a very large number of external IPs. So you could do a one-to-one mapping of internal IPs to external IPs, instead of the many-to-one mapping that's generally used in IPv4. Thus, you eliminate the p2p problems that IPv4 NAT has, and you're still able to do NAT.
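To make the "client must explicitly request the hole" point concrete, here is an added example (not from the original post) that decodes the NAT-PMP mapping request and response wire format from RFC 6886 and renders each request as an audit line, which is exactly what a gateway should log if these protocols are enabled under policy. The packets below are constructed, not captured; the client address, `audit_line` and `policy_allows` helpers are assumptions for illustration.

```python
import struct

NATPMP_PORT = 5351  # RFC 6886: gateway listens on UDP 5351, internal side only
OPCODES = {0: "external-address", 1: "map-udp", 2: "map-tcp"}
RESULT_CODES = {0: "success", 1: "unsupported-version", 2: "not-authorized",
                3: "network-failure", 4: "out-of-resources", 5: "unsupported-opcode"}

def parse_request(pkt: bytes) -> dict:
    """Decode a client -> gateway NAT-PMP request (version 0)."""
    if len(pkt) < 2 or pkt[0] != 0:
        raise ValueError("not a NAT-PMP v0 request")
    op = pkt[1]
    if op == 0 and len(pkt) == 2:
        return {"op": OPCODES[0]}
    if op in (1, 2) and len(pkt) == 12:
        # reserved(2) | internal port(2) | suggested external port(2) | lifetime(4)
        _, internal, external, lifetime = struct.unpack("!HHHI", pkt[2:])
        return {"op": OPCODES[op], "internal_port": internal,
                "suggested_external_port": external, "lifetime": lifetime}
    raise ValueError(f"malformed NAT-PMP request (opcode {op}, {len(pkt)} bytes)")

def parse_response(pkt: bytes) -> dict:
    """Decode a gateway -> client mapping response (opcode = 128 + request opcode)."""
    if len(pkt) != 16 or pkt[0] != 0 or pkt[1] not in (129, 130):
        raise ValueError("not a NAT-PMP v0 mapping response")
    # result(2) | seconds since epoch(4) | internal port(2) | external port(2) | lifetime(4)
    result, epoch, internal, external, lifetime = struct.unpack("!HIHHI", pkt[2:])
    return {"op": OPCODES[pkt[1] - 128], "result": RESULT_CODES.get(result, result),
            "seconds_since_epoch": epoch, "internal_port": internal,
            "external_port": external, "lifetime": lifetime}

def policy_allows(req: dict, max_lifetime: int = 7200) -> bool:
    """Hypothetical gateway policy: only bounded-lifetime, non-privileged ports."""
    return (req["op"] != "external-address"
            and req["internal_port"] >= 1024 and req["lifetime"] <= max_lifetime)

def audit_line(client_ip: str, req: dict) -> str:
    """Render a mapping request as one audit log line (assumed format)."""
    verdict = "ALLOW" if policy_allows(req) else "DENY"
    return (f"natpmp client={client_ip} op={req['op']} "
            f"internal={req.get('internal_port')} "
            f"external={req.get('suggested_external_port')} "
            f"lifetime={req.get('lifetime')} verdict={verdict}")

# Constructed sample exchange: a SIP client behind NAT asks for TCP 5060 for an hour,
# and the gateway grants the same external port.
SAMPLE_REQUEST = bytes([0, 2]) + struct.pack("!HHHI", 0, 5060, 5060, 3600)
SAMPLE_RESPONSE = bytes([0, 130]) + struct.pack("!HIHHI", 0, 123456, 5060, 5060, 3600)
```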
bblisa mailing list: http://www.bblisa.org/mailman/listinfo/bblisa
