Several used copies of the book Running IPv6 were available, as of last night, from Amazon for about $5, shipping included.
I too thank everyone for an interesting talk.

Doug

On 5/13/10, Edward Ned Harvey <[email protected]> wrote:
> Even though I wasn't the organizer last night, I want to thank everyone who
> showed up and participated. I found it very informative and interesting,
> and apparently so did many other people, reluctantly getting up to go home
> after 9, for the sake of needing to go home *some* time. ;-)
>
> There were several points of interest I thought were valuable to stab a
> little deeper into:
>
> Even as ISPs roll out IPv6, they will not kill IPv4 anytime soon (not in
> the next 5 yrs.) So for now, that's the solution to the DNS problem.
> Apple, MS, etc. have plenty of time to work out the details of DNS
> deployment, DHCPv6 and so on. Someday, you might have to pay extra to have
> IPv4 enabled on your network connection.
>
> The references that I cited were: Running IPv6, Iljitsch van Beijnum. It's
> good for an understanding of IPv6, but since it's like 5 yrs old, it's
> out-of-date in terms of configuring IPv6 on your system. Fortunately, that
> doesn't matter at all, because nowadays, enabling IPv6 is trivial.
>
> I could share it with anyone if they want, up to 2 weeks, if you happen to
> have a Kindle (or are willing to use the Mac or Windows Amazon Kindle reader).
> That should be enough to read the whole thing for all the interesting parts.
> Also, I said it was $10. Sorry, my mistake, it's $35 to buy.
>
> I mentioned NAT-PMP.
> http://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol
>
> And I couldn't remember the name of IGD.
> http://en.wikipedia.org/wiki/Internet_Gateway_Device_Protocol
>
> These are protocols that allow a NAT IPv4 device to communicate with the
> perimeter firewall, to auto-configure a hole through the firewall, to enable
> inbound traffic, to support peer-to-peer traffic. Today, these protocols
> are not widely built into firewalls. But some do support it. Generally
> speaking, professional level security appliances don't support it, but
> hopefully that will become optional in the near future (and controllable via
> system policy), because I feel it's a very valuable thing, to enable
> peer-to-peer video conferences for example.
>
> The thing that's nice about NAT-PMP and IGD is that the client must
> explicitly request the hole opened at the perimeter firewall before it's
> allowed in. So this is an additional layer of security, above just your
> software firewall. Obviously, nobody feels very comfortable simply exposing
> all their internal IPs to the Internet. So this helps facilitate
> communications without sacrificing security.
>
> Today, if you want to do p2p, the recommendation would be IPv4, with one of
> these. Most p2p apps support it (Skype, BitTorrent, and many H323 or SIP
> clients, etc.). The question that remains is whether or not your perimeter
> firewall supports it.
>
> Moving forward, if you have world routable IPv6 addresses, there's no need
> for NAT and hence no need for NAT-PMP or IGD. However. As mentioned
> before, the only security that NAT offers you is implicitly blocking inbound
> unknown traffic. Moving forward, the recommendation would be to still
> enable the firewall to block inbound unknown traffic. In which case, the
> recommendation would be to use IPv6, *and* NAT-PMP or IGD, or the
> alternative du jour.
>
> Not previously mentioned, the other security that NAT offers is internal
> network roadmap masking. That is, somebody outside has no way of knowing
> your internal network topology or subnet ranges and possible router hops.
>
> Believe it or not, IPv6 can be NAT'd if you want to. (Though implementation
> may be sparse or nonexistent right now.) Many of the IETF idealists would
> scoff at that as being sacrilegious and defeating the purpose, but you can
> see how slowly things move when you're trying to be ideal. If striving for
> perfection, then critical components (DNS, DHCP) get left out by the time
> you need to use them. So, just as you can expect people to use DHCPv6
> despite extremist objections, so you can expect some organizations to do
> IPv6 NAT sometimes despite the extremist views of individuals in the IETF.
> Specifically because they don't want to expose the internal network roadmap.
>
> One thing that's cool is: If you do NAT your IPv6, you have a very large
> number of external IPs. So you could do a one-to-one mapping of internal
> IPs to external IPs, instead of the many-to-one mapping that's generally
> used in IPv4. Thus, you eliminate the p2p problems that IPv4 NAT has, and
> you're still able to do NAT.

_______________________________________________
bblisa mailing list
[email protected]
http://www.bblisa.org/mailman/listinfo/bblisa
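The NAT-PMP exchange described in the quoted mail above (the client explicitly asks the gateway for a hole, ideally under an administrator-controlled policy), as an added example that is not from anyone in this thread: the 12-byte request and 16-byte response layouts follow RFC 6886; the allow-list policy, the SIP/8080 port numbers and the gateway uptime value are constructed for illustration.

```python
import struct

NATPMP_PORT = 5351           # UDP port a NAT-PMP gateway listens on (RFC 6886)
OP_MAP_UDP, OP_MAP_TCP = 1, 2
RESULT_SUCCESS, RESULT_REFUSED = 0, 2   # 2 = "Not Authorized/Refused"
RECOMMENDED_LIFETIME = 7200  # seconds; a lifetime of 0 deletes a mapping

def encode_map_request(proto, internal_port, external_port=0,
                       lifetime=RECOMMENDED_LIFETIME):
    """Build the 12-byte mapping request a client sends to its gateway."""
    op = OP_MAP_UDP if proto == "udp" else OP_MAP_TCP
    # vers=0, opcode, reserved, internal port, suggested external port, lifetime
    return struct.pack("!BBHHHI", 0, op, 0, internal_port, external_port, lifetime)

def parse_map_request(data):
    """Decode a mapping request; raises ValueError on malformed input."""
    if len(data) != 12:
        raise ValueError("NAT-PMP mapping request must be exactly 12 bytes")
    vers, op, _reserved, iport, eport, lifetime = struct.unpack("!BBHHHI", data)
    if vers != 0:
        raise ValueError("unsupported NAT-PMP version %d" % vers)
    if op not in (OP_MAP_UDP, OP_MAP_TCP):
        raise ValueError("opcode %d is not a mapping request" % op)
    return {"proto": "udp" if op == OP_MAP_UDP else "tcp",
            "internal_port": iport, "external_port": eport, "lifetime": lifetime}

def gateway_decide(req, allowed, uptime):
    """Gateway-side policy hook: grant only mappings on the allow-list
    (constructed policy shape {"udp": {ports}, "tcp": {ports}}).
    Returns the 16-byte response; response opcode = 128 + request opcode."""
    op = 128 + (OP_MAP_UDP if req["proto"] == "udp" else OP_MAP_TCP)
    if req["internal_port"] in allowed.get(req["proto"], ()):
        # Honour the suggested external port, or mirror the internal one
        eport = req["external_port"] or req["internal_port"]
        return struct.pack("!BBHIHHI", 0, op, RESULT_SUCCESS, uptime,
                           req["internal_port"], eport, req["lifetime"])
    # Refused: external port and lifetime zeroed, so no hole is opened
    return struct.pack("!BBHIHHI", 0, op, RESULT_REFUSED, uptime,
                       req["internal_port"], 0, 0)

def parse_map_response(data):
    """Decode the 16-byte gateway response into a dict."""
    vers, op, result, epoch, iport, eport, lifetime = struct.unpack("!BBHIHHI", data)
    return {"opcode": op, "result": result, "epoch": epoch,
            "internal_port": iport, "external_port": eport, "lifetime": lifetime}

if __name__ == "__main__":
    policy = {"udp": {5060}, "tcp": {5060}}            # constructed: SIP only
    req = parse_map_request(encode_map_request("udp", 5060))
    print(parse_map_response(gateway_decide(req, policy, uptime=1234)))
```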
