-----Original Message-----
From: "Derek Smithies" <[email protected]>
> >because I'm sure IPv4 will be around in the public IP space for years.
>
>Really?
> I thought the trend in IT was for (almost) all predictions to be proved
> wrong.
>
> Methinks that the avalanche of shifting to IPv6 is gaining momentum. Yes,
> IPv4 will be around in a
> few years, but it will be super small fry.
And the prediction was we were going to run out of IPv4, the net was going to
fail, and IPv6 would be mandatory for all devices by, ummm, some time ago, so
I'm counter-predicting that IPv4 will hang in there for years. :-)
There will be a tipping point / avalanche though and it can't be too far away..
>Sheesh. And before the list police strike, Linux has done IPv6 for many years,
>and done it well.
>Not sure how many distros will cope with ipv6 - any comment? Surely the big
>boys have it nailed
>by now.
IPv6 is very on-topic, it's an open standard, and the 'net is predominantly run
on FOSS stuff. :-)
Debian/Ubuntu has been fine for at least a couple of years. I had some
problems with Red Hat EL6 and CentOS 12 months ago, maybe longer, but if you're
patched they're fine now. All of the minor distributions probably follow suit.
In the Unix world SmartOS/illumos are fine, Solaris 11 is good as well, dunno
about the others. Windows 7 and later works as well, although there was some
weirdness with Windows 2008 Server around Kerberos tickets for ADS and stateless
clients, but I understand it's fixed... OS X is fine as well, if that's your
thing.
The biggest issues I've had are with 6-4 return routes getting munged when
stateless clients change IPs for some weird reason. (Poor IPv6 implementation
on mobiles was the big one for me.) ICMP firewalling (it's a new game with
IPv6) and slow links getting saturated by ICMPv6. Firewalling of native IPv6
sites is a slightly new game as well, as all your on-site devices effectively
have public IPs.
> My understanding is that if you think of IPv6 as "just adding an extra 96
> bits to the addressing
> space" then you have it wrong.
> There is much much more that was added.
Under the heading of 'much more' is the stateless config that I've had problems
with. DHCPv6 is generally used only to send information about DNS, NTP servers
etc. The address is created by RA packets from the upstream router(s) and the
client makes up the lower 64 bits, which it keeps the same for all (or many)
different networks it attaches to. This is cool: you can tell who a client is
anywhere they connect and bad: you can track people. Depends on OS/Client
implementation, see comment about poor implementations of stateless IPv6
clients. Mutter mumble.
I only have one customer with on-site IPv6 so far, but that's been interesting.
Having functional DNS becomes a bigger issue with clients giving themselves
64bit unique chunks of their address and the site local chunk being pretty much
random as well means the old days of knowing the router would be 192.168.1.1 on
80% of sites are coming to an end. :-)
On that IPv6 site they had some initial glitches with security around this
after the previous IT provider opened up some ports to the site-local ip range
and wound up with port 80, 443, 21 and 22 open on all of the devices on their
network to the public internet.
Amazingly, given how big the network space is, something found them and
although it wasn't a true DDOS attack the traffic generated by failed FTP and
SSH attempts to the client machines (mostly Mac OS X) saturated the network. I
assume, but don't know for sure, that a drive-by on a website identified them
as being native IPv6 clients and that's what led to the site being attacked...
But even then attacking a 64bit range of addresses seems crazy, but someone in
Russia tried.
Oh, and a bunch of other stuff I've probably forgotten already... IPv6 is
coming, get your pitchforks out! :-)
Cheers, Chris H.
_______________________________________________
Linux-users mailing list
[email protected]
http://lists.canterbury.ac.nz/mailman/listinfo/linux-users
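
The stable lower 64 bits described in the message above, as an added example that is not part of the original post: it assumes the client builds its interface ID with modified EUI-64 (RFC 4291), which the message does not specify, and it uses constructed addresses in the 2001:db8::/32 documentation prefix. Given addresses from a log, it flags interface IDs that appear on more than one /64 and recovers the MAC where one is embedded.

```python
import ipaddress
from collections import defaultdict

# Constructed sample sightings (documentation prefix, made-up interface IDs).
SAMPLE = [
    "2001:db8:a:1:211:22ff:fe33:4455",   # EUI-64 host on network A
    "2001:db8:b:7:211:22ff:fe33:4455",   # same host on network B
    "2001:db8:b:7:5c3a:91e2:7d04:b6f1",  # randomised interface ID
]

def interface_id(addr: str) -> int:
    """Lower 64 bits of the address: the part the client picks under SLAAC."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)

def eui64_to_mac(addr: str):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    iid = interface_id(addr).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":      # EUI-64 inserts ff:fe between the MAC halves
        return None
    # Undo the universal/local bit flip applied to the first octet.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def correlate(addresses):
    """Map each interface ID seen on more than one /64 to those prefixes."""
    seen = defaultdict(set)
    for addr in addresses:
        ip = ipaddress.IPv6Address(addr)
        prefix = ipaddress.IPv6Network(((int(ip) >> 64) << 64, 64))
        seen[interface_id(addr)].add(str(prefix))
    return {f"{iid:016x}": sorted(p) for iid, p in seen.items() if len(p) > 1}

if __name__ == "__main__":
    for addr in SAMPLE:
        print(addr, "-> embedded MAC:", eui64_to_mac(addr))
    for iid, prefixes in correlate(SAMPLE).items():
        print("interface ID", iid, "seen on", ", ".join(prefixes))
```

Hosts this flags are candidates for temporary addresses (RFC 4941) or per-prefix stable interface IDs (RFC 7217), both of which stop the lower 64 bits from following the device between networks.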