Re: address and port translation (NAT) no longer required in IPv6 -- but...
Hello,

Rick Thomas wrote:
> It eliminates the need for masquerading and port translation, but it does not eliminate the need for a proper firewall.

Unfortunately the plenty of public IPv6 space does not totally eliminate the need for NAT in some situations. Otherwise there would not be that RFC 5902 about IPv6 NAT... Situations where NAT may help which come to mind are multi-homing with ISP-specific prefixes, prefix renumbering...

> An (IPv4) router/NAT-box has the unavoidable side-effect of not allowing any incoming (Internet - LAN) connections unless they have been explicitly programmed by the user. Most people consider this to be a good thing.

Actually this is primarily a side effect of the use of private addresses which are (supposedly) unreachable from the public internet, not NAT. Some NAT implementations may act as a firewall, but this is implementation-dependent. Remember that the netfilter IPv4 NAT implementation in the Linux kernel does not do any filtering.

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4eff26ad.8050...@plouf.fr.eu.org
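An added example, not part of the thread: it puts a masquerade-only netfilter ruleset beside a stateful IPv6 forwarding ruleset and checks which of the two actually refuses unsolicited inbound connections, the distinction drawn in the message above. The interface names `wan0`/`lan0`, the function names and both rule dumps are constructed for illustration.

```shell
# Added example. Interface names wan0/lan0 and all function names are assumptions.

# Constructed sample, iptables-save format: a box that only masquerades.
# The nat table rewrites addresses; filter/FORWARD still accepts everything.
nat_only_ruleset() {
cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wan0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Constructed sample, ip6tables-restore format: stateful IPv6 router, no NAT.
# ICMPv6 errors for tracked flows (e.g. packet-too-big) match RELATED.
stateful_v6_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i lan0 -o wan0 -j ACCEPT
COMMIT
EOF
}

# Reads a dump on stdin; prints "default-deny" only if filter/FORWARD has
# policy DROP plus a conntrack ESTABLISHED accept, otherwise "open".
# (A chain that ends in an explicit catch-all DROP rule is not recognised.)
forward_posture() {
  awk '
    /^\*/ { table = substr($1, 2) }
    table == "filter" && $1 == ":FORWARD" { policy = $2 }
    table == "filter" && $1 == "-A" && $2 == "FORWARD" && /ESTABLISHED/ && /-j ACCEPT/ { stateful = 1 }
    END { print ((policy == "DROP" && stateful) ? "default-deny" : "open") }
  '
}

printf 'NAT only:      %s\n' "$(nat_only_ruleset | forward_posture)"
printf 'stateful IPv6: %s\n' "$(stateful_v6_ruleset | forward_posture)"
```

On a real router the same check can be fed from `ip6tables-save | forward_posture`.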
Re: address and port translation (NAT) no longer required in IPv6 -- but...
Thanks!

Can you provide some specific model numbers? I'll need a box that can do IPv6 tunneling over IPv4, since none of the ISPs I have access to have native IPv6 or any plans for it in the foreseeable future. Of course, it will also need to be able to do basic stateful firewall stuff, and the IPv4 side will need to do NAT and port translation.

Thanks!

Rick

On Dec 27, 2011, at 6:40 AM, Scott Ferguson wrote:
> Most of the manufacturers already do (or don't you consider sub-$100AU cheap?)
> Apple, Allied Telesis, AVM, Buffalo Tech, Cisco, D-Link, Funkwerk E.C., *cough* Juniper Networks, Linksys, Sonicwall, Trendnet. All sell cheap home/office routers.
> That's an incomplete list - and I've not covered enterprise solutions.

--
Archive: http://lists.debian.org/4772ca0a-9302-4eb1-9c71-8661abf56...@pobox.com
Re: address and port translation (NAT) no longer required in IPv6 -- but...
On 29/12/11 19:21, Rick Thomas wrote:

Please don't top-post. I'm lazy and likely to ignore emails that require effort to read.

> Thanks!

Sorry for the delay in answering - for some reason this had been flagged as spam.

> Can you provide some specific model numbers?

No - sorry, not for those specifications. But it's pretty simple to look up - especially compared to the difficulty of setting up stateful inspection rules. :-)

> I'll need a box that can do IPv6 tunneling over IPv4, since none of the ISPs I have access to have native IPv6 or any plans for it in the foreseeable future. Of course, it will also need to be able to do basic stateful firewall stuff, and the IPv4 side will need to do NAT and port translation.

My preference is to always use Debian - and it's certainly capable of doing what you want. If you want to buy a device that does that for you it will probably cost more than $100 as it requires a fair bit of processing power.

> Thanks!
>
> Rick
>
> On Dec 27, 2011, at 6:40 AM, Scott Ferguson wrote:
>> Most of the manufacturers already do (or don't you consider sub-$100AU cheap?)

snipped

Cheers

--
Iceweasel/Firefox extensions for finding answers to Debian questions:-
https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/

--
Archive: http://lists.debian.org/4efd6d6c.6060...@gmail.com
Re: address and port translation (NAT) no longer required in IPv6 -- but...
On Ma, 27 dec 11, 01:20:27, Rick Thomas wrote:
> (Sigh!) ;-\ Now if somebody would just manufacture and sell an inexpensive IPv6-capable SOHO router... /-; (sigh!)

Get the cheapest router that supports alternate firmware[1]. As far as I know most of the alternatives already support IPv6.

[1] OS would be more accurate

Regards,
Andrei

--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
Re: address and port translation (NAT) no longer required in IPv6 -- but...
OK I'm a novice, but it seems from my perspective that having adequate addresses is only the tech part of the issue. Verizon and other large ISPs don't want home owners to create servers accessible from outside their homes. If they find out you are doing so they will insist on charging you the _much_ higher business rate. Isn't that why they block and/or watch standard ports?

Keith Ostertag

> On Dec 26, 2011, at 3:44 PM, Andrei Popescu wrote:
>> On Lu, 26 dec 11, 21:39:27, Victor Nitu wrote:
>>> On 12/26/2011 08:00 PM, Andrei Popescu wrote:
>>>> This is one reason I welcome the switch to IPv6.
>>> Just out of curiosity: can you be more specific on this issue? (please excuse me for being a bit off-topic).
>> As far as I understand the main benefit and driver for adopting IPv6 is that there are enough addresses for every host in your lan to have its own public IP address, which completely eliminates (the need for) masquerading and (D)NAT.
>>
>> Hope this explains,
>> Andrei
>
> It eliminates the need for masquerading and port translation, but it does not eliminate the need for a proper firewall.
>
> An (IPv4) router/NAT-box has the unavoidable side-effect of not allowing any incoming (Internet - LAN) connections unless they have been explicitly programmed by the user. Most people consider this to be a good thing. That's not automatic anymore with IPv6. But it easily can (and should, by default) be programmed into any IPv6 router.
>
> (Sigh!) ;-\ Now if somebody would just manufacture and sell an inexpensive IPv6-capable SOHO router... /-; (sigh!)
>
> Hope that explains (a little more),
>
> Rick

--
Archive: http://lists.debian.org/403e4f6577e5a6d1f9ffd26e23064fef.squir...@webmail.strucktower.com
Re: address and port translation (NAT) no longer required in IPv6 -- but...
On 27/12/11 22:24, Andrei Popescu wrote:
> On Ma, 27 dec 11, 01:20:27, Rick Thomas wrote:
>> (Sigh!) ;-\ Now if somebody would just manufacture and sell an inexpensive IPv6-capable SOHO router... /-; (sigh!)

Most of the manufacturers already do (or don't you consider sub-$100AU cheap?)
Apple, Allied Telesis, AVM, Buffalo Tech, Cisco, D-Link, Funkwerk E.C., *cough* Juniper Networks, Linksys, Sonicwall, Trendnet. All sell cheap home/office routers.
That's an incomplete list - and I've not covered enterprise solutions.

> Get the cheapest router that supports alternate firmware[1]. As far as I know most of the alternatives already support IPv6.
>
> [1] OS would be more accurate
>
> Regards,
> Andrei

Anything that'll run DD-WRT will run IPV6 - so chances are you already have an IPV6 capable router. Or put some NICs in a dedicated Debian box.

Cheers

--
Iceweasel/Firefox extensions for finding answers to Debian questions:-
https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/

--
Archive: http://lists.debian.org/4ef9aeb2.5070...@gmail.com