On 12/9/11 6:29 PM, "Dobbins, Roland" <rdobbins(a)arbor.net> wrote:

> On Sep 12, 2011, at 12:55 PM, Michael Newbery wrote:
>
>> * NAT does not exist. If your application requires NAT (e.g. load balancing)
>> it's broken under IPv6. There is no workaround. This is a feature. NAT is
>> gone. [I found this probably the biggest mind-blow for some people]
>
> NAT <> load-balancing. I dislike both NAT and load-balancers for a lot of
> reasons, but load-balancing doesn't equate to NAT.

True, but the point I was making is that there are *some* load balancers
that use NAT. If you've got one of those, it doesn't work under IPv6 and
will never work.

In general, NAT seems to have seeped into the security consciousness, so
pointing out that NAT is gone in IPv6 is a big deal for security folk coming

>> * DHCP is optional. If you think you need DHCP, then re-evaluate very, very
>
> The current IPv6 DHCP brokenness will eventually be resolved, there's no
> choice in the matter.

The debate is ongoing in the IETF, but the point I'm making is again that
security folk make assumptions about things, like DHCP existing, which may
not be true in future. For instance, choosing RA rather than DHCPv6 could be
a perfectly rational decision for a company to make, which could then be a
bit of a shock to security if they are expecting DHCP to always be there.

>> * That best practice of providing reverse DNS entries for all possible
>> addresses on your LAN? Not possible. Gone.
>
> I don't know that this was ever a BCP. Reverse DNS for all *utilized*
> addresses on your LAN, sure, and it's still possible and recommended for IPv6.

RFC 1912: "every Internet-reachable host should have a name" and "for every
IP address, there should be a matching PTR record in the in-addr.arpa
domain". However, RFC 1912 is now 'Informational (Legacy Stream)'.

Now, if you have a /24, or even a /16, you can pre-fill your PTR with all
possible addresses. On IPv6, if you have a /48, no. DDNS of course works,
but again, that's something new for many organisations, which is, again, the
point I'm making: IPv6 means that things that you used to take for granted

>> * Reverse DNS as a way of encoding useful information is probably not very
>> useful anymore. Find a better way.
>
> Disagree (see above).

I suspect this is a whole different debate, but anyway: some places seem to
type names, so that they can look
at 192.168.1.66 and see where it (supposedly) resides. Personally, I loathe
this practice. If your security folk are depending on this---that is, they
are (ab)using the DNS as a sort of CRM---IPv6 may present them with some

>> * Address scanning your own LAN to find things?
>
> Disagree to some degree with regards to hinted scanning (again, see reverse
> DNS above). Flow telemetry is better.

If a company used to mindlessly troll its /24 every day to audit machines,
then just trying the same thing with a /48 is not going to yield the
expected results. :) Simply another case of having to do things differently
Michael Newbery IP Architect TelstraClear Limited
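The two points the thread circles around (reverse DNS for *utilised* addresses only, and flow telemetry instead of sweeping a /48) can be shown in one small script. This is an added illustration, not code from either poster: it builds an inventory of in-prefix hosts from constructed flow records, emits ip6.arpa PTR records for just those hosts, and contrasts the record counts a full pre-fill of a /24 and a /48 would need. The organisation prefix 2001:db8:1234::/48 (RFC 3849 documentation space), the flow lines, the `host-<last 16 bits>` naming scheme and the `example.net` zone are all assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Assumed organisation prefix (RFC 3849 documentation space, not from the thread).
ORG_PREFIX = "2001:db8:1234::/48"

# Constructed flow records: "src,dst,bytes". Real exporters (NetFlow/IPFIX)
# carry far more fields; only the address pair matters for inventory here.
FLOW_RECORDS = """\
2001:db8:1234:1::10,2001:db8:ffff::53,1200
2001:db8:1234:1:a1b2:c3d4:e5f6:7a8b,2001:db8:ffff::80,5400
2001:db8:ffff::53,2001:db8:1234:1::10,800
2001:db8:1234:2::25,2001:db8:1234:1::10,300
fe80::1,ff02::1,64
2001:db8:ffff::1,2001:db8:1234:9:1:2:3:4,9000
"""


def parse_flows(text):
    """Parse 'src,dst,bytes' lines into (IPv6Address, IPv6Address, int) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, nbytes = line.split(",")
        records.append((ipaddress.IPv6Address(src),
                        ipaddress.IPv6Address(dst), int(nbytes)))
    return records


def utilised_hosts(records, prefix=ORG_PREFIX):
    """Count how often each in-prefix address appears as src or dst.

    This is the flow-telemetry inventory: link-local, multicast and
    off-prefix addresses are ignored, and no packet is ever sent.
    """
    net = ipaddress.IPv6Network(prefix)
    seen = Counter()
    for src, dst, _ in records:
        for addr in (src, dst):
            if addr in net:
                seen[str(addr)] += 1
    return seen


def ptr_records(hosts, zone_suffix="example.net"):
    """Emit ip6.arpa PTR records for utilised hosts only.

    Hostnames follow a constructed scheme, host-<last 16 bits>, purely so the
    output is deterministic; a real zone would take names from an asset DB.
    """
    lines = []
    for host in sorted(hosts, key=ipaddress.IPv6Address):
        addr = ipaddress.IPv6Address(host)
        owner = addr.reverse_pointer          # nibble-reversed, ends in ip6.arpa
        label = addr.exploded.replace(":", "")[-4:]
        lines.append(f"{owner}. PTR host-{label}.{zone_suffix}.")
    return lines


def prefill_count(prefix):
    """Number of PTR records a full pre-fill of `prefix` would need."""
    return ipaddress.ip_network(prefix).num_addresses


if __name__ == "__main__":
    hosts = utilised_hosts(parse_flows(FLOW_RECORDS))
    print(f"{len(hosts)} hosts seen in {ORG_PREFIX} via flow records")
    for rr in ptr_records(hosts):
        print(rr)
    print(f"pre-fill of 192.0.2.0/24 needs {prefill_count('192.0.2.0/24')} PTRs")
    print(f"pre-fill of {ORG_PREFIX} needs {prefill_count(ORG_PREFIX)} PTRs")
```

Feeding the script real exporter output means replacing `FLOW_RECORDS` with the src/dst columns of your collector; the inventory side needs nothing else, which is the practical content of "flow telemetry is better" once a /48 (2^80 addresses) rules out both pre-filled PTRs and periodic sweeps.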