ipv6 - how does it work?
30-06-2012 7:17 PM
My understanding of IPv6 is that there is enough address space to enable every device on the planet (and more) to have a public address.
So if it is enabled on plusnet, are users likely to be offered an equivalent of a block of IP addresses by default?
And what sort of security implications does this have, eg with multiple clients on your network with public IPs rather than private IPs and NAT being used?
With IPv4 and private addressing, most effort goes into the perimeter firewall. External connections are dropped if there isn't an internal request (assuming there's no port forwarding etc) so even without firewall rules, NAT offers protection.
How will this work with public IPs and no NAT? Am I right in assuming that if you do not have a properly configured firewall for an IPv6 address, you could have a major security issue within your internal network?
Re: ipv6 - how does it work?
30-06-2012 9:19 PM
Yes, IPv6 has a "lot" of addresses - 2^^128. By default, when Plusnet rolls out you will be getting a /56 allocation which means the first 56 bits identify the prefix allocated to you, and that leaves you with 72 bits to use (2^^72 addresses :o). The normal* subnet size for a network is 64 bits so you can have up to 256 subnets within your allocation.
* There are many technical and non-technical reasons why you shouldn't use anything else. Definitely no less, and for a home network, no reason to use more.
Now then, security and privacy are two things that cause "a certain amount of discussion"
Security:
The default for any router worth using should be to run a stateful firewall with a default inbound policy of "drop everything". That will give you the same level of protection that using NAT under IPv4 gives you - ie there can be no inbound traffic unless you change the firewall settings to allow it.
Privacy:
Now there's a bigger debate here. The default is for (many) devices to self allocate an address by combining the subnet information provided by routers (by way of broadcast Router Advertisements, or RAs for short) with the MAC address of the interface. As you've guessed, this does mean that services you connect to can identify the individual machine that you use, and if they so wish, track you as you move between networks. All major OSs should allow the setting of a more private mode where the address is randomly chosen and will change when you disconnect/reconnect to a network (ie move between networks, restart, suspend/resume, etc). I've an idea Windows does this by default, with Mac OS X it's something you can turn on with some command line incantation.
Don't forget that you can run IPv4 without NAT. Most people tend to be using NAT because they can't get the addresses needed to run without it. When ManLUG used to meet in the university, all the machines there ran on public IPs (the uni got a massive allocation before it became apparent that there'd be shortages), and at work we run a lot of hosted stuff that all runs on public IPs so it would be quite feasible to run our desktops on the spare addresses (we got a /24 allocation, also before the shortage was fully recognised).
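The stateful, default-drop behaviour described in the post above, modelled in a few lines as an added example (not part of the original post, and not any router's actual code). The addresses come from the 2001:db8::/32 documentation range, and the `StatefulFirewall` and `Packet` names and the sample traffic are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFirewall:
    """Simplified model: routed IPv6 LAN, no NAT, inbound policy 'drop'."""

    def __init__(self, lan_prefix, pinholes=()):
        self.lan = ipaddress.IPv6Network(lan_prefix)
        # Inbound (proto, dst, dport) openings the owner added on purpose.
        self.pinholes = {(pr, ipaddress.IPv6Address(d), port)
                         for pr, d, port in pinholes}
        self.flows = set()  # flows started from inside the LAN

    def filter(self, p):
        src = ipaddress.IPv6Address(p.src)
        dst = ipaddress.IPv6Address(p.dst)
        # Assumption: direction is inferred from the source address; a real
        # router decides by the interface the packet arrived on.
        if src in self.lan:
            self.flows.add((p.proto, src, p.sport, dst, p.dport))
            return "accept"
        # Inbound: accept only the mirror image of a recorded outbound flow.
        if (p.proto, dst, p.dport, src, p.sport) in self.flows:
            return "accept"
        if (p.proto, dst, p.dport) in self.pinholes:
            return "accept"
        return "drop"

def demo():
    # Constructed sample traffic.
    pc, web, other = "2001:db8:1234:5601::10", "2001:db8:ffff::80", "2001:db8:aaaa::1"
    fw = StatefulFirewall("2001:db8:1234:5601::/64")
    return [
        fw.filter(Packet("tcp", other, 40000, pc, 22)),   # unsolicited
        fw.filter(Packet("tcp", pc, 50000, web, 443)),    # outbound request
        fw.filter(Packet("tcp", web, 443, pc, 50000)),    # reply to that request
        fw.filter(Packet("tcp", web, 443, pc, 50001)),    # no matching flow
    ]
```

The LAN host has a globally routable address throughout, yet only the reply to its own request gets in; everything else inbound is dropped unless a pinhole was configured.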
Re: ipv6 - how does it work?
01-07-2012 1:41 PM
Quote from: SimonHobson The default is for (many) devices to self allocate an address by combining the subnet information provided by routers (by way of broadcast Router Advertisements, or RAs for short) with the MAC address of the interface
I was entering some Static DHCP devices into my Router (IPv4) and while entering the MAC addresses it occurred to me that these are only 12 hex digits long, i.e. 48 bits. So as IPv6 can address so many more devices what is the new MAC address format for IPv6? If still only 48 bits that will mean at some point multiple devices in the world will have duplicate MAC addresses.
Re: ipv6 - how does it work?
02-07-2012 2:46 PM
Quote If still only 48 bits that will mean at some point multiple devices in the world will have duplicate MAC addresses
http://www.erg.abdn.ac.uk/~gorry/eg3561/lan-pages/mac-vendor-codes.html
Unlike IP addresses, MAC addresses only need to be unique within a single collision domain (usually a single subnet). It's only a problem if multiple network cards have the same MAC address if they try to coexist on the same local network. Network interface manufacturers are allocated blocks of MAC addresses which they allocate to devices as they are produced, and apply for additional blocks before they reach the end of their allocation. Whilst any form of preallocation leads to wastage, it should not be enough to cause any problems in the foreseeable future. Worst case, manufacturers can re-use MAC addresses they previously allocated to obsolete networking hardware (10Mbps coax, Token Ring, etc.)
Doug
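How the MAC-derived address discussed in this exchange is formed from a /64 inside a /56 allocation, and how to check whether an address exposes the interface's MAC, as an added example that is not part of the original posts. The prefix is from the 2001:db8::/32 documentation range, and the MAC address and function names are constructed for illustration.

```python
import ipaddress

def lan_subnets(delegation):
    """Split a delegated prefix (e.g. a /56) into its /64 LAN subnets."""
    return list(ipaddress.IPv6Network(delegation).subnets(new_prefix=64))

def eui64_address(prefix, mac):
    """Address a host self-assigns from an advertised /64 and its 48-bit MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("address autoconfiguration expects a /64 prefix")
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("MAC address must be 48 bits")
    # 48 -> 64 bits: insert ff:fe in the middle and flip the
    # universal/local bit (0x02) of the first octet.
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))

def embedded_mac(addr):
    """Return the MAC an address gives away, or None if none is visible.

    Heuristic: an ff:fe marker in the middle of the lower 64 bits. A random
    (privacy) identifier matches it only by rare coincidence.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{x:02x}" for x in mac)

def audit(addresses):
    """Map each address to the MAC it exposes (None when it exposes none)."""
    return {a: embedded_mac(a) for a in addresses}
```

Running `audit` over the addresses configured on your own hosts shows which ones still carry the hardware address and would look the same on any network, which is the case the privacy mode mentioned earlier in the thread avoids.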
Re: ipv6 - how does it work?
02-07-2012 8:08 PM
So, when plusnet offers an ipv6 address, do you turn off NAT, use routing and just configure your router's dhcp server to hand out ipv6 addresses within your allocation?
and how many addresses is (2^^72 addresses)? If that means 2 to the power of 72 then that equals 4,722,366,482,869,645,213,696
Re: ipv6 - how does it work?
03-07-2012 8:52 PM
I think this is a good basic tutorial. It certainly gave me a better understanding.
http://www.9tut.com/ipv6-tutorial
Page 2 with its diagrams explains it well.
Re: ipv6 - how does it work?
04-07-2012 9:28 PM
Quote from: millsdon when plusnet offers an ipv6 address, do you turn off NAT, use routing and just configure your router's dhcp server to hand out ipv6 address's within your allocation?
Not really, you have to forget (to some extent) what you've got used to with IPv4 and learn a load of new stuff.
Whatever you are doing now with IPv4 will stay as it is - no change. The NAT you probably use now will stay - for IPv4.
For IPv6, that's a new layer that will run in parallel with your IPv4 - in principle they are different and aren't in any way related.
Because you get so many addresses with IPv6 (see below), then there is no need for NAT. You literally can run every device you have (and "quite a few more") on public IPs without risk of running out. This isn't a security concern, but may be a privacy concern (as noted earlier) if you don't use any privacy features.
Quote and how many addresses is (2^^72 addresses)? If that means 2 to the power of 72 then that equals 4,722,366,482,869,645,213,696
Yes it is 2 to the power of 72, it is that very big number (I'll take your word on the exact number, my calculator doesn't go that far !). There are 2^^32 addresses (just over 4 billion) in total for IPv4, big chunks of that are wasted, reserved for specific uses, or otherwise not available, and of what's left, there is now not a single address block not allocated to an RIR (Regional Internet Registry). The minimum subnet size for IPv6 is 2^^64, or about 18 million million million addresses :o, so you aren't likely to run out. I can see some ISPs might be stingy and only allocate a single /64, plusnet will be giving up a /56, which is 8 bits more and allows us to run 256 of those very big /64 subnets. Since Plusnet will get a /32 from the registry, that means they still have 24 bits (56 - 32) in between - so their single allocation will support over 16 million customers, each with a /56. Yes, IPv6 has some very big numbers.
Just to add, since ISPs get a /32 allocation, there is enough address space in IPv6 for there to be as many ISPs as there are total IPv4 addresses (roughly). So enough for about one ISP per 2 or 3 people on the planet - should keep us going for a while !