IPv6 - Is this correct or just scare mongering

Community Veteran
Posts: 38,460
Thanks: 1,031
Fixes: 62
Registered: ‎15-06-2007

IPv6 - Is this correct or just scare mongering
The elephant in the room is renumbering. In the IPv4 world, you have one internet addressable IP address and the rest of your network lives in a non-routable space. Your internal network is on the other end of a NAT firewall, subnetted and organized into something that makes sense for the local sysadmins. 
If you need to change your internet service provider for any reason, that's perfectly okay. Your external address changes, a few firewall rules are changed and life moves on. If you need to reorganize your address space internally, no problem! You execute the change, and the outside world is none the wiser. Simple, easy and convenient.
In an IPv6 world, this is a no-no. There is no NAT; it was deemed heretical by the priestly caste of network engineers running the holy church of the IETF. Blasphemers are chastened and belittled. So what are our options?
The official answer is a combo deal. You must accept that renumbering is the new order. If you change ISPs and your assigned block changes then you must have every single computer, switch, router, printer, and network-attached doodad change with it.
No more static addresses, not even for servers. Everything should be configured by DHCP or stateless autoconfiguration. Whereas in an IPv4 world you created firewall rules for servers (and the applications they ran) by IP, in an IPv6 world your firewall will still work because all your systems should have proper fully qualified domain names.
Posts: 246
Thanks: 2
Registered: ‎25-06-2009

Re: IPv6 - Is this correct or just scare mongering

Hi OldJim,
There are some grounds for being worried about this, but in general the benefits of getting rid of NAT outweigh the disadvantages; for most consumer users, the auto address configuration in IPv6 is a lot more seamless than in IPv4.
There are configuration options but these would require an IPAM (IP address management) tool. An alternative could be to run a DHCPv6 server at the border. You get a prefix, let’s say a /48, and you can use a stateful DHCPv6 server (not currently supported on our gateway) to hand out addresses. The latter can potentially use a mechanism with options, reserved leases or … to better control what is being handed out.
Bear in mind that IPv6 interfaces always have multiple unicast addresses, globally routable addresses and locally routable addresses. Assigning local addresses to devices for local use will be the equivalent of the 192.168.1.x addresses; these devices will also have a globally routable address.
The local link address will either be derived from the MAC address or a random value - or possibly static.
In IPv6 address auto configuration, if a router is present then the global address will be derived from the prefix obtained from the router and the MAC address / a random value.
A good presentation on the fundamentals was given at Sharkfest a couple of years ago, the link is here:
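
Added example, not part of the original posts: a Python sketch of the address derivation described in the reply above, showing that a change of ISP prefix alters only the upper 64 bits of a MAC-derived address, and that the MAC can be read back out of such an address. The MAC address and the 2001:db8::/32 documentation prefixes are constructed sample values, and the helper names are hypothetical.

```python
import ipaddress
import secrets

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, Appendix A)."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between the two MAC halves.
    eui = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]
    return int.from_bytes(eui, "big")

def random_iid() -> int:
    """Random 64-bit identifier, standing in for the 'random value' case."""
    return secrets.randbits(64)

def slaac_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine an advertised /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("autoconfiguration expects a /64 prefix")
    return net.network_address + iid

def addresses_for_host(mac: str, global_prefix: str) -> dict:
    """Link-local and global address a MAC-derived host would hold."""
    iid = eui64_iid(mac)
    return {"link_local": str(slaac_address("fe80::/64", iid)),
            "global": str(slaac_address(global_prefix, iid))}

def embedded_mac(addr: str):
    """Recover the MAC from an EUI-64 style address; None if no ff:fe marker.
    Heuristic: a random identifier can contain ff:fe by chance (about 1 in 65536)."""
    iid = (int(ipaddress.IPv6Address(addr)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{x:02x}" for x in mac)

if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                 # constructed sample MAC
    old_isp, new_isp = "2001:db8:1:10::/64", "2001:db8:beef:10::/64"
    before = addresses_for_host(mac, old_isp)
    after = addresses_for_host(mac, new_isp)
    print("link-local (unchanged):", before["link_local"])
    print("global before renumber:", before["global"])
    print("global after renumber: ", after["global"])
    print("MAC visible in address:", embedded_mac(after["global"]))
    print("random identifier:     ", slaac_address(new_isp, random_iid()))
```

Firewall rules that match the full global address break on renumbering, while the link-local address and the lower 64 bits stay the same; the MAC-derived form also lets an outside observer track the same device across prefixes, which the random form avoids.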