On 12/9/11 6:29 PM, "Dobbins, Roland" wrote:
> On Sep 12, 2011, at 12:55 PM, Michael Newbery wrote:
>> * NAT does not exist. If your application requires NAT (e.g. load balancing) it's broken under IPv6. There is no workaround. This is a feature. NAT is gone. [I found this probably the biggest mind-blow for some people]
> NAT <> load-balancing. I dislike both NAT and load-balancers for a lot of reasons, but load-balancing doesn't equate to NAT.
True, but the point I was making is that there are *some* load balancers that use NAT. If you've got one of those, it doesn't work under IPv6 and will never work. In general, NAT seems to have seeped into the security consciousness, so pointing out that NAT is gone in IPv6 is a big deal for security folk coming to IPv6.
>> * DHCP is optional. If you think you need DHCP, then re-evaluate very, very carefully.
> The current IPv6 DHCP brokenness will eventually be resolved, there's no choice in the matter.
The debate is ongoing in the IETF, but the point I'm making is again that security folk make assumptions about things, like DHCP existing, which may not be true in future. For instance, choosing RA rather than DHCPv6 could be a perfectly rational decision for a company to make, which could then be a bit of a shock to security if they are expecting DHCP to always be there.
>> * That best practice of providing reverse DNS entries for all possible addresses on your LAN? Not possible. Gone.
> I don't know that this was ever a BCP. Reverse DNS for all *utilized* addresses on your LAN, sure, and it's still possible and recommended for IPv6.
RFC 1912. "every Internet-reachable host should have a name" and "for every IP address, there should be a matching PTR record in the in-addr.arpa domain". However, RFC 1912 is now 'Informational (Legacy Stream)'. Now, if you have a /24, or even a /16, you can pre-fill your PTR with all possible addresses. On IPv6, if you have a /48, no. DDNS of course works, but again, that's something new for many organisations, which is, again, the point I'm making: IPv6 means that things that you used to take for granted have changed.
>> * Reverse DNS as a way of encoding useful information is probably not very useful anymore. Find a better way.
> Disagree (see above).
I suspect this is a whole different debate, but anyway: some places seem to like floor-pod-lan-workstation.example.com type names, so that they can look at 192.168.1.66 and see where it (supposedly) resides. Personally, I loathe this practice. If your security folk are depending on this---that is, they are (ab)using the DNS as a sort of CRM---IPv6 may present them with some challenges.
>> * Address scanning your own LAN to find things? Yeah, no.
> Disagree to some degree with regards to hinted scanning (again, see reverse DNS above). Flow telemetry is better.
If a company used to mindlessly troll its /24 every day to audit machines, then just trying the same thing with a /48 is not going to yield the expected results. :) Simply another case of having to do things differently with IPv6.

-- 
Michael Newbery
IP Architect
TelstraClear Limited
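The two IPv4 habits the thread argues over, pre-filling PTR records for every address and sweeping the whole LAN, can be put in numbers. The following is an added example and is not code from the thread or from either participant; it uses only the Python standard library, the documentation prefixes 192.0.2.0/24 and 2001:db8::/32, a constructed host inventory, and an assumed probe rate of 10,000 addresses per second. It shows the /24 versus /48 address counts, the resulting sweep time, and the "utilized addresses only" reverse-DNS approach that still works under IPv6 (the mapping a DDNS setup would maintain for you).

```python
"""Added example (not from the thread): why pre-filling reverse DNS and
sweeping the LAN, both routine on an IPv4 /24, do not carry over to an
IPv6 /48, and how to build ip6.arpa PTR records for the addresses that
are actually in use instead.  Standard library only."""
import ipaddress
from typing import Dict, List

SECONDS_PER_YEAR = 365 * 24 * 3600


def addresses_in(prefix: str) -> int:
    """Number of addresses covered by a CIDR prefix, IPv4 or IPv6."""
    return ipaddress.ip_network(prefix, strict=False).num_addresses


def sweep_years(prefix: str, probes_per_second: int = 10_000) -> float:
    """Years needed to probe every address in `prefix` once.

    The probe rate is an assumed figure for illustration; the conclusion
    does not change for any rate a LAN could realistically sustain."""
    return addresses_in(prefix) / probes_per_second / SECONDS_PER_YEAR


def ptr_name(address: str) -> str:
    """Reverse-DNS owner name for one address.

    IPv4: octets reversed under in-addr.arpa (RFC 1035, section 3.5).
    IPv6: all 32 hex nibbles of the expanded address, reversed and
    dot-separated, under ip6.arpa (RFC 3596, section 2.5).  The nibble
    form is why a /48 cannot be pre-filled: it would need 2**80 records."""
    return ipaddress.ip_address(address).reverse_pointer


def ptr_records(hosts: Dict[str, str]) -> List[str]:
    """Zone-file PTR lines for utilized addresses only, the approach that
    still works for IPv6 (DDNS would feed this same mapping automatically).
    `hosts` maps address -> FQDN; IPv4 entries sort before IPv6."""
    def key(item):
        ip = ipaddress.ip_address(item[0])
        return (ip.version, ip)
    return [f"{ptr_name(addr)}. PTR {fqdn}."
            for addr, fqdn in sorted(hosts.items(), key=key)]


if __name__ == "__main__":
    # Constructed inventory of hosts actually on the LAN, using the
    # documentation prefixes 192.0.2.0/24 (RFC 5737) and 2001:db8::/32
    # (RFC 3849); none of these are real hosts.
    inventory = {
        "192.0.2.66": "ws42.example.com",
        "2001:db8:1:2::66": "ws42.example.com",
        "2001:db8:1:2::1": "gw.example.com",
    }
    for prefix in ("192.0.2.0/24", "2001:db8::/48"):
        print(f"{prefix:16} {addresses_in(prefix):>26d} addresses, "
              f"full sweep at 10k probes/s: {sweep_years(prefix):.3g} years")
    for line in ptr_records(inventory):
        print(line)
```

Run it as a script to see the two prefixes side by side: the /24 sweep finishes in a fraction of a second, the /48 would take on the order of 10^12 years at the assumed rate, which is why flow telemetry or an authoritative inventory (not a sweep) has to be the source of truth for "what is on my LAN" in IPv6. The same 2**80 figure is the number of PTR records a pre-filled /48 reverse zone would need, so only the utilized-address records that `ptr_records` emits are practical.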