Re: [CentOS] transition to ip6

2012-04-02 Thread Les Mikesell
On Mon, Apr 2, 2012 at 7:33 PM, Adam Tauno Williams wrote: > On Mon, 2012-04-02 at 09:59 -0500, Les Mikesell wrote: >> On Mon, Apr 2, 2012 at 9:39 AM, Peter Eckel wrote: >> > When there really is a requirement that the external server allows >> only a single address to access it and that can't b

Re: [CentOS] transition to ip6

2012-04-02 Thread Adam Tauno Williams
On Mon, 2012-04-02 at 11:11 -0400, Stephen Harris wrote: > On Mon, Apr 02, 2012 at 04:39:17PM +0200, Peter Eckel wrote: > > network. Security-wise there is no difference as you'll never get smaller > > allocations than /64 per site anyway, so what with respect to filterin > *gigglefit > One of my p

Re: [CentOS] transition to ip6

2012-04-02 Thread Adam Tauno Williams
On Mon, 2012-04-02 at 09:59 -0500, Les Mikesell wrote: > On Mon, Apr 2, 2012 at 9:39 AM, Peter Eckel wrote: > > When there really is a requirement that the external server allows > only a single address to access it and that can't be changed, you > could resort to using a proxy. > What is typical

Re: [CentOS] transition to ip6

2012-04-02 Thread Peter Eckel
Hi Les (sorry for calling you 'Lee' before), > What is typical or reasonable for source address restrictions? That > is, if there are 2 global organizations, and one wants to increase > the security on access to a service by limiting to the source > addresses that might come from the other, is th

Re: [CentOS] transition to ip6

2012-04-02 Thread Lamar Owen
On Monday, April 02, 2012 11:11:29 AM Stephen Harris wrote: > One of my providers gave me a single(!) IPv6 address. Another one has > subdivided a /64 into multiple /96's (one for each customer). > > You might want to rethink the /64 concept! Subscribe to the NANOG list, and let that group know

Re: [CentOS] transition to ip6

2012-04-02 Thread Stephen Harris
On Mon, Apr 02, 2012 at 05:30:57PM +0200, Peter Eckel wrote: > Hi Stephen, > > Another one has subdivided a /64 into multiple /96's (one for each > > customer). > > Yuck. That doesn't make sense at all. > > SLAAC won't work, Privacy Extensions won't work ... you're stuck with static > addres

Re: [CentOS] transition to ip6

2012-04-02 Thread Peter Eckel
Hi Stephen, > *gigglefit* > > One of my providers gave me a single(!) IPv6 address. Actually that's at least something the IETF has thought of ... if it is certain that one and only one device will be connected. I'm not actually sure what use case there is for such a connection, but at least

Re: [CentOS] transition to ip6

2012-04-02 Thread Stephen Harris
On Mon, Apr 02, 2012 at 04:39:17PM +0200, Peter Eckel wrote: > network. Security-wise there is no difference as you'll never get smaller > allocations than /64 per site anyway, so what with respect to filtering *gigglefit* One of my providers gave me a single(!) IPv6 address. Another one has su

Re: [CentOS] transition to ip6

2012-04-02 Thread Les Mikesell
On Mon, Apr 2, 2012 at 9:39 AM, Peter Eckel wrote: > >> So what does that mean for a client application (http/ftp,etc.) where >> you might have local firewalls permitting things for internal-subnet >> source ranges but you also have external targets that only accept >> pre-configured static source

Re: [CentOS] transition to ip6

2012-04-02 Thread Peter Eckel
Hi Lee, > So what does that mean for a client application (http/ftp,etc.) where > you might have local firewalls permitting things for internal-subnet > source ranges but you also have external targets that only accept > pre-configured static sources? Are you referring to the situation where you

Re: [CentOS] transition to ip6

2012-04-02 Thread Les Mikesell
On Mon, Apr 2, 2012 at 5:28 AM, Peter Eckel wrote: > > Routing tables won't do much for you when you have several different IP > addresses (stateless autoconfigured, privacy extension and static) within the > same network on the same physical interface - they'll all use the same route. > The lon

Re: [CentOS] transition to ip6

2012-04-02 Thread Peter Eckel
Hi Adam, > Typically the routing table does a lot of work. Much like 127.0.0.0/8 > the mask of a link-local will make it unpreferred by 'public' traffic. > There is also a syntax for specifying the outbound interface for > traffic. Routing tables w

Re: [CentOS] transition to ip6

2012-04-02 Thread Peter Eckel
Hi Adam, > You can explicitly turn it off on every type of client. Then wait till > you want to do it. agreed. The problem is that you can, and you actually *must* do it. Doing nothing leaves v6 on by default on most modern operating systems. >

Re: [CentOS] transition to ip6

2012-04-02 Thread Peter Eckel
Hi Adam, > Or you assign the rule to the interface, rather than the address. > Nothing new, that is how firewalls work on DHCP clients today. that will be pretty difficult on the perimeter router ... Best regards, Peter.

Re: [CentOS] transition to ip6

2012-04-02 Thread Adam Tauno Williams
On Sat, 2012-03-31 at 16:38 -0500, Les Mikesell wrote: > On Sat, Mar 31, 2012 at 3:24 PM, Peter Eckel wrote: > > 1. Each interface on an IPv6 enabled machine has several addresses. > > 2. Except for the Privacy Extension address(es), auto-configured a > How do applications choose the correct outbo

Re: [CentOS] transition to ip6

2012-04-02 Thread Adam Tauno Williams
On Sat, 2012-03-31 at 15:06 +0200, Peter Eckel wrote: > Hi Adam, > > And recent computer or distributions is sitting there quietly waiting > > for its IPv6 address to arrive - probably automatically, via auto > > discovery. Clients are trivial. > ... and that is EXACTLY the biggest problem with

Re: [CentOS] transition to ip6

2012-04-02 Thread Adam Tauno Williams
On Sat, 2012-03-31 at 19:52 +0200, Tilman Schmidt wrote: > Am 31.03.2012 17:37, schrieb Les Mikesell: > > On Sat, Mar 31, 2012 at 8:06 AM, Peter Eckel wrote: > >> So, before you do anything else, set up proper incoming and outgoing IPv6 > >> port filtering rules on your perimeter routers. It will

Re: [CentOS] transition to ip6

2012-04-01 Thread Peter Eckel
Hi Lee, > How do applications choose the correct outbound address in that > scenario? That has always been a problem when using multiple ipv4 > addresses on the same interface in combination with firewalling, etc. > where the source address matters. that problem hasn't changed too much from IPv

Re: [CentOS] transition to ip6

2012-03-31 Thread Les Mikesell
On Sat, Mar 31, 2012 at 3:24 PM, Peter Eckel wrote: > >> If the addresses are auto-discovered, how are you supposed to be able to >> configure filtering rules for what you want to let through? > > very simply. > > 1. Each interface on an IPv6 enabled machine has several addresses. One of > them

Re: [CentOS] transition to ip6

2012-03-31 Thread Peter Eckel
Hi Lee, > If the addresses are auto-discovered, how are you supposed to be able to > configure filtering rules for what you want to let through? very simply. 1. Each interface on an IPv6 enabled machine has several addresses. One of them is the autoconfigured address, one is the (a) Privacy

Re: [CentOS] transition to ip6

2012-03-31 Thread Tilman Schmidt
Am 31.03.2012 17:37, schrieb Les Mikesell: > On Sat, Mar 31, 2012 at 8:06 AM, Peter Eckel wrote: >> >> So, before you do anything else, set up proper incoming and outgoing IPv6 >> port filtering rules on your perimeter routers. It will save you a hell of a >> headache. > > If the addresses are

Re: [CentOS] transition to ip6

2012-03-31 Thread Lamar Owen
On Saturday, March 31, 2012 06:44:38 AM Adam Tauno Williams wrote: > > We've been running out of IPv4 addresses and needing to convert someday > > soon for the last 10 years..., but yet the vast majority of broadband > > providers and even most ISPs don't support it yet. > You've got another couple

Re: [CentOS] transition to ip6

2012-03-31 Thread Ryan Wagoner
On Sat, Mar 31, 2012 at 11:37 AM, Les Mikesell wrote: > On Sat, Mar 31, 2012 at 8:06 AM, Peter Eckel wrote: > > > >> And recent computer or distributions is sitting there quietly waiting > >> for its IPv6 address to arrive - probably automatically, via auto > >> discovery. Clients are trivial.

Re: [CentOS] transition to ip6

2012-03-31 Thread Les Mikesell
On Sat, Mar 31, 2012 at 8:06 AM, Peter Eckel wrote: > >> And recent computer or distributions is sitting there quietly waiting >> for its IPv6 address to arrive - probably automatically, via auto >> discovery. Clients are trivial. > > ... and that is EXACTLY the biggest problem with IPv6. > > 'I

Re: [CentOS] transition to ip6

2012-03-31 Thread Peter Eckel
Hi Adam, > And recent computer or distributions is sitting there quietly waiting > for its IPv6 address to arrive - probably automatically, via auto > discovery. Clients are trivial. ... and that is EXACTLY the biggest problem with IPv6. 'Introd

Re: [CentOS] transition to ip6

2012-03-31 Thread Bob Hoffman
On 3/31/2012 6:44 AM, Adam Tauno Williams wrote: >> We've been running out of IPv4 addresses and needing to convert someday >> soon for the last 10 years..., but yet the vast majority of broadband >> providers and even most ISPs don't support it yet. > > You've got another couple of months. I belie

Re: [CentOS] transition to ip6

2012-03-31 Thread Adam Tauno Williams
> We've been running out of IPv4 addresses and needing to convert someday > soon for the last 10 years..., but yet the vast majority of broadband > providers and even most ISPs don't support it yet. You've got another couple of months. I believe most U.S. network providers have agreed to a 'flag

Re: [CentOS] transition to ip6

2012-03-31 Thread Adam Tauno Williams
On Fri, 2012-03-30 at 14:23 -0400, Bob Hoffman wrote: > I imagine some day in the near future there will be a switch to ipv6. A long way off; for a long time things will be dual-stack. It isn't either IPv4 or IPv6, they coexist just fine. > I cannot imagine ever remembering the ip address then.

Re: [CentOS] transition to ip6

2012-03-30 Thread Tilman Schmidt
Am 30.03.2012 20:23, schrieb Bob Hoffman: > I imagine some day in the near future there will be a switch to ipv6. Wrong. There will be no switch. IPv6 is just being added while IPv4 continues to function. Both will coexist for a long time yet. > I cannot imagine ever remembering the ip address th

Re: [CentOS] transition to ip6

2012-03-30 Thread Nataraj
On 03/30/2012 11:23 AM, Bob Hoffman wrote: > I imagine some day in the near future there will be a switch to ipv6. > I cannot imagine ever remembering the ip address then...crazy. > > My question, since i have never done ip6 stuff, is what does that mean > on my webservers? > > Would I just need t

Re: [CentOS] transition to ip6

2012-03-30 Thread Stephen Harris
On Fri, Mar 30, 2012 at 02:23:55PM -0400, Bob Hoffman wrote: > My question, since i have never done ip6 stuff, is what does that mean > on my webservers? For modern software, not too much, really! > Would I just need to replace my ip4 with ip6 in my eths, bonds, bridges, > and configuration fil

[CentOS] transition to ip6

2012-03-30 Thread Bob Hoffman
I imagine some day in the near future there will be a switch to ipv6. I cannot imagine ever remembering the ip address then...crazy. My question, since i have never done ip6 stuff, is what does that mean on my webservers? Would I just need to replace my ip4 with ip6 in my eths, bonds, bridges,