[ale] IPv6 has NAT, now.

Scott Plante splante at insightsys.com
Wed Oct 1 12:33:02 EDT 2014


This is actually a question from 2012. No one answered then and I'm still in the same place. Has anyone found or come up with IPv6 "best practices"? 


*-*-*-* 


I've done some reading on IPv6 and found a lot about how addressing works and how various commands are modified for IPv6, but I haven't found a good overview of how networks will be set up under IPv6 vs IPv4. I get that there are a lot of ways you *can* set up networks under v4 or v6, but most v4 networks are set up with one, or a few, public addresses, NAT, and each device getting a private address. Do you envision one predominant scheme for v6 networks? Will it be this--or if not, what? 


- Each private network will be allotted a large supply of public addresses 
- DHCP will continue to give out addresses, but now they will be from the supply of public addresses. 
- The firewall will generally allow or deny traffic to these public addresses, rather than translating from a given public address to a private address (for, say, a mail or web server). 
- When you make a request from your PC to a public web server, they would see your one public IPv6 address, rather than the IP of the firewall as they do now. The firewall would allow return traffic from the webserver to this otherwise blocked IP, rather than translating the response back to your private IP as it does now. 
- What about VPN connections? 

For servers, do you see assigning one address as its permanent internal address, and another as its "service" address? For example, if we're replacing a mail server, we might currently set up the new server with a new internal address, and at cutover time, just change the firewall to direct the external mail server address to the new mail server's internal address, leaving the old server accessible internally for a while. We could currently just reassign the internal IPs at switchover time. I suppose IPv6 NAT could allow you to pick one address for each service, then NAT it through to a different address that's currently providing that service. You could accomplish the same thing, more or less, by assigning the service address to the device currently providing the service in addition to a separate "permanent" address for the device. Of course, if you plan in advance, you could just bring your DNS TTL down to a short period and change the address there, but that always seems to cause problems. 


I guess what I'm asking (and maybe a lot of this is yet to be determined) is has anyone come across a sort of "best practices" guide for setting up IPv6 networks with regard to these kinds of issues? 


Scott 
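As an added example, not part of Scott's message: a POSIX shell script sketching the NAT-free edge setup described above. It generates an nftables ruleset that lets LAN hosts open connections outbound from their own global addresses, admits the return traffic by connection tracking (the part NAT used to do implicitly), and allows only SMTP in to a published service address; it also emits the command that puts a separate "service" address on whichever mail host currently provides the service. The interface names wan0/lan0/eth0, the 2001:db8:1::/64 documentation prefix, the address 2001:db8:1::25 and the table name "edge" are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Interface names, the
# 2001:db8::/32 documentation prefix and the mail addresses are assumptions.

WAN_IF="${WAN_IF:-wan0}"
LAN_IF="${LAN_IF:-lan0}"
LAN_PREFIX="${LAN_PREFIX:-2001:db8:1::/64}"
MAIL_SVC="${MAIL_SVC:-2001:db8:1::25}"   # stable service address published as the MX

# Emit an nftables ruleset for a router between WAN_IF and LAN_IF.
# There is no NAT: the router forwards to the hosts' global addresses
# and only decides what is allowed through.
gen_ruleset() {
    cat <<EOF
flush ruleset
table inet edge {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Return traffic for connections the inside opened (what NAT did implicitly)
        ct state established,related accept
        ct state invalid drop
        # ICMPv6 carries Neighbor Discovery and Path MTU Discovery; blocking it breaks IPv6
        meta l4proto ipv6-icmp accept
        # Inside hosts may open connections outbound from their own global addresses
        iifname "$LAN_IF" ip6 saddr $LAN_PREFIX accept
        # The only unsolicited inbound traffic: SMTP to the published service address
        iifname "$WAN_IF" ip6 daddr $MAIL_SVC tcp dport 25 accept
    }
}
EOF
}

# Command for the host currently providing the mail service: it keeps its
# permanent address and additionally carries the service address.
# preferred_lft 0 marks that address deprecated, so the host still answers
# on it but does not choose it as the source of its own outgoing connections.
# Cutover to a replacement host is then: delete here, add there, no DNS change.
gen_service_addr_cmd() {
    iface="$1"; svc="$2"
    printf 'ip -6 addr add %s/64 dev %s preferred_lft 0\n' "$svc" "$iface"
}

# Load the ruleset on the router when run as root with nft available;
# otherwise just print it for review.
apply_ruleset() {
    if [ "$(id -u)" -eq 0 ] && command -v nft >/dev/null 2>&1; then
        gen_ruleset | nft -f -
    else
        gen_ruleset
    fi
}

gen_ruleset
gen_service_addr_cmd eth0 "$MAIL_SVC"
```

Drop `preferred_lft 0` if outbound mail should also originate from the service address (so that reverse DNS and the MX line up), in which case the permanent address is only for management. The ICMPv6 accept is deliberately broad; a production ruleset would enumerate the types it needs, but filtering ICMPv6 as casually as ICMPv4 is the most common way an IPv6 deployment breaks.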
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20141001/7e1ec2d4/attachment.html>

