Re: /27 the new /24

[Mel Beckman <mel () beckman org>]

I recommend any of a number of online courses for a quick understanding of IPv6. But nothing beats making your own IPv6 
lab and getting hands-on experience. Here's a course I built walking you through that process:

http://windowsitpro.com/build-your-own-ipv6-lab-and-become-ipv6-guru-demand

 -mel beckman

> On Oct 4, 2015, at 7:49 AM, Stephen Satchell <list () satchell net> wrote:
>
> > On 10/04/2015 06:40 AM, Matthias Leisi wrote:
> > Fully agree. But the current state of IPv6 outside "professional“
> > networks/devices is sincerely limited by a lot of poor CPE and
> > consumer device implementations.
>
> I have to ask:  where is the book _IPv6 for Dummies_ or equivalent?
>
> Specifically, is http://www.xnetworks.es/contents/Infoblox/IPv6forDummies.pdf any good? (I just downloaded it to 
> inspect.)
>
> My bookshelf is full of books describing IPv4.  Saying "IPv6 just works" ignores the issues of configuring 
> intelligent firewalls to block the ne-er-do-wells using the new IP-level protocol.
>
> In Robert L. Ziegler's book _Linux Firewalls_ Second Edition (2002, ISBN 0-7357-1099-6), the *only* mention of IPv6 
> is in the discussion of NAT, and that discussion is limited to "NAT is a stopgap until IPv6 achieves wide 
> implementation.  A preview of the Third Edition fails to mention ip6tables at all, the same lack that the Second 
> Edition has.
>
> I use CentOS, the community version of Red Hat Enterprise.  I looked around for useful books on building IPv6 
> firewalls with the same granularity as the above-mentioned book for IPv4, and haven't found anything useful as yet.  
> In particular, I'm looking for material that lays out how to build a mostly-closed firewall and DMZ in IPv6.  The 
> lack of IPv6 support goes further:  I didn't find anything useful in Red Hat (CentOS) firewall tools that provides 
> IPv6 support...but that's probably because I don't know what I'm looking for.  (Also, that GUI software is intended 
> for use on individual servers/computers, not in a edge-firewall with forwarding and DMZ responsibilities.)
>
> Building a secure firewall takes more than just knowing how to issue ip6table commands; one also needs to know 
> exactly what goes into those commands.  NANOG concentrates on network operators who need to provide a good Internet 
> experience to all their downstream customers, which is why I see the bias toward openness...as it should be.  Those 
> of us who run edge networks have different problems to solve.
>
> I'm not asking NANOG to go past its charter, but I am asking the IPv6 fanatics on this mailing list to recognize 
> that, even though the net itself may be running IPv6, the support and education infrastructure is still behind the 
> curve.  Reading RFCs is good, reading man pages is good, but there is no guidance about how to implement end-network 
> policies in the wild yet...at least not that I've been able to find.
>
> "ipv6.disable" will be changed to zero when I know how to set the firewall to implement the policies I need to keep 
> other edge networks from disrupting mine.