nanog mailing list archives

Re: IPv6 - a noob's perspective


From: Owen DeLong <owen () delong com>
Date: Wed, 9 Feb 2011 04:08:22 -0800


On Feb 9, 2011, at 3:00 AM, Robert Lusby wrote:

> As part of my role, I'm responsible for a small (20 - 25 machine) network
> in the UK.
>
> When it comes to IPv6 I'm a complete noob. So ok - this is how I stand for
> IPv6:
>
> I "get" IPv4, I get NAT, I get why it's needed, and I get why it's evil.
>
> I know my IPv4 network inside and out, how DHCP runs and assigns addresses,
> how that ties in with our VPN, how everything gets channeled via the NAT to
> our ISP etc ...
>
> I also get why we need IPv6, that it means removing the NAT (which, surprise
> surprise also runs our Firewall), and that I might need new kit for it.

Well, I'll question that a little bit.

I think your Firewall, in addition to translating addresses (NAT) also filters
packets. Would that, perhaps, be a more accurate description?

Most firewalls (other than trivial home gateways) can do all the stateful inspection
(the actual packet filtering and state-table stuff) without having to do NAT.

If it supports IPv6 at all, it should be ready to do that without needing new kit.

If it doesn't support IPv6 at all, then, yes, you needed new kit anyway, no?

Personally, I'm pretty happy with the SRX-series kit from Juniper. It's pretty
inexpensive and has most of the IPv6 features you are likely to need, including
stateful inspection without NAT for IPv6 and with NAT for IPv4.

> I am however *terrified* of making that move. There are so many new phrases,
> words, things to think about etc.
>
> I want to, I'm keen to, and I know we have to, move to IPv6 - but at the
> moment it just seems so complicated - not least without affecting any IPv4
> stuff.

Build a test lab and start experimenting. You'll find that for the most part, it's
just 96 more bits and very little magic.

Owen
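
Added example, not part of the original message and not taken from any vendor's configuration: an nftables ruleset for a Linux router sketching the split described above, stateful filtering for both address families with NAT applied to IPv4 only. The interface names lan0 and wan0 are assumptions, and only forwarded traffic is covered (the router's own input chain is left out).

```nft
#!/usr/sbin/nft -f
# Constructed example. "lan0" (inside) and "wan0" (ISP side) are assumed names.
flush ruleset

define LAN = "lan0"
define WAN = "wan0"

# One stateful filter for IPv4 and IPv6. No address translation happens here.
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to flows already in the state table. ICMP/ICMPv6 errors
        # tied to a tracked flow (e.g. packet-too-big) match "related".
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may open new connections outward, v4 and v6 alike.
        iifname $LAN oifname $WAN ct state new accept

        # Unsolicited traffic from outside matches nothing above and is
        # dropped by the chain policy, even though IPv6 hosts on the LAN
        # hold globally routable addresses.
    }
}

# NAT lives in an IPv4-only table. There is no ip6 NAT table, so IPv6
# packets are filtered by the chain above and forwarded untranslated.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```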


