ctgreybeard (Old dogs can learn new tricks) | Premium, joined 2001-11-13, Bethel, CT | reply to magamiako
Re: [IPv6] Benefits of IPv6
Hmm, I guess I'm not understanding IPv6 as well as I thought I was. Can you explain why /64 is less than sufficient? Wouldn't all your systems share the same /64 happily?
-- Old dogs can learn new tricks!
magamiako | Easy:
In my virtualized environments typically I'll be testing things such as DHCPv6, Dynamic DNS updates, and general Microsoft-related things with IPv6 moving forward.
Unfortunately, my home LAN uses SLAAC, which directly conflicts with the DHCP model. Because I don't want to uproot the entire home LAN to handle my often temporary VM networks, I have to use another subnet to make that happen.
This is pretty standard behavior even in IPv4. If you build a Microsoft DHCP/DNS/AD environment out you'll encounter conflicts with the broadcasts. In IPv6's case, it's conflicts with the router advertisements and host configuration.
Under current VM solutions NAT is usually used to solve this purpose. You either use the built-in NAT for the product or you'll configure a single device to act as a NAT router with 1 bridged adapter and 1 host-only adapter.
Under IPv6 you really can't/shouldn't be using NAT and should limit its usage to as little as possible as there's really no need anymore. NAT was used to help mitigate the shortage of IPv4 addresses by allowing you to use all internal IP addressing while sharing comparatively fewer publicly routable IPv4 addresses.
This requires having more than a single /64 available to you.
Keep in mind: Many things break if you go below a /64 per subnet. IPv6 is NOT designed to do something like a /80, or /96, or anything of that nature.
magamiako | NAT also causes more problems than it's worth.
What do you do, for example, with the fact that nearly every home device leverages a 192.168.1.0/24 subnet and you want to use VPNs to connect two networks that share this subnet and the services you want to share don't play well with NAT?
Say I've got 2 small business networks with MS AD and I want to merge them to make management and authentication easier? But both offices had the "local tech guy" come install your typical Linksys device?
With properly routable IPv6 GUA or even ULA space this becomes a non-issue. As of right now the above scenario requires re-IPing the LANs to make them more compatible. It's a problem very specific to the implementation of NAT, because every individual device will always assume it's the only network ever to exist.
This scenario works for a whole lot of homes and businesses, but not for any, and makes merging them require far more effort than it would take in a proper v6 world.
AVonGauss | Premium, joined 2007-11-01, Boynton Beach, FL | reply to magamiako
said by magamiako:
> Easy:
> In my virtualized environments typically I'll be testing things such as DHCPv6, Dynamic DNS updates, and general Microsoft-related things with IPv6 moving forward.
> Unfortunately, my home LAN uses SLAAC, which directly conflicts with the DHCP model. Because I don't want to uproot the entire home LAN to handle my often temporary VM networks, I have to use another subnet to make that happen.
> This is pretty standard behavior even in IPv4. If you build a Microsoft DHCP/DNS/AD environment out you'll encounter conflicts with the broadcasts. In IPv6's case, it's conflicts with the router advertisements and host configuration.
> Under current VM solutions NAT is usually used to solve this purpose. You either use the built-in NAT for the product or you'll configure a single device to act as a NAT router with 1 bridged adapter and 1 host-only adapter.
> Under IPv6 you really can't/shouldn't be using NAT and should limit its usage to as little as possible as there's really no need anymore. NAT was used to help mitigate the shortage of IPv4 addresses by allowing you to use all internal IP addressing while sharing comparatively fewer publicly routable IPv4 addresses.
> This requires having more than a single /64 available to you.
> Keep in mind: Many things break if you go below a /64 per subnet. IPv6 is NOT designed to do something like a /80, or /96, or anything of that nature.

Maybe I'm just tired, but I'm not sure these are good examples of why you would need or would use a larger routable address space than a /64, especially on a residential account. From what you are describing, it would seem like you would want two independent networks, one real and one virtual; in VMware lingo this is a private network or host-only network. If more than one virtualization host is in use, you would need to have two NICs in the host.
ctgreybeard (Old dogs can learn new tricks) | Premium, joined 2001-11-13, Bethel, CT | reply to magamiako
OK, I think I understand better. I think I have an "advanced" home network but I don't do any subnetting or network testing. Well, rarely in any case. I do run VMs but they are bridged to the main network with DHCP rather than on any subnet. So, for me, a /64 should be fine, right? Each host device (even virtual) will have its own unique address on my /64. So when I run Windows 7 under Parallels it will have a reachable IPv6 address on the 'net based off my /64? No NAT.
Are there any complications that a similar home network setup could run into on a /64? Seems like Comcast could offer a /60 for those with minimal needs and less(more?) for others. It seems like a /64 would be fine for the great majority of home networks. Are there arguments against this?
One does wonder where pricing fits into this.
-- Old dogs can learn new tricks!
magamiako | reply to AVonGauss
Yes, you could use ULA instead of GUA for some of my tests, but this still doesn't solve the need that my hosts and testing MAY need internet access.
Remember, no NAT.
AVonGauss | Premium, joined 2007-11-01, Boynton Beach, FL | reply to magamiako
said by magamiako:
> NAT also causes more problems than it's worth.
> What do you do, for example, with the fact that nearly every home device leverages a 192.168.1.0/24 subnet and you want to use VPNs to connect two networks that share this subnet and the services you want to share don't play well with NAT?
> Say I've got 2 small business networks with MS AD and I want to merge them to make management and authentication easier? But both offices had the "local tech guy" come install your typical Linksys device?
> With properly routable IPv6 GUA or even ULA space this becomes a non-issue. As of right now the above scenario requires re-IPing the LANs to make them more compatible. It's a problem very specific to the implementation of NAT, because every individual device will always assume it's the only network ever to exist.
> This scenario works for a whole lot of homes and businesses, but not for any, and makes merging them require far more effort than it would take in a proper v6 world.

Almost every address in an IPv6 world is globally routable. Two small satellite offices, each with their own /64 allocation from their ISP, could simply talk directly if no firewall prevents this (scary), or a link similar to a VPN bridge could be established to provide a private route between the two locations.
ctgreybeard (Old dogs can learn new tricks) | Premium, joined 2001-11-13, Bethel, CT | reply to AVonGauss
said by AVonGauss:
> Maybe I'm just tired, but I'm not sure these are good examples of why you would need or would use a larger routable address space than a /64, especially on a residential account. From what you are describing, it would seem like you would want two independent networks, one real and one virtual; in VMware lingo this is a private network or host-only network. If more than one virtualization host is in use, you would need to have two NICs in the host.

I think he's talking about having a local subnet structure. If I understand the argument ... most home networks all exist on a single subnet (192.168.2.0/24 or some such) with the equivalent IPv6, but if you want to do router testing, network isolation, whatever, then an IPv6 /64 won't allow that. Or, at least, is discouraged.
-- Old dogs can learn new tricks!
AVonGauss | Premium, joined 2007-11-01, Boynton Beach, FL
With examples such as DHCP used, I'm really thinking he wants (and probably has) effectively a host-only network setup today, and that would also be what he would want in an IPv6 world.
magamiako | reply to ctgreybeard
Yeah, this works, but imagine situations in the more "connected" home? Technology is expanding outward from where they were before. What you think is "more than enough" now may not be more than enough in the future.
Perhaps I want a home security system in my house with all IP-connected cameras? Maybe I don't want the cameras easily discovered? Perhaps the cameras need a different set of configuration requirements than the PC devices in your home?
What about embedded systems and smart homes? Do you really want all of the lights and ventilation systems on the same network as your tablets and your laptops? You'll still want a system to be reachable, of course, which means you'll need SOME sort of IP-enabled device.
»www.nxp.com/campaigns/greenchip/···lighting IP enabled light bulbs.
| reply to AVonGauss
In the proposed IPv6 world, yes... but there are quite a few that are pushing for NAT because it's "all they know"...
NAT obscures the need to have multiple routed private networks by allowing you to simply mask networks behind individual host addresses.
Remove that obscurity and now you have a need for multiple routed networks in the IPv6 world, which is what I was getting at.
AVonGauss | Premium, joined 2007-11-01, Boynton Beach, FL | reply to magamiako
Why would I want security cameras, smart home devices or other IP-enabled devices to have a separately globally routable network (not address, network) in a home environment? People want to just plug it in or attach it to their wireless network and have it just work; most can't even be bothered to change their wireless SSID or establish a password.
magamiako | Globally routed does not mean globally reachable, but it *could* mean that, if you wanted it so.
Perhaps said infrastructure does automatic firmware updates? Perhaps it's controlled by a controller box that needs to reach the internet for updates?
Who knows. Perhaps you want to be able to sit at the office and rotate a camera around to monitor a different area of your driveway?
I don't know, the applications and possibilities are endless.
The same could be said about mobile devices. Why the hell would you carry around a device that allows you to access work-related e-mail from anywhere?
It's all in a matter of thinking here... And our networking infrastructure SHOULD NOT be limited by people's inability to see the future of network attached devices.
magamiako | Long story short, this is why I chose the virtualization example earlier. I need those devices to be able to connect to the internet, whether it be for security and patch updates, to testing entire OS upgrades. Because of that, those devices need a routed address.
Which means I need that network for the VMs to be GUA, pulled directly from my /48(/56?) from my ISP, otherwise those devices won't ever be able to access the internet.
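The thread keeps coming back to two numbers: a /64 is the smallest subnet SLAAC can run on (the interface identifier is 64 bits), and a /56 or /48 delegation is what gives you room for more than one of them. The planner below is an added example, not code from the thread or from any of the posters; it uses the documentation prefix 2001:db8::/32 and the segment names "lan", "vm" and "iot" as constructed assumptions. It counts the /64s in a delegation, hands one to each segment, refuses anything longer than /64, and derives a modified EUI-64 SLAAC address from a MAC so the 64-bit split is visible.

```python
"""IPv6 delegation planner (added example; prefixes and segment names are constructed)."""
from ipaddress import IPv6Address, IPv6Network, ip_network

SLAAC_PREFIX_LEN = 64  # RFC 4291 / RFC 4862: the interface identifier is 64 bits wide


def subnet_count(delegation: str) -> int:
    """Number of /64 subnets in a delegated prefix: /64 -> 1, /56 -> 256, /48 -> 65536."""
    net = ip_network(delegation, strict=True)
    if net.prefixlen > SLAAC_PREFIX_LEN:
        # A /80 or /96 leaves fewer than 64 bits for the interface identifier.
        raise ValueError(f"{net} is longer than a /64; SLAAC cannot run on it")
    return 2 ** (SLAAC_PREFIX_LEN - net.prefixlen)


def carve(delegation: str, segments: list[str]) -> dict[str, IPv6Network]:
    """Assign one /64 per named segment, in order, from the delegation."""
    net = ip_network(delegation, strict=True)
    available = subnet_count(delegation)  # also rejects prefixes longer than /64
    if len(segments) > available:
        raise ValueError(f"{net} holds {available} /64 subnet(s); {len(segments)} requested")
    pool = net.subnets(new_prefix=SLAAC_PREFIX_LEN)  # yields the /64 itself when net is a /64
    return {name: next(pool) for name in segments}


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 Appendix A): flip the U/L bit, insert ff:fe in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def slaac_address(subnet: IPv6Network, mac: str) -> IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface identifier, as SLAAC does."""
    if subnet.prefixlen != SLAAC_PREFIX_LEN:
        raise ValueError(f"SLAAC needs a /64, got {subnet}")
    return IPv6Address(int(subnet.network_address) | eui64_interface_id(mac))


if __name__ == "__main__":
    # Constructed delegation: a /56 from the documentation range.
    plan = carve("2001:db8:1234:ab00::/56", ["lan", "vm", "iot"])
    for name, net in plan.items():
        print(f"{name:4} {net}")
    print("vm host:", slaac_address(plan["vm"], "00:11:22:33:44:55"))
    print("/56 holds", subnet_count("2001:db8:1234:ab00::/56"), "subnets")
```

Asking `carve` for two segments out of a single /64 raises, which is the practical form of "many things break if you go below a /64 per subnet": there is no second subnet to give out without stealing interface-identifier bits.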
AVonGauss | Premium, joined 2007-11-01, Boynton Beach, FL | reply to magamiako
said by magamiako:
> Globally routed does not mean globally reachable, but it *could* mean that, if you wanted it so.
> Perhaps said infrastructure does automatic firmware updates? Perhaps it's controlled by a controller box that needs to reach the internet for updates?
> Who knows. Perhaps you want to be able to sit at the office and rotate a camera around to monitor a different area of your driveway?
> I don't know, the applications and possibilities are endless.
> The same could be said about mobile devices. Why the hell would you carry around a device that allows you to access work-related e-mail from anywhere?
> It's all in a matter of thinking here... And our networking infrastructure SHOULD NOT be limited by people's inability to see the future of network attached devices.

I'm all for being flexible and even overbuilding, but we're talking about an allocation (/64) for one residence that has more IP addresses than the entire current IPv4 Internet. That's a lot of gadgets and smart devices per household.
| Again, it comes down to the configuration and whether or not you want to firewall the networks from each other.
Under your model every device would be treated equally under a firewall. Remember, firewalls control access between networks, not devices. Are you also going to build manageable firewalls into every single one of your devices?
So if you don't want the lights to be "globally reachable" from unsolicited incoming connections, but still need said devices to reach the internet *for any reason*, you need to be able to divide your networks up, drop a firewall in between them, and have at it.
AVonGauss | Premium, joined 2007-11-01, Boynton Beach, FL
A central firewall (i.e. right after the cable modem) can control access by device just as easily as it can by "network". Besides, I doubt you want to totally isolate those "smart lights"; I may just want to control them from my "smart phone".
While I'm sure plenty of intelligent discussions have taken place behind closed doors at companies like Cisco, Netgear and Comcast, I have not personally seen a good strategy presented for implementing IPv6 security in consumer targeted gateways and routers. The mechanics are simple, but the presentation is difficult, because on one hand you don't want to allow anything unexpected, but at the same time you want the plug and play capability.
magamiako | This is assuming you want to statically assign every single device.
The mechanics have been implemented for years.
Implementing security in those devices *already exists*. Cisco and Juniper have had IPv6-capable devices for many years. I power my network with a Juniper SSG5, and before that I had a NetScreen 5GT (EOL'd in 2009) that had full IPv6 security and capabilities.
In fact, implementing proper security is easier than implementing NAT solutions.
Regardless, this conversation is pointless to move forward until you read up on CCNA and JNCIA-Security certs.
I'm not reinventing the wheel here. The knowledge I'm explaining is *very* basic network design and management, and it's already been implemented. There is no real fundamental difference between v4 and v6 network design from a routing perspective EXCEPT the reduction in the usage of NAT technologies.
| reply to AVonGauss
said by AVonGauss:
> I have not personally seen a good strategy presented for implementing IPv6 security in consumer targeted gateways and routers.

IPv6 Simple Security for Residential CPE: »tools.ietf.org/html/rfc6092
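Two posts above describe the design in words: carve the delegation into /64s, put the lights and the lab VMs on their own segments, and let a firewall between the segments allow what each one may initiate while dropping unsolicited inbound connections, which is also the default posture RFC 6092 describes for residential CPE. The model below is an added example, not code from the thread, from RFC 6092, or from any vendor's product; the segment prefixes (documentation range), the rule table, and the sample flows are all constructed. It keys policy on the pair of segments a flow crosses (a rule table keyed on individual addresses, as in the "by device" counter-argument, would slot into the same structure), and tracks connection state so return traffic is accepted without opening the lights to the internet.

```python
"""Segment-level stateful filter between /64s (added example; all data is constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed plan: three /64s carved from a documentation-range /56 delegation.
SEGMENTS = {
    "lan": ip_network("2001:db8:1234:ab00::/64"),  # PCs, phones
    "vm":  ip_network("2001:db8:1234:ab01::/64"),  # lab VMs, GUA so they can reach the internet
    "iot": ip_network("2001:db8:1234:ab02::/64"),  # lights, cameras
}

# Who may open a connection to whom, and on which service.  "*" means any
# protocol/port; a missing pair is denied.  No ("internet", ...) entries exist,
# so unsolicited inbound connections are dropped by default; replies are
# admitted by connection state instead.
NEW_CONNECTION_RULES = {
    ("lan", "internet"): "*",
    ("vm", "internet"): "*",
    ("lan", "vm"): "*",
    ("lan", "iot"): {("tcp", 443)},       # phone controls the lights
    ("iot", "internet"): {("tcp", 443)},  # firmware updates only
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def segment_of(addr: str) -> str:
    """Map an address to its segment name; anything outside the plan is 'internet'."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internet"


class StatefulFilter:
    """Minimal connection tracking keyed on the 5-tuple (no timeouts, for clarity)."""

    def __init__(self) -> None:
        self.state: set[tuple] = set()

    @staticmethod
    def _key(f: Flow) -> tuple:
        return (f.src, f.dst, f.proto, f.sport, f.dport)

    @staticmethod
    def _reverse(f: Flow) -> tuple:
        return (f.dst, f.src, f.proto, f.dport, f.sport)

    def decide(self, f: Flow) -> str:
        # Established traffic in either direction passes without consulting the rules.
        if self._key(f) in self.state or self._reverse(f) in self.state:
            return "ACCEPT-ESTABLISHED"
        allowed = NEW_CONNECTION_RULES.get((segment_of(f.src), segment_of(f.dst)))
        if allowed == "*" or (allowed is not None and (f.proto, f.dport) in allowed):
            self.state.add(self._key(f))
            return "ACCEPT-NEW"
        return "DROP"


def run(flows):
    """Evaluate flows in order with a fresh filter; returns one verdict per flow."""
    fw = StatefulFilter()
    return [fw.decide(f) for f in flows]


# Constructed traffic sample; order matters because state builds up as it runs.
SAMPLE_FLOWS = [
    Flow("2001:db8:1234:ab00::10", "2001:db8:1234:ab02::77", "tcp", 50000, 443),  # phone -> light
    Flow("2001:db8:1234:ab02::77", "2001:db8:1234:ab00::10", "tcp", 443, 50000),  # light replies
    Flow("2001:db8:1234:ab02::77", "2001:db8:ffff::1", "tcp", 40001, 443),        # light fetches firmware
    Flow("2001:db8:ffff::9", "2001:db8:1234:ab02::77", "tcp", 4444, 23),          # internet -> light, unsolicited
    Flow("2001:db8:1234:ab02::77", "2001:db8:1234:ab00::20", "tcp", 40002, 445),  # light -> LAN PC
    Flow("2001:db8:ffff::9", "2001:db8:1234:ab01::5", "tcp", 4445, 22),           # internet -> VM, unsolicited
    Flow("2001:db8:1234:ab01::5", "2001:db8:ffff::53", "udp", 40003, 53),         # VM -> DNS
]

if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, run(SAMPLE_FLOWS)):
        print(f"{segment_of(flow.src):8} -> {segment_of(flow.dst):8} "
              f"{flow.proto}/{flow.dport:<5} {verdict}")
```

The light's reply to the phone and its own outbound update fetch both pass, while the inbound telnet attempt and the light's attempt to reach a LAN PC are dropped: the segment boundary is what makes "reachable for updates" and "not reachable from the outside" simultaneously true.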
AVonGauss | Premium, joined 2007-11-01, Boynton Beach, FL | reply to magamiako
said by magamiako:
> This is assuming you want to statically assign every single device.
> The mechanics have been implemented for years.

There is no need to statically assign anything.

said by magamiako:
> Implementing security in those devices *already exists*. Cisco and Juniper have had IPv6-capable devices for many years. I power my network with a Juniper SSG5, and before that I had a NetScreen 5GT (EOL'd in 2009) that had full IPv6 security and capabilities.

This would be a typical home gateway? I can run down to my local Walmart, Best Buy or Office Depot and pick one up?

said by magamiako:
> In fact, implementing proper security is easier than implementing NAT solutions.

Agreed, but you don't need a /56 in an IPv6 world to implement proper security either. You're wanting to tinker, and that's okay, but you don't need it for the tinkering you want to do.

said by magamiako:
> Regardless, this conversation is pointless to move forward until you read up on CCNA and JNCIA-Security certs.

Before throwing rocks, you may want to read back on some of your posts in this thread.

said by magamiako:
> I'm not reinventing the wheel here. The knowledge I'm explaining is *very* basic network design and management, and it's already been implemented. There is no real fundamental difference between v4 and v6 network design from a routing perspective EXCEPT the reduction in the usage of NAT technologies.

I will generally agree to this, but let's bring it back to the discussion at hand, which was the differences in deployment of IPv4 vs IPv6 by an ISP to a residential subscriber or even a small business (less than 50 employees). You were saying you needed a larger allocation, such as a /56, presumably to do certain things, and when asked such as what we started to have a bit of a discussion.