[OpenIndiana-discuss] How to deal with IPV4/6 as a router

[Kristoff Bonne]

Hi Gary,



On 06-06-12 21:29, Gary Gendel wrote:
> My Home OI box currently serves as my router/gateway to my ISP.
>
> Under IPV4 I have
>
> Cable Modem <-> bge0 <-> ipfilter/nat <-> bge1 <-> network.
>
> My ISP has turned on IPV6 and I can get as many addresses as I want.  
> However, some of my devices aren't ipv6 capable so I have to deal with 
> a mix of ipv4 and ipv6 addresses until these are retired.
> I turned on ipv6 on bge0 and have both an ipv4 and ipv6 address.  I 
> also can run the ipv6 test (test-ipv6.com) perfectly.
>
> The question is: How do I set up things so it works with my internal 
> devices?  It seems that All I want to do is to leave the ipv4 setup as 
> I have it now and pass all ipv6 packets (discovery, etc.) from bge0 to 
> bge1 (and visa versa).  This way my ISP will provide ipv6 addresses to 
> those devices that ask for one.
Normal "procedure" for IPv6 (at least as proposed by the RIPE for its 
region) is to provide a /64 for the link between the ISP and the CPE 
(customer router) and a /56 or a /48 to the customer for her own network.

If you have a DSL connection, the information of your network is 
provided over PPPoE, but I don't know how it is done over an ethernet 
modem. Ask your ISP what is your private LAN.


I would not advice simply bridging all traffic between the two networks 
as -unless you have a firewall that can inspect bridged ipv6 traffic- 
you place all your ipv6 enabled devices unprotected on the internet.

In the logic of ipv6 (actually, the logic of the internet before it got 
"corrupted" by NAT :-) ), all hosts have a globally unique IP-address 
(so are "addressable") but that does not mean they should be "accessable".
Either you must then install a firewall on your router, or you must rely 
on the security in the device.

As for a lot of devices you have no idea of the software or 
network-firmware is to be trusted, it is adviced to use a firewall on 
the edge of your network that -by default- blocks all incoming traffic, 
except for return traffic of an outgoing stream or towards anything you 
explicitely accept.




> Or should I provide a "private" ipv6 address space for my LAN? This 
> doesn't seem to be in the spirit of ipv6, but it will provide me more 
> firewall control of traffic in and out of the network and provide 
> "static" addresses to my hosts.
You can, but then you would need to do ipv6 NAT on your router for them 
to access the network.


However, what you can do (and what I also do) it to provide both global 
ip-addresses and "Unique Local" (ipv6 speak for "private" addresses, 
e.g. fc00::/64) to your devices. That way, your devices then have both a 
kinds of address.
You can then set up firewall rules in your devices that you provide 
access to certain services only from fc00::// addresses, but not from an 
IP-address that comes from outside your own network.


Anycase, another reason to set up a RADVD server to hand out 
Unique-local addresses is to have an idea exactly what devices on your 
network actually are ipv6 enabled and which are not. Sniff your network 
from your router-box and look what devices do respond to the router 
advertisement messages! (normally, they should do duplicate address 
queries for their address to make sure nobody else if already using that 
address).


> Gary
Cheerio! Kr. Bonne.