[ale] IPv6 has NAT, now.

Jim Lynch ale_nospam at fayettedigital.com
Mon Dec 10 15:20:01 EST 2012


On 12/10/2012 12:37 PM, Scott Plante wrote:
> I've done some reading on IPv6 and found a lot about how addressing 
> works and how various commands are modified for IPv6, but I haven't 
> found a good overview of how networks will be set up under IPv6 vs 
> IPv4.  I get that there are a lot of ways you *can* set up networks 
> under v4 or v6, but most v4 networks are set up with 0, 1, or a few 
> public addresses, NAT, and each device getting a private address. Do 
> you envision one predominant scheme for v6 networks? Will it be 
> this--or if not, what?
>
> - Each private network will be allotted a large supply of public addresses
> - DHCP will continue to give out addresses, but now they will be from 
> the supply of public addresses.
> - The firewall will generally allow or deny traffic to these public 
> addresses, rather than translating from a given public address to a 
> private address (for, say, a mail or web server).
> - When you make a request from your PC to a public web server, they 
> would see your one public IPv6 address, rather than the IP of the 
> firewall as they do now. The firewall would allow return traffic from 
> the webserver to this otherwise blocked IP, rather than translating 
> the response back to your private IP as it does now.
> - What about VPN connections?
>
> For servers, do you see assigning one address as its permanent 
> internal address, and another as its "service" address? For example, 
> if we're replacing a mail server, we might currently set up the new 
> server with a new internal address, and at cutover time, just change 
> the firewall to direct the external mail server address to the new 
> mail server's internal address, leaving the old server accessible 
> internally for a while. We could currently just reassign the internal 
> IPs at switchover time. I suppose IPv6 NAT could allow you to pick one 
> address for each service, then NAT it through to a different address 
> that's currently providing that service. You could accomplish the same 
> thing, more or less, by assigning the service address to the device 
> currently providing the service in addition to a separate "permanent" 
> address for the device. Of course, if you plan in advance, you could 
> just bring your DNS TTL down to a short period and change the address 
> there, but that always seems to cause problems.
>
> I guess what I'm asking (and maybe a lot of this is yet to be 
> determined) is has anyone come across a sort of "best practices" guide 
> for setting up IPv6 networks with regard to these kinds of issues?
>
> Scott
> ------------------------------------------------------------------------
>
Great questions.  I've been wondering about the same issues.

Jim.

