Is IPv6 actually desirable? (rfcat_vk)

I've tried to follow rfcat_vk's excellent documentation of the current state of IPv6 in SFOS. And I've been feeling like I'm missing out that my ISP doesn't offer IPv6 (they've said "coming soon" for a year now, maybe more). But the more I look into it, the less benefit I see. I almost don't want it to drop at this point.

It avoids NAT, but NAT doesn't really slow things down and the only IPv4 workaround I'm familiar with that I need is SIP ALG (which in SOFOS appears to work well). With most all critical communications using TLS, it doesn't seem like IPv6 actually adds much for security. In fact, it seems like a security wash in some ways with ICMP becoming so critical to IPv6 working.

It provides a little tracking advantage with the ability to have different, changing IP addresses for each machine that communicates with the outside world. Which is cool.

But at a minimum, I'd have to run the XGS in dual-stack mode indefinitely. For example, I have a VPN and I may need to reach it from an area or an ISP that doesn't provide IPv6, so I'll need IPv4 for that pretty much until IPv4 is turned off in the Western Hemisphere.

My ISP will benefit from IPv6: smaller routing tables, etc. But it really doesn't feel like I have any real draw to get IPv6. An advantage here and there, a new adventure, but pretty much completely balanced out by disadvantages.

What am I not seeing? (Besides my ISP getting IPv6 and setting a deadline after which it won't support IPv4.)

Thanks!



Edited Settings
[edited by: emmosophos at 7:16 PM (GMT -7) on 16 May 2022]
  • Hi Wayne,

    I am not an expert on IPv6.

    The following are my observations as a home user and experimenter. IPv6 has built-in security which IP4 does not have (a search is required for specifics). Your ISP does not need to run CGNAT when using IPv6. My mobile phone provider has migrated to IPv6 only within its network and uses translators (whatever) to provide IP4 traffic to the greater world.

    IPv6 NAT appears to be used when the firewall device does not fully support IPv6 features, compare the UTM with XG for example. Using your example of the VPN, if you have an external address (DNS) then the protocol should be hidden from your user and selected by the connections setup software. When your ISP/RSP moves to tIPv6 only traffic and you are in an IP4 only network then I would expect that your ISP/RSP would have translation gateway into their IPv6 network.

    IPv6 was not designed with a NAT function, this was only added after to accommodate the lazy companies. You can accomodate both NAT and none Nat'ed traffic on your firewall. I haven't worked out how to setup hairpin in IPv6 because I don't have the ability to not use NAT.

    Ian

    Looking at IPv6 from an administrator's point of view, security requirement is a lot more work in configuration and management because your devices end up with at least two real addresses and a link local address unless you use static addressing. User management then comes into play to control access to the internet and application type filtering.

    XG115W - v19 GA - Home

    1225v5 6gb ram, SSID, 4 NICs 20w - v19 EAP - on holiday.

    If a post solves your question please use the 'Verify Answer' button.

  • Doesn’t sound compelling, and It feels like the that last little gasp of IPv4 (like my example of IPv4 remote VPNing into my otherwise entirely IPv6 network) is very complex. So I really want it from the “it’s cool, it’s the future” gut feeling, but it may not happen in my lifetime.

  • In theory your VPN connection would not be an issue because either end would have a IP4 to IPv6 gateway which would be transparent to you.

    Ian

    XG115W - v19 GA - Home

    1225v5 6gb ram, SSID, 4 NICs 20w - v19 EAP - on holiday.

    If a post solves your question please use the 'Verify Answer' button.

  • Probably a bigger issue is the devices that will not work in an ipv6 only environment eg sophos APX, iot devices etc.

    ian 

    XG115W - v19 GA - Home

    1225v5 6gb ram, SSID, 4 NICs 20w - v19 EAP - on holiday.

    If a post solves your question please use the 'Verify Answer' button.

  • I believe transparent can mostly work, but it would involve a CGNAT-ish step by my ISP which I wonder if it would have some of the negative side effects of current IPv4 CGNAT. Maybe not, as long as everything else could bypass that step with direct IPv6.

    I'd have to look more closely at my IoT devices. I've left some of the most primitive behind with a switch to 5GHz WiFi only on the APX. If the APX itself can't handle IPv6, hmmm... on the other hand, Sophos might be aiming for IPv6 to correspond with the new APX's coming up. I will probably upgrade to a WiFi 6e AP next year (though probably only my phone will support the 6GHz at the start).

  • As a followup, I can't resist trying, even though on the whole it looks like IPv6 for home use -- for everyone except someone with multiple servers of the same time -- is probably a slight net negative...

    So I got an IPv6 from Hurricane Electric and 6in4 tunnel to them. It took quite a while to get it working because I did too much: in addition to the tunnel, I also thought I had to do things with the Interface/Gateway. Nope, just needed to set up the tunnel, and everything works.

    Well, I of course had to set up an RA with the /64 that HE gave me, and add the static route (::/0 to the tunnel, which I think is right), and firewall rules to allow traffic, but no NAT (which I guess only applies to gateways, not tunnels). And assign a static IPv6 to my LAN interface.

    Observations so far:

    1. So far I'm finding that you can enter IPv6 IPs in some fields that are wide enough to show only IPv4 addresses, etc. So don't be fooled by the field width.

    2. No GeoIP blocking because no countries defined for IPv6. Not sure if this is possible in the IPv6 world and just not done by Sophos yet, or if it's not possible. Doesn't accomplish that much -- in my experience -- in IPv4 Land, so more of a nit to pick.

    3. Multiple addresses per device and no NAT is elegant. But it's also harder to get my head around how to create things like clientless devices to have rules apply to individual devices. Mainly thinking about things like exempting a particular machine from TLS decryption, or traffic shaping to prioritize a machine, or allowing a particular machine to route to a VLAN that is otherwise off-limits.

    As I understand SLAAC, for example, each device has an link-level IP, and two IPs in the RA prefix: one for "client-like" outbound that changes every 24 hours or so, and one for "server-like" inbound that is, like the link-level, fairly stable.

    So I can see for servers and inbound rules/policies, fairly straightforward to handle either via IP, or name, or clientless user, etc. But that's a tiny minority of my use case. I'm more concerned with outbound stuff, which is going to use unstable (even ephemeral) IPs. Not sure how to manage that at all.

    [EDIT: Cisco's documentation says that the DUID is the lowest-numbered MAC address for the device (if it has multiple interfaces), and it appears the the Sophos DHCPv6 server accepts a MAC address in the DUID field for static addresses. Haven't tested it yet.]

    4. Only been using it less than a day, but so far IPv6 traffic is about 1/3 and IPv4 is about 2/3.

  • Hi Wayne,

    keep experimenting.

    CLientless users require you to setup static IP addressing in the XG DHCP server, then assign the addressing the clientless server tab. The XG DHCP implementation is a bit of a pain because you need to create a new name for each address assignment. Then create a group for the clientless users then assign the the groups in the firewall rules.

    GEIP does work in IP4 but not all the blocked country sites use their home IP addressing, some use servers in Azure etc which becomes a bit os a pain to manage.

    The DUID is a bit of a pain, at least on my XGs because you cannot capture the entire DUID to add to the static address assignment.

    Ian

    XG115W - v19 GA - Home

    1225v5 6gb ram, SSID, 4 NICs 20w - v19 EAP - on holiday.

    If a post solves your question please use the 'Verify Answer' button.

  • Clientless users also work with SLAAC -- if you care only about incoming -- if you get the stable IPv6 address and enter that in the clientless user table. That doesn't catch the dynamic (outgoing) addresses, which is actually more important to me.

    Do you know how the DHCPv6 assignments (dynamic & static) interact with the client to give both stable and temporary (global, routable) IPv6 addresses? That is, does it totally replace SLAAC above the link-level (which I assume still get's generated by SLAAC)?

    Also, I would suggest that Sophos implement a checkbox for dynamic DHCPv6 such that it randomly selects addresses from within the dynamic range (that are not already used). It one-up numbers them as DHCPv4 does, but dynamic DHCPv4 addresses are mostly hidden by NAT, while dynamic DHCPv6 addresses will be visible to the outside world and if you want to make scanning harder, they should scatter around the range randomly.

    The only saving grace of the DUID display is that the last octet is simply the first octet of the MAC, which is in the previous column. So you can piece it together from the two halves, but...

  • I'm also interested to see if anyone suggests something compelling that I've 'missed'

    I still see it as primarily a solution to deal with running out of IPv4 addresses. I just want to be able to switch over 'overnight' from IPv4 to IPv6 and not have to mess around with supporting a dual environment but so much is clearly not ready.

    i sometimes enjoy playing with the bleeding edge of technology. This is one area where I'll stay well clear until I'm forced to or all the players have their act together.

  • The current versions of XG cannot run on IPv6 only, when I last used a UTM, you could run on IPv6 only.

    IPv6 is not bleeding edge, it is over 20 years old eg older than the XG concept.

    Ian

    XG115W - v19 GA - Home

    1225v5 6gb ram, SSID, 4 NICs 20w - v19 EAP - on holiday.

    If a post solves your question please use the 'Verify Answer' button.