
Is IPv6 actually desirable? (rfcat_vk)

I've tried to follow rfcat_vk's excellent documentation of the current state of IPv6 in SFOS. And I've been feeling like I'm missing out that my ISP doesn't offer IPv6 (they've said "coming soon" for a year now, maybe more). But the more I look into it, the less benefit I see. I almost don't want it to drop at this point.

It avoids NAT, but NAT doesn't really slow things down and the only IPv4 workaround I'm familiar with that I need is SIP ALG (which in SFOS appears to work well). With almost all critical communications using TLS, it doesn't seem like IPv6 actually adds much for security. In fact, it seems like a security wash in some ways with ICMP becoming so critical to IPv6 working.

It provides a little tracking advantage with the ability to have different, changing IP addresses for each machine that communicates with the outside world. Which is cool.

But at a minimum, I'd have to run the XGS in dual-stack mode indefinitely. For example, I have a VPN and I may need to reach it from an area or an ISP that doesn't provide IPv6, so I'll need IPv4 for that pretty much until IPv4 is turned off in the Western Hemisphere.

My ISP will benefit from IPv6: smaller routing tables, etc. But it really doesn't feel like I have any real draw to get IPv6. An advantage here and there, a new adventure, but pretty much completely balanced out by disadvantages.

What am I not seeing? (Besides my ISP getting IPv6 and setting a deadline after which it won't support IPv4.)

Thanks!
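On the point that ICMP becomes critical under IPv6: an IPv4-era habit of dropping all ICMP silently breaks Neighbor Discovery and Path MTU Discovery on IPv6. The following is an added example, not from this thread or from Sophos, that audits a constructed, ip6tables-like rule list against the ICMPv6 types IPv6 cannot function without (type numbers per RFC 4443 and RFC 4861; the selection mirrors the must-not-drop classes in RFC 4890). The rule syntax and the first-match semantics are assumptions made for the example.

```python
"""Audit a simplified ICMPv6 filter for the types IPv6 needs to work at all."""
import re

# ICMPv6 types an IPv6 host or router cannot function without.
ESSENTIAL = {
    1: "destination-unreachable",
    2: "packet-too-big",            # PMTUD: IPv6 routers never fragment, so this is mandatory
    3: "time-exceeded",
    4: "parameter-problem",
    133: "router-solicitation",     # Neighbor Discovery (RFC 4861) replaces ARP and DHCP-style
    134: "router-advertisement",    # router learning; dropping these breaks address resolution
    135: "neighbor-solicitation",
    136: "neighbor-advertisement",
}

# Constructed rule syntax: 'ACCEPT icmpv6 type 135' or 'DROP icmpv6' (matches every type).
RULE_RE = re.compile(r"^(ACCEPT|DROP)\s+icmpv6(?:\s+type\s+(\d+))?$")

def parse_rules(text):
    """Parse one rule per line into (action, type-or-None) tuples, in order."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        action, typ = m.group(1), m.group(2)
        rules.append((action, int(typ) if typ is not None else None))
    return rules

def verdict(rules, icmp_type, default="DROP"):
    """First matching rule decides; a rule without a type matches every type."""
    for action, typ in rules:
        if typ is None or typ == icmp_type:
            return action
    return default

def dropped_essentials(rules, default="DROP"):
    """Essential ICMPv6 types this policy would drop, sorted by type number."""
    return sorted(t for t in ESSENTIAL if verdict(rules, t, default) == "DROP")

# Constructed rulesets: the IPv4 habit ('drop all ICMP') and an explicit allow-list.
IPV4_HABIT = "DROP icmpv6\n"
ALLOW_LIST = "\n".join(f"ACCEPT icmpv6 type {t}" for t in ESSENTIAL) + \
    "\nACCEPT icmpv6 type 128\nDROP icmpv6\n"   # 128 = echo request, allowed for diagnostics

if __name__ == "__main__":
    for name, rs in (("ipv4-habit", IPV4_HABIT), ("allow-list", ALLOW_LIST)):
        bad = dropped_essentials(parse_rules(rs))
        print(f"{name}: drops essential ICMPv6 types {bad or 'none'}")
```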



  • Hi Wayne,

    I am not an expert on IPv6.

    The following are my observations as a home user and experimenter. IPv6 has built-in security which IPv4 does not have (a search is required for specifics). Your ISP does not need to run CGNAT when using IPv6. My mobile phone provider has migrated to IPv6 only within its network and uses translators (whatever) to provide IPv4 traffic to the greater world.

    IPv6 NAT appears to be used when the firewall device does not fully support IPv6 features; compare the UTM with XG, for example. Using your example of the VPN, if you have an external address (DNS) then the protocol should be hidden from your user and selected by the connection setup software. When your ISP/RSP moves to IPv6-only traffic and you are in an IPv4-only network, then I would expect that your ISP/RSP would have a translation gateway into their IPv6 network.

    IPv6 was not designed with a NAT function; this was only added afterwards to accommodate the lazy companies. You can accommodate both NATed and non-NATed traffic on your firewall. I haven't worked out how to set up hairpin in IPv6 because I don't have the ability to not use NAT.

    Ian

    Looking at IPv6 from an administrator's point of view, the security requirement is a lot more work in configuration and management because your devices end up with at least two real addresses and a link-local address unless you use static addressing. User management then comes into play to control access to the internet and application-type filtering.

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Doesn't sound compelling, and it feels like that last little gasp of IPv4 (like my example of IPv4 remote VPNing into my otherwise entirely IPv6 network) is very complex. So I really want it from the "it's cool, it's the future" gut feeling, but it may not happen in my lifetime.

  • In theory your VPN connection would not be an issue because either end would have an IPv4 to IPv6 gateway which would be transparent to you.

    Ian

  • Probably a bigger issue is the devices that will not work in an IPv6-only environment, e.g. Sophos APX, IoT devices, etc.

    Ian

  • I believe transparent can mostly work, but it would involve a CGNAT-ish step by my ISP, and I wonder whether it would have some of the negative side effects of current IPv4 CGNAT. Maybe not, as long as everything else could bypass that step with direct IPv6.

    I'd have to look more closely at my IoT devices. I've left some of the most primitive behind with a switch to 5 GHz WiFi only on the APX. If the APX itself can't handle IPv6, hmmm... on the other hand, Sophos might be aiming for IPv6 to correspond with the new APXs coming up. I will probably upgrade to a WiFi 6E AP next year (though probably only my phone will support the 6 GHz band at the start).