
Is IPv6 actually desirable? (rfcat_vk)

I've tried to follow rfcat_vk's excellent documentation of the current state of IPv6 in SFOS. And I've been feeling like I'm missing out that my ISP doesn't offer IPv6 (they've said "coming soon" for a year now, maybe more). But the more I look into it, the less benefit I see. I almost don't want it to drop at this point.

It avoids NAT, but NAT doesn't really slow things down and the only IPv4 workaround I'm familiar with that I need is SIP ALG (which in SFOS appears to work well). With most all critical communications using TLS, it doesn't seem like IPv6 actually adds much for security. In fact, it seems like a security wash in some ways with ICMP becoming so critical to IPv6 working.

It provides a little tracking advantage with the ability to have different, changing IP addresses for each machine that communicates with the outside world. Which is cool.

But at a minimum, I'd have to run the XGS in dual-stack mode indefinitely. For example, I have a VPN and I may need to reach it from an area or an ISP that doesn't provide IPv6, so I'll need IPv4 for that pretty much until IPv4 is turned off in the Western Hemisphere.

My ISP will benefit from IPv6: smaller routing tables, etc. But it really doesn't feel like I have any real draw to get IPv6. An advantage here and there, a new adventure, but pretty much completely balanced out by disadvantages.

What am I not seeing? (Besides my ISP getting IPv6 and setting a deadline after which it won't support IPv4.)

Thanks!



  • Hi Wayne,

    I am not an expert on IPv6.

    The following are my observations as a home user and experimenter. IPv6 has built-in security which IP4 does not have (a search is required for specifics). Your ISP does not need to run CGNAT when using IPv6. My mobile phone provider has migrated to IPv6 only within its network and uses translators (whatever) to provide IP4 traffic to the greater world.

    IPv6 NAT appears to be used when the firewall device does not fully support IPv6 features, compare the UTM with XG for example. Using your example of the VPN, if you have an external address (DNS) then the protocol should be hidden from your user and selected by the connection's setup software. When your ISP/RSP moves to IPv6 only traffic and you are in an IP4 only network then I would expect that your ISP/RSP would have a translation gateway into their IPv6 network.

    IPv6 was not designed with a NAT function, this was only added after to accommodate the lazy companies. You can accommodate both NAT and non-NAT'ed traffic on your firewall. I haven't worked out how to set up hairpin in IPv6 because I don't have the ability to not use NAT.

    Ian

    Looking at IPv6 from an administrator's point of view, the security requirement is a lot more work in configuration and management because your devices end up with at least two real addresses and a link local address unless you use static addressing. User management then comes into play to control access to the internet and application type filtering.

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • As a followup, I can't resist trying, even though on the whole it looks like IPv6 for home use -- for everyone except someone with multiple servers of the same type -- is probably a slight net negative...

    So I got an IPv6 from Hurricane Electric and a 6in4 tunnel to them. It took quite a while to get it working because I did too much: in addition to the tunnel, I also thought I had to do things with the Interface/Gateway. Nope, just needed to set up the tunnel, and everything works.

    Well, I of course had to set up an RA with the /64 that HE gave me, and add the static route (::/0 to the tunnel, which I think is right), and firewall rules to allow traffic, but no NAT (which I guess only applies to gateways, not tunnels). And assign a static IPv6 to my LAN interface.

    Observations so far:

    1. So far I'm finding that you can enter IPv6 IPs in some fields that are wide enough to show only IPv4 addresses, etc. So don't be fooled by the field width.

    2. No GeoIP blocking because no countries defined for IPv6. Not sure if this is possible in the IPv6 world and just not done by Sophos yet, or if it's not possible. Doesn't accomplish that much -- in my experience -- in IPv4 Land, so more of a nit to pick.

    3. Multiple addresses per device and no NAT is elegant. But it's also harder to get my head around how to create things like clientless devices to have rules apply to individual devices. Mainly thinking about things like exempting a particular machine from TLS decryption, or traffic shaping to prioritize a machine, or allowing a particular machine to route to a VLAN that is otherwise off-limits.

    As I understand SLAAC, for example, each device has a link-level IP, and two IPs in the RA prefix: one for "client-like" outbound that changes every 24 hours or so, and one for "server-like" inbound that is, like the link-level, fairly stable.

    So I can see for servers and inbound rules/policies, fairly straightforward to handle either via IP, or name, or clientless user, etc. But that's a tiny minority of my use case. I'm more concerned with outbound stuff, which is going to use unstable (even ephemeral) IPs. Not sure how to manage that at all.

    [EDIT: Cisco's documentation says that the DUID is the lowest-numbered MAC address for the device (if it has multiple interfaces), and it appears the Sophos DHCPv6 server accepts a MAC address in the DUID field for static addresses. Haven't tested it yet.]

    4. Only been using it less than a day, but so far IPv6 traffic is about 1/3 and IPv4 is about 2/3.
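The DUID/MAC relationship raised in the post above, as an added example that is not from the thread or from Sophos: it decodes the DHCPv6 DUID types defined in RFC 8415 (DUID-LLT, DUID-EN, DUID-LL), pulls out the embedded Ethernet MAC where one exists, and uses it to look up a static reservation. The reservation table and all sample DUIDs are constructed for illustration.

```python
"""Decode DHCPv6 DUIDs (RFC 8415, section 11) and recover the embedded MAC.

Helper for building static DHCPv6 reservations keyed by a client's DUID.
Sample DUIDs are constructed for illustration; none come from a real device.
"""
import re
from dataclasses import dataclass
from typing import Optional

DUID_LLT, DUID_EN, DUID_LL = 1, 2, 3   # DUID type codes from RFC 8415
HW_ETHERNET = 1                        # IANA hardware type: Ethernet


@dataclass
class Duid:
    duid_type: int
    hw_type: Optional[int]   # present in DUID-LLT and DUID-LL only
    time: Optional[int]      # DUID-LLT only: seconds since 2000-01-01 UTC
    mac: Optional[str]       # "aa:bb:cc:dd:ee:ff" when recoverable, else None
    raw: bytes


def parse_duid(text: str) -> Duid:
    """Parse a DUID written as hex, with or without ':' or '-' separators."""
    raw = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", text))
    if len(raw) < 2:
        raise ValueError("DUID too short")
    duid_type = int.from_bytes(raw[:2], "big")
    hw_type = time = mac = None
    lladdr = b""
    if duid_type == DUID_LLT and len(raw) >= 8:
        hw_type = int.from_bytes(raw[2:4], "big")
        time = int.from_bytes(raw[4:8], "big")
        lladdr = raw[8:]
    elif duid_type == DUID_LL and len(raw) >= 4:
        hw_type = int.from_bytes(raw[2:4], "big")
        lladdr = raw[4:]
    # DUID-EN and DUID-UUID carry no link-layer address, so mac stays None.
    # Only a 48-bit Ethernet link-layer address is rendered as a MAC.
    if hw_type == HW_ETHERNET and len(lladdr) == 6:
        mac = ":".join(f"{b:02x}" for b in lladdr)
    return Duid(duid_type, hw_type, time, mac, raw)


def find_reservation(duid_text: str, reservations: dict) -> Optional[str]:
    """Map the MAC inside a DUID to its reserved IPv6 (reservations: MAC -> IPv6)."""
    mac = parse_duid(duid_text).mac
    return reservations.get(mac) if mac else None
```

A client using DUID-EN or DUID-UUID cannot be matched by MAC at all, which is why a reservation keyed only on the MAC portion will silently miss such hosts.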

  • Hi Wayne,

    Keep experimenting.

    Clientless users require you to set up static IP addressing in the XG DHCP server, then assign the addressing in the clientless server tab. The XG DHCP implementation is a bit of a pain because you need to create a new name for each address assignment. Then create a group for the clientless users, then assign the groups in the firewall rules.

    GeoIP does work in IP4 but not all the blocked country sites use their home IP addressing; some use servers in Azure etc., which becomes a bit of a pain to manage.

    The DUID is a bit of a pain, at least on my XGs because you cannot capture the entire DUID to add to the static address assignment.

    Ian


  • Clientless users also work with SLAAC -- if you care only about incoming -- if you get the stable IPv6 address and enter that in the clientless user table. That doesn't catch the dynamic (outgoing) addresses, which is actually more important to me.

    Do you know how the DHCPv6 assignments (dynamic & static) interact with the client to give both stable and temporary (global, routable) IPv6 addresses? That is, does it totally replace SLAAC above the link-level (which I assume still gets generated by SLAAC)?

    Also, I would suggest that Sophos implement a checkbox for dynamic DHCPv6 such that it randomly selects addresses from within the dynamic range (that are not already used). It one-up numbers them as DHCPv4 does, but dynamic DHCPv4 addresses are mostly hidden by NAT, while dynamic DHCPv6 addresses will be visible to the outside world and if you want to make scanning harder, they should scatter around the range randomly.

    The only saving grace of the DUID display is that the last octet is simply the first octet of the MAC, which is in the previous column. So you can piece it together from the two halves, but...
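The random-allocation behaviour suggested in the post above, as an added illustration that is not Sophos code and not from the thread: a small DHCPv6 lease pool that can hand out addresses either one-up (as described) or uniformly at random from the configured range, skipping addresses already in use and handling pool exhaustion. The pool boundaries in the test are constructed documentation-prefix values.

```python
"""Random (instead of one-up) selection of dynamic DHCPv6 leases from a pool.

Illustrative allocator, not Sophos code. Draws use the OS CSPRNG via `secrets`,
so one client's lease gives no hint about the next; exhaustion is handled.
"""
import ipaddress
import secrets


class LeasePool:
    def __init__(self, first: str, last: str):
        self.first = ipaddress.IPv6Address(first)
        self.last = ipaddress.IPv6Address(last)
        if self.last < self.first:
            raise ValueError("pool end precedes pool start")
        self.size = int(self.last) - int(self.first) + 1
        self.used = set()   # addresses currently leased or reserved

    def _take(self, addr):
        self.used.add(addr)
        return addr

    def allocate_sequential(self) -> ipaddress.IPv6Address:
        """Classic one-up allocation: the lowest free address in the pool."""
        for offset in range(self.size):
            addr = self.first + offset
            if addr not in self.used:
                return self._take(addr)
        raise RuntimeError("pool exhausted")

    def allocate_random(self, max_tries: int = 64) -> ipaddress.IPv6Address:
        """Uniform random draw from the pool, rejecting addresses in use."""
        if len(self.used) >= self.size:
            raise RuntimeError("pool exhausted")
        for _ in range(max_tries):
            addr = self.first + secrets.randbelow(self.size)
            if addr not in self.used:
                return self._take(addr)
        # Only reached when the pool is almost full (so it is small enough to
        # enumerate): pick uniformly among whatever is still free.
        free = [self.first + i for i in range(self.size)
                if self.first + i not in self.used]
        return self._take(secrets.choice(free))

    def release(self, addr) -> None:
        """Return a lease to the pool when it expires or is declined."""
        self.used.discard(ipaddress.IPv6Address(addr))
```

With a realistic dynamic range of thousands or millions of addresses the rejection loop almost never retries, so the random mode costs nothing over one-up numbering while leaving the assigned addresses scattered across the range.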