I've tried to follow rfcat_vk's excellent documentation of the current state of IPv6 in SFOS. And I've been feeling like I'm missing out that my ISP doesn't offer IPv6 (they've said "coming soon" for a year now, maybe more). But the more I look into it, the less benefit I see. I almost don't want it to drop at this point.
It avoids NAT, but NAT doesn't really slow things down and the only IPv4 workaround I'm familiar with that I need is SIP ALG (which in SFOS appears to work well). With most all critical communications using TLS, it doesn't seem like IPv6 actually adds much for security. In fact, it seems like a security wash in some ways with ICMP becoming so critical to IPv6 working.
It provides a little tracking advantage with the ability to have different, changing IP addresses for each machine that communicates with the outside world. Which is cool.
But at a minimum, I'd have to run the XGS in dual-stack mode indefinitely. For example, I have a VPN and I may need to reach it from an area or an ISP that doesn't provide IPv6, so I'll need IPv4 for that pretty much until IPv4 is turned off in the Western Hemisphere.
My ISP will benefit from IPv6: smaller routing tables, etc. But it really doesn't feel like I have any real draw to get IPv6. An advantage here and there, a new adventure, but pretty much completely balanced out by disadvantages.
What am I not seeing? (Besides my ISP getting IPv6 and setting a deadline after which it won't support IPv4.)
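The point above about ICMPv6 being load-bearing is the one practitioners most often get wrong in the other direction: a "drop all ICMP" policy carried over from IPv4 habits silently breaks Path MTU Discovery and Neighbor Discovery. The following is an added example, not code from the thread or from Sophos. It audits constructed, simplified netfilter-style drop log lines and reports only the ICMPv6 types that RFC 4890 says a firewall must let through (types 1 to 4 everywhere; the Neighbor Discovery types 133 to 136 on the local link). The log format, interface name and addresses are all assumptions made for the example.

```python
"""Audit IPv6 firewall drop logs for ICMPv6 types that IPv6 cannot work without.

Added example, not from the forum thread or any Sophos product. The log
format is a constructed, simplified netfilter-style LOG line; the list of
essential types follows RFC 4890.
"""
import re
from collections import Counter

# ICMPv6 types that must not be dropped (RFC 4890): the error messages that
# every firewall must pass, plus the Neighbor Discovery types that break hosts
# when a host-based firewall drops them on the local link.
ESSENTIAL_ICMPV6 = {
    1: "destination-unreachable",
    2: "packet-too-big",           # dropping this black-holes Path MTU Discovery
    3: "time-exceeded",
    4: "parameter-problem",
    133: "router-solicitation",
    134: "router-advertisement",   # SLAAC and default-route learning
    135: "neighbor-solicitation",  # IPv6's ARP; dropping it stops all on-link traffic
    136: "neighbor-advertisement",
}

# Constructed sample log lines (documentation prefixes, assumed interface name).
SAMPLE_LOG = """\
DROP IN=eth0 SRC=2001:db8:1::1 DST=2001:db8:2::10 PROTO=ICMPv6 TYPE=2 CODE=0
DROP IN=eth0 SRC=2001:db8:1::1 DST=2001:db8:2::10 PROTO=ICMPv6 TYPE=128 CODE=0
DROP IN=eth0 SRC=fe80::1 DST=ff02::1 PROTO=ICMPv6 TYPE=134 CODE=0
DROP IN=eth0 SRC=fe80::2 DST=ff02::1:ff00:10 PROTO=ICMPv6 TYPE=135 CODE=0
DROP IN=eth0 SRC=2001:db8:1::5 DST=2001:db8:2::10 PROTO=TCP SPT=4444 DPT=22
DROP IN=eth0 SRC=2001:db8:1::1 DST=2001:db8:2::10 PROTO=ICMPv6 TYPE=2 CODE=0
"""

LINE_RE = re.compile(
    r"^DROP .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=ICMPv6 TYPE=(?P<type>\d+)"
)


def parse_icmpv6_drops(log_text):
    """Yield (src, dst, icmp_type) for every dropped ICMPv6 packet in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("type"))


def audit_icmpv6_drops(log_text):
    """Return {type_name: count} for dropped ICMPv6 types that IPv6 depends on.

    Anything reported here means the policy is breaking IPv6 (PMTUD black
    holes, hosts that cannot resolve neighbours, no default route), not
    hardening it. Echo requests (128) and other non-essential types are
    ignored: dropping or rate-limiting those is a legitimate policy choice.
    """
    findings = Counter()
    for _src, _dst, icmp_type in parse_icmpv6_drops(log_text):
        name = ESSENTIAL_ICMPV6.get(icmp_type)
        if name:
            findings[name] += 1
    return dict(findings)


if __name__ == "__main__":
    for name, count in sorted(audit_icmpv6_drops(SAMPLE_LOG).items()):
        print(f"{count:3d} dropped {name} packets (type IPv6 needs to function)")
```

Run against a real log, the useful signal is a non-zero count for packet-too-big or neighbor-solicitation: that is a policy defect to fix, not an attack to investigate.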
I am not an expert on IPv6.
The following are my observations as a home user and experimenter. IPv6 has built-in security which IPv4 does not have (a search is required for specifics). Your ISP…
I'm also interested to see if anyone suggests something compelling that I've 'missed'
I still see it as primarily a solution to deal with running out of IPv4 addresses. I just want to be able to switch over 'overnight' from IPv4 to IPv6 and not have to mess around with supporting a dual environment but so much is clearly not ready.
I sometimes enjoy playing with the bleeding edge of technology. This is one area where I'll stay well clear until I'm forced to or all the players have their act together.
The current versions of XG cannot run on IPv6 only, when I last used a UTM, you could run on IPv6 only.
IPv6 is not bleeding edge, it is over 20 years old, e.g. older than the XG concept.
XG115W - v19 GA - Home
1225v5 6gb ram, SSID, 4 NICs 20w - v19 EAP - on holiday.
If a post solves your question please use the 'Verify Answer' button.
We have a different definition of bleeding edge. To me, something ceases to be bleeding edge when it is widely available in the products I use and solidly implemented. That clearly isn't the case ATM.
I don't think there's anything compelling unless you're in the middle ground of having a home lab with multiple servers of the same kind (say multiple web servers) that you want to expose to the outside world individually. If you move up a level, you could combine all of them behind something like nginx (I think) and still just DNAT port 80. But if they need to be separately accessible, IPv6 lets you expose all of them and then allow port 80 through to all of them.
Otherwise, I don't see any advantages for us end users. I think at least some of the advantages years ago have been overcome by circumstances and are no longer straight-up advantages.
Also, having a dual stack is not much more complicated than IPv6-only or IPv4-only, if at all. So basically, if my ISP goes IPv6-only or dual-stack, I'll follow their lead. (I figure a couple of key places I'd like to VPN back into the Sophos will be late in the switch to IPv6, so somebody, somewhere's gotta bridge the gap -- whether it's dual-stack or some kind of CGNAT-ish thing or whatever.)
Your definition really has two parts to it: a) widely available in widely-available products, and b) solidly implemented. And I imagine that rfcat's definition of bleeding edge corresponds to your part B. In that sense in particular, IPv6 is not bleeding edge: it's had decades to iron out the kinks and it has solid implementations.
And one could argue that even in the sense of A, IPv6 isn't bleeding edge. Even consumer-brand routers support it. Every smartphone uses it. And so on. It's very widespread in terms of devices that can reliably handle it and you may not own a device that doesn't support it. (ISPs are another matter, as in IPv6-only versus dual-stack.)
So in your (and my) case, it's not available from ISPs that we have access to, which means we have to go to some trouble to use it and it doesn't really provide any substantial advantage so it's more for intellectual pursuit than plug-n-play.
To rfcat, I'd ask why XG doesn't support IPv6-only. I think he's mentioned things like Sophos APs not supporting Sophos Central or perhaps updates via IPv6, and there could be other technicalities like that. Though there may be others.
From previous discussions with Sophos on IPv6, they do not see it as a high priority in the corporate market regardless of what the competition does or various network supplier companies.
Adding a little bit more, if IPv6 was fully integrated there would not be an issue with the 2 separate firewalls within the XG structure.
I can imagine that an integrated firewall might be pretty difficult, and the two-firewalls approach hasn't been too painful for my admittedly small experiment. It would be nice to be able to copy rules (perhaps not all contents, and perhaps disabled so they don't take effect without tweaking) between them. In theory, dual-stack is transitionary.
And at least Gartner doesn't yet have IPv6 on the Plateau of Productivity, though it is coming out of the Valley of Disillusionment. So maybe there is something to Sophos' approach? Nonetheless, they are ceding a segment of the market to their competition.
On an experimental note, I've noticed that XG considers a lot more folks outside the network to be "neighbors" in the NDP table. All of them are "Incomplete", as opposed to internal neighbors that are "Complete", but it's a little odd seeing an Akamai server as a "neighbor" no matter how tentative.
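The "outside neighbors" observation above is easy to make precise: a neighbor entry is only meaningful for an address that is on-link (link-local, or inside a prefix configured on that interface), so anything else in the table is worth a second look at the routes on that interface rather than being taken as a real neighbour. The following is an added example, not from the thread or from Sophos; it classifies a neighbor table in the text format Linux `ip -6 neigh show` prints. The interface name, prefix and entries are constructed for the example (documentation addresses only).

```python
"""Classify an IPv6 neighbor (NDP) table: on-link vs off-link, grouped by NUD state.

Added example, not from the forum thread or any Sophos tool. Input is in the
format printed by Linux `ip -6 neigh show`; every entry below is constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: one LAN interface ("lan", an assumed name) carrying the
# documentation prefix 2001:db8:1::/64. The last two entries mimic the
# "outside neighbors" described in the thread: global addresses outside every
# local prefix, sitting in the table as INCOMPLETE.
SAMPLE_NEIGH = """\
fe80::1e6f:65ff:fe12:3456 dev lan lladdr 1c:6f:65:12:34:56 router REACHABLE
2001:db8:1::10 dev lan lladdr 00:11:22:33:44:55 STALE
2001:db8:1::20 dev lan lladdr 00:11:22:33:44:66 REACHABLE
2001:db8:1::30 dev lan FAILED
2001:db8:dead::77 dev lan INCOMPLETE
2001:db8:beef::b0b dev lan INCOMPLETE
"""

# Prefixes configured on each interface (assumed for the example).
LOCAL_PREFIXES = {"lan": [ipaddress.ip_network("2001:db8:1::/64")]}


def parse_neigh(text):
    """Parse `ip -6 neigh` lines into dicts with addr, dev, lladdr and state."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        entry = {"addr": ipaddress.ip_address(tokens[0]), "dev": None,
                 "lladdr": None, "state": tokens[-1]}  # NUD state is the last token
        for i, tok in enumerate(tokens):
            if tok == "dev":
                entry["dev"] = tokens[i + 1]
            elif tok == "lladdr":
                entry["lladdr"] = tokens[i + 1]
        entries.append(entry)
    return entries


def is_on_link(entry, local_prefixes):
    """Link-local addresses are always on-link; globals must fall in a local prefix."""
    addr = entry["addr"]
    if addr.is_link_local:
        return True
    return any(addr in net for net in local_prefixes.get(entry["dev"], []))


def classify_neighbors(text, local_prefixes):
    """Return {(on_link, state): [addresses]} so the odd entries stand out."""
    groups = defaultdict(list)
    for entry in parse_neigh(text):
        key = (is_on_link(entry, local_prefixes), entry["state"])
        groups[key].append(str(entry["addr"]))
    return dict(groups)


def off_link_entries(text, local_prefixes):
    """Addresses with a neighbor entry that are outside every on-link prefix.

    A router never needs a link-layer address for these, so each one is a
    prompt to check the routing table for that interface (is some route
    treating a remote prefix as directly connected?) rather than a neighbour.
    """
    return sorted(addr
                  for (on_link, _state), addrs in
                  classify_neighbors(text, local_prefixes).items()
                  if not on_link
                  for addr in addrs)


if __name__ == "__main__":
    for (on_link, state), addrs in sorted(
            classify_neighbors(SAMPLE_NEIGH, LOCAL_PREFIXES).items()):
        where = "on-link " if on_link else "OFF-LINK"
        print(f"{where} {state:<10} {', '.join(addrs)}")
```

The grouping deliberately keeps state and reachability separate: a FAILED entry for an on-link address is a host that went away, while an INCOMPLETE entry for an off-link address says nothing about that host at all and everything about how the router decided it was directly connected.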
If IPv6 was fully integrated similar to the UTM, then configuring rules would not be an issue. The current version of XG does not allow identical firewall rules in IPv4 and IPv6. Requires two identities in DHCP, does not recognise FQDNs in rules or policies etc.
I want some level of the appearance of integration, but as a developer I don't want a truly integrated DHCPv4/DHCPv6 piece of software. That's a recipe for bugs, for decades.
I totally agree that they need to unify names and make name lookup universal so we can choose to use names where MAC or IP addresses can be used, etc. Similarly, I'd like to be able to check boxes to have reverse name use: see names for MAC addresses, etc.
That would take a lot of thinking and work since names are currently so split. There are literally DNS lookups and reverse lookups, names in the MAC address table, names in the IP address table, names in the DHCP static address table, names that DHCP clients apparently pass on to the DHCP server, and so on.
So maybe checkboxes or do roll-overs or something that lets me roll over a MAC address and see either all names that XG knows about or maybe I can set a preference as to a priority order or something so I see the first name that corresponds to the address looking through the priority list of sources.
Just a dream.
Experimental-wise, someone mentioned Steam not working with IPv6. And I am seeing strange things with Steam where it works, but then occasionally insists it's not online, since turning on dual-stack yesterday. I thought network code was in general more isolated than that, but...
Suggest you get a UTM licence and try the same experiments.
Thanks for the suggestion! But my "home lab" has only one router and no servers (and no idle machines) so true experimentation, like setting up a UTM, isn't on the menu.
I do have to withdraw my previous comment about unified firewall. The XG does have a unified firewall. You can tell from the fact that the firewall rules need to have distinct names -- including across IPv4 and IPv6 -- and that each new rule has a one-up number that spans both IPv4 and IPv6. Which tells me that the underlying firewall is in fact unified. It's mainly a matter of a unified GUI, which I'm fine with. (I don't want critical software being unified for unification-sake but if it's already there then my objection is withdrawn.)
From everything I hear, UTM had a better interface. I imagine it either had more custom software under the hood or wasn't as amenable to a multi-plane architecture (XStream) as XG is. So Sophos is emphasizing that option. And my XGS serves my needs, so... I mainly experiment to the degree that no one else in the house can tell I'm experimenting, since I'm essentially experimenting with the plane while it's in flight.