[137080] in North American Network Operators' Group
Re: IPv6 - a noobs prespective
daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Feb 9 07:09:38 2011
From: Owen DeLong <owen@delong.com>
In-Reply-To: <AANLkTi=Dska-0YoDLdVg_Q-4JmXK=x821EgOFHOy8ap+@mail.gmail.com>
Date: Wed, 9 Feb 2011 04:08:22 -0800
To: Robert Lusby <nanogwp@gmail.com>
Cc: nanog@nanog.org
On Feb 9, 2011, at 3:00 AM, Robert Lusby wrote:
> As part of my role, I'm responsible for a small (20 - 25 machine) network
> in the UK.
>
> When it comes to IPv6 I'm a complete noob. So ok - this is how I stand for
> IPv6:
>
> I "get" IPv4, I get NAT, I get why it's needed, and I get why it's evil.
>
> I know my IPv4 network inside and out, how DHCP runs and assigns addresses,
> how that ties in with our VPN, how everything gets channeled via the NAT to
> our ISP etc ...
>
> I also get why we need IPv6, that it means removing the NAT (which, surprise
> surprise, also runs our Firewall), and that I might need new kit for it.
>
Well, I'll question that a little bit.

I think your Firewall, in addition to translating addresses (NAT), also filters
packets. Would that, perhaps, be a more accurate description?

Most firewalls (other than trivial home gateways) can do all the stateful inspection
(the actual packet filtering and state-table stuff) without having to do NAT.
If it supports IPv6 at all, it should be ready to do that without needing new kit.
If it doesn't support IPv6 at all, then, yes, you needed new kit anyway, no?

Personally, I'm pretty happy with the SRX-series kit from Juniper. It's pretty
inexpensive and has most of the IPv6 features you are likely to need, including
stateful inspection without NAT for IPv6 and with NAT for IPv4.
> I am however *terrified* of making that move. There are so many new phrases,
> words, things to think about etc
>
> I want to, I'm keen to, and I know we have to, move to IPv6 - but at the
> moment it just seems so complicated - not least without affecting any IPv4
> stuff.
>
Build a test lab and start experimenting. You'll find that for the most part, it's
just 96 more bits and very little magic.
Owen
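To make the "stateful inspection without NAT for IPv6, with NAT for IPv4" point concrete, here is an added illustration in Junos SRX set-command form. It is not Owen's configuration and not taken from the thread; the interface names (ge-0/0/0.0, ge-0/0/1.0), the zone names, and the prefixes (10.0.0.0/24, 2001:db8:1::/64) are assumptions chosen for the example, and the `#` lines are annotations rather than commands. The only thing that is IPv4-specific is the source-NAT rule; the security policies and the session table are the same for both families.

```junos
# Added example, not Owen's config. Interface, zone and prefix names are
# assumed; adapt them to your own kit.

# Branch SRX of this era forwarded IPv6 packet-based by default. Flow mode
# (a reboot is needed after the commit) is what gives IPv6 a session table.
set security forwarding-options family inet6 mode flow-based

# Two zones: the LAN behind the firewall and the ISP-facing side.
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0

# Address-book entries for the LAN, one per family.
set security address-book global address lan-v4 10.0.0.0/24
set security address-book global address lan-v6 2001:db8:1::/64

# Source NAT for IPv4 only: the match is an IPv4 prefix, so IPv6 flows never
# hit this rule and leave with their real addresses. Nothing else is needed.
set security nat source rule-set lan-to-isp from zone trust
set security nat source rule-set lan-to-isp to zone untrust
set security nat source rule-set lan-to-isp rule v4-only match source-address 10.0.0.0/24
set security nat source rule-set lan-to-isp rule v4-only then source-nat interface

# Outbound policy: one rule covers both families ("any" matches IPv4 and
# IPv6). Each permitted packet creates a session, and replies are matched
# against that session, so no inbound rule is needed for return traffic.
set security policies from-zone trust to-zone untrust policy allow-out match source-address [ lan-v4 lan-v6 ]
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit

# Inbound: unsolicited traffic is dropped and logged for both families. This
# is the protection people attribute to NAT, now done explicitly by policy
# rather than by the accident of there being no translation mapping.
set security policies from-zone untrust to-zone trust policy deny-in match source-address any
set security policies from-zone untrust to-zone trust policy deny-in match destination-address any
set security policies from-zone untrust to-zone trust policy deny-in match application any
set security policies from-zone untrust to-zone trust policy deny-in then deny
set security policies from-zone untrust to-zone trust policy deny-in then log session-init
```

After the commit, open an IPv6 connection from a LAN host and look at `show security flow session` on the SRX: the IPv6 session shows the host's real source address on both the in and out wings, while an IPv4 session from the same host shows the translated address on the out wing. One caveat worth keeping in mind when you build the lab: do not bolt a blanket ICMPv6 block on top of this. IPv6 depends on ICMPv6 for Neighbor Discovery and path MTU discovery, and the deny-in policy above only applies to transit packets that belong to no existing session; router and neighbor traffic to the SRX itself is host-inbound traffic and is governed by the zone's host-inbound-traffic settings, not by these transit policies.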