[184489] in North American Network Operators' Group


Re: /27 the new /24

daemon@ATHENA.MIT.EDU (Mel Beckman)
Sun Oct 4 10:55:53 2015

X-Original-To: nanog@nanog.org
From: Mel Beckman <mel@beckman.org>
To: Stephen Satchell <list@satchell.net>
Date: Sun, 4 Oct 2015 14:54:42 +0000
In-Reply-To: <56113C5C.8050702@satchell.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

I recommend any of a number of online courses for a quick understanding of IPv6. But nothing beats making your own IPv6 lab and getting hands-on experience. Here's a course I built walking you through that process:

http://windowsitpro.com/build-your-own-ipv6-lab-and-become-ipv6-guru-demand

 -mel beckman

> On Oct 4, 2015, at 7:49 AM, Stephen Satchell <list@satchell.net> wrote:
>
>> On 10/04/2015 06:40 AM, Matthias Leisi wrote:
>> Fully agree. But the current state of IPv6 outside "professional"
>> networks/devices is sincerely limited by a lot of poor CPE and
>> consumer device implementations.
>
> I have to ask:  where is the book _IPv6 for Dummies_ or equivalent?
>
> Specifically, is http://www.xnetworks.es/contents/Infoblox/IPv6forDummies.pdf any good? (I just downloaded it to inspect.)
>
> My bookshelf is full of books describing IPv4.  Saying "IPv6 just works" ignores the issues of configuring intelligent firewalls to block the ne'er-do-wells using the new IP-level protocol.
>
> In Robert L. Ziegler's book _Linux Firewalls_ Second Edition (2002, ISBN 0-7357-1099-6), the *only* mention of IPv6 is in the discussion of NAT, and that discussion is limited to "NAT is a stopgap until IPv6 achieves wide implementation."  A preview of the Third Edition fails to mention ip6tables at all, the same lack that the Second Edition has.
>
> I use CentOS, the community version of Red Hat Enterprise.  I looked around for useful books on building IPv6 firewalls with the same granularity as the above-mentioned book for IPv4, and haven't found anything useful as yet.  In particular, I'm looking for material that lays out how to build a mostly-closed firewall and DMZ in IPv6.  The lack of IPv6 support goes further:  I didn't find anything useful in Red Hat (CentOS) firewall tools that provides IPv6 support...but that's probably because I don't know what I'm looking for.  (Also, that GUI software is intended for use on individual servers/computers, not in an edge-firewall with forwarding and DMZ responsibilities.)
>
> Building a secure firewall takes more than just knowing how to issue ip6table commands; one also needs to know exactly what goes into those commands.  NANOG concentrates on network operators who need to provide a good Internet experience to all their downstream customers, which is why I see the bias toward openness...as it should be.  Those of us who run edge networks have different problems to solve.
>
> I'm not asking NANOG to go past its charter, but I am asking the IPv6 fanatics on this mailing list to recognize that, even though the net itself may be running IPv6, the support and education infrastructure is still behind the curve.  Reading RFCs is good, reading man pages is good, but there is no guidance about how to implement end-network policies in the wild yet...at least not that I've been able to find.
>
> "ipv6.disable" will be changed to zero when I know how to set the firewall to implement the policies I need to keep other edge networks from disrupting mine.
>
