
Saturday, September 24, 2011

IPv6 restoring End to End connectivity, is it a myth?



Introduction
The main drivers for IPv6 adoption are a large address space which no longer requires any Network Address Translation (NAT), a simpler header which should permit more efficient switching, and the Extension Headers which allow adding a service at the Network Layer rather than the Transport Layer when needed. A great example of an application which benefits from the Extension Headers is IP Mobility, which has been greatly optimized with IPv6.
The eradication of NAT is supposed to get us back to the Internet as it was designed at the origin, before NAT was introduced as a workaround for address depletion. It will restore the end-to-end connectivity which permits IPsec and peer-to-peer applications. This is a real benefit in terms of performance and new features for many voice or conferencing applications, for instance, where we will no longer have to communicate through a server as with Skype.
NAT and Transition
But many people still resist this change because they have been used to working with NAT since the mid 90s and cannot imagine designing any network without it. They cite the benefits of NAT to push the adoption of NAT66 in IPv6. RFC 4864 explains many ways to get the benefits that NAT provides without its numerous drawbacks (RFC 2993) while still permitting end-to-end connectivity.
Make sure you don’t miss this great video about NAT and IPv6, and for more details, please visit this link.
Also, many people argue that transition mechanisms such as stateful NAT64 also break the end-to-end model. This is true, and stateful NAT64 is moreover subject to many possible attacks.
NAT is not a security feature, even if it does provide some basic protection. On the contrary, stateful NAT is an easy target for DoS attacks, and there is no way to protect a network against these DoS attacks. The best you can do is to mitigate them, for instance by rate limiting the packets which require a DNS64 or NAT64 translation.
And again, the transition is not the same thing as IPv6. For maximum performance, security and other benefits, we can think about running IPv6 alone once the transition is over. During the transition, we will need to compromise on features, performance and security for the benefit of supporting old IPv4 nodes and applications.
Stateful Firewall
Another argument against IPv6 restoring end-to-end connectivity is that it will be broken anyway by stateful firewalls. It is absolutely correct that IPv6 stateful routers or hardware firewalls will not allow any incoming traffic that is not the return traffic of permitted outgoing traffic. This also breaks the end-to-end behavior of IPv6 networks, just like stateful NAT does.
Because IPv4 firewalls offer the NAT feature, customers are asking for NAT66 support on IPv6 firewalls. FORTINET implemented some NAT66 when it was still a draft, even before NPTv6 became an RFC.
So are we stuck again? No, it is possible to use a host-based firewall.
Windows XP, 7 and Server editions, Mac OS, and any Linux or Unix OS all have an integrated firewall. With such a host-based firewall you can decide host by host what is permitted and what is denied. This comes at the price of more management, but then you are not blocking a whole site from peer-to-peer applications.
This is what Microsoft says about host-based firewalls:

“Advantages

The advantages of personal firewalls include:
  • Inexpensive. When only a limited number of licenses are required, personal firewalls are an inexpensive option. A personal firewall is integrated into versions of Windows XP. Additional products that work with other versions of Windows or other operating systems are available for free or at limited cost.
  • Easy to configure. Personal firewall products tend to have basic workable out-of-the-box configurations with straightforward configuration options.

Disadvantages

The disadvantages of personal firewalls include:
  • Difficult to manage centrally. Personal firewalls need to be configured on every client, which adds to management overhead.
  • Only basic control. Configuration tends to be a combination of static packet filtering and permission-based blocking of applications only.
  • Performance limitations. Personal firewalls are designed to protect single personal computers. Using them on a personal computer that serves as a router for a small network will lead to degraded performance.”
IPv6 Firewall on Windows XP:
http://technet.microsoft.com/en-us/library/bb726938.aspx
Some other Windows Firewall commands:
netsh advfirewall show allprofiles (check the status of the Windows Firewall)
netsh advfirewall reset (reset the firewall to its default settings)
Information about the IPv6 firewall on Mac OS X, and IPv6 management in general, is available here:
http://ipv6int.net/systems/mac_os_x-ipv6.html
This is an article about the top Linux firewalls, iptables being the reference:
http://www.thegeekstuff.com/2010/02/top-5-best-linux-firewalls/
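The per-host policy described above, written out for a Linux host as an added example (this is not the post's code nor any vendor's): a shell function that emits a stateful ip6tables ruleset which lets outgoing traffic and its return traffic through, keeps the ICMPv6 messages IPv6 itself depends on (the usual mistake with IPv6 host firewalls), and opens only the inbound ports this host chooses to expose. The function names and the sample port list are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: build a stateful IPv6
# host firewall in ip6tables-restore format. Function names and the sample
# port list are hypothetical.

# gen_host_fw_rules PORT...  -> prints the ruleset; each PORT is tcp/N or udp/N
gen_host_fw_rules() {
  printf '%s\n' '*filter' \
    ':INPUT DROP [0:0]' \
    ':FORWARD DROP [0:0]' \
    ':OUTPUT ACCEPT [0:0]' \
    '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
    '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  # ICMPv6 a host must keep accepting (RFC 4890): error messages 1-4
  # (Packet Too Big is needed for Path MTU Discovery), echo request 128,
  # and Router/Neighbor Discovery 133-136; dropping these breaks IPv6 itself.
  for t in 1 2 3 4 128 133 134 135 136; do
    printf '%s\n' "-A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
  done
  # Per-host policy: only the listed ports accept NEW inbound connections,
  # e.g. the listening port of a peer-to-peer application.
  for spec in "$@"; do
    proto=${spec%%/*}
    port=${spec#*/}
    case "$proto" in tcp|udp) ;; *) echo "bad port spec: $spec" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "bad port spec: $spec" >&2; return 1 ;; esac
    printf '%s\n' "-A INPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  printf '%s\n' 'COMMIT'
}

# count_rules PORT... -> number of -A rule lines produced (handy for checks)
count_rules() { gen_host_fw_rules "$@" | grep -c '^-A'; }

# To apply on a host exposing SSH and a P2P app on UDP 6881 (needs root):
#   gen_host_fw_rules tcp/22 udp/6881 | ip6tables-restore
```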
High-end hardware or even router-based firewalls are very powerful and do much more than just block non-permitted return traffic, but we could imagine that they would let the traffic in and still inspect and control whatever they are supposed to. So it does not mean that we would not need powerful firewalls at the edge of the network; rather, they could complement the host-based firewalls.

Conclusion
So is IPv6 restoring end-to-end connectivity a myth or not?
I want to believe that it is not… But…
For the network vendors, all the routers and firewall devices which support the transition to IPv6 with NAT, CGN or LSN based features such as NAT66, NAT444, NAT64 or DS-Lite are a gold mine. They are going to spend a lot of energy convincing network managers (who don't need to be convinced anyway) that they can deploy IPv6 networks alongside their existing, and additional, IPv4 nodes and continue to run IPv6 just like they have been running IPv4 for years!
It is always difficult for anyone to change. A network manager who has learned his job with IPv4 networks, who has been designing IPv4 networks and managing these networks, which were not perfect but have been running for years, will not accept the change easily, even if it is for more performance and more features. They will keep pushing to get all the same features in IPv6 so they can keep doing things EXACTLY as before. The network vendors will provide whatever their customers ask for, and the IETF will finally approve everything! I know this is a more realistic than optimistic view, but I am afraid that this is what is going to happen… Even if it is not a myth that IPv6 could restore end-to-end connectivity!

Fred BOVY
CCIE #3013
