IPv6, addressing schemes, and router-layer firewalls

Started by ecornips, Aug 07, 2013, 11:46:15


ecornips

Hi,

I'm doing some general research into how IPv6 is currently provisioned by various ISPs, and IDNet seems to be a good early adopter, so I thought I'd ask you all some questions. As background, I work for a small firewall developer that is looking at supporting IPv6 (finally), so understanding how it's used in practice sheds a lot more light than all those RFCs.

1. It looks like everyone gets a /64 on the router, and a /48 delegated prefix for LANs. Is the /48 static or dynamic? I.e., does it change after you reboot your router?

2. If you are assigned a dynamic prefix, how do you deal with security? Assume not all your PCs have an IPv6 firewall, so you need to firewall at the edge router. In particular:
    a) Let's say you want to stop the kids' computers from using IRC, so you want to block tcp-6667 for their machines, but keep access for yours. Can you do that now? Do you force your machines to have static IPs/EUI-64 rather than dynamic "privacy-extension" IPs?
    b) Let's say you want to host a small web site, and use a dynamic DNS client (to keep the DNS entry pointing to the correct IP). You need to open up inbound tcp-80 traffic to just your webserver and nothing else. Can you do that now? If so, how do you deal with your server's IPv6 address changing over time?

3. Probably not many/any are doing this, but if you have multiple sites on IPv6 linked over VPNs, what addressing scheme are you using for all the LANs on each site: do you just use the IPv6 global prefixes assigned by the ISP, or do you use Unique Local Addresses (ULA)?

4. Is there something missing from your router's IPv6 support (aside from NAT :)) that you really wish it had?

Thanks for your time.
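The two scenarios in question 2 (block tcp-6667 for one machine, open tcp-80 only to one server) can both be handled at the edge router even when the ISP prefix is dynamic, provided each host has a stable interface identifier: either the EUI-64 derived from its MAC or a suffix configured by hand. The following Python script is an added example, not code from this thread or from any router firmware. It keeps a small host inventory keyed by that stable identifier, derives each host's full address from whatever /48 is currently delegated, and emits nftables rules for the router's forward chain; rerun it from a prefix-change hook and the rules follow the new prefix. The optional suffix-match mode assumes nftables accepts a bitwise mask on `ip6 saddr`/`ip6 daddr`. All prefixes, MACs and host names are constructed (2001:db8::/32 is documentation space).

```python
"""Edge-router IPv6 rules for hosts inside a dynamically delegated prefix.

Added example, not from this thread. Hosts are tracked by a stable interface
identifier (EUI-64 from the MAC, or a fixed suffix the host is configured with)
and the absolute rules are regenerated whenever the ISP hands out a new /48.
Hosts running RFC 4941 privacy extensions have no stable identifier, so a
per-host rule has to target their non-temporary address instead.
All prefixes, MACs and host names are constructed (2001:db8::/32 is documentation space).
"""
import ipaddress

IID_MASK = (1 << 64) - 1


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 App. A): insert ff:fe, flip the universal/local bit."""
    octets = bytes(int(b, 16) for b in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")


def lan_subnet(delegated: str, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve one /64 out of the delegated prefix; subnet_id fills the bits between them."""
    net = ipaddress.IPv6Network(delegated, strict=False)
    room = 64 - net.prefixlen
    if room < 0 or not 0 <= subnet_id < (1 << room):
        raise ValueError("subnet id does not fit between the delegated prefix and bit 64")
    return ipaddress.IPv6Network((int(net.network_address) | (subnet_id << 64), 64))


def host_address(subnet: ipaddress.IPv6Network, interface_id: int) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(int(subnet.network_address) | (interface_id & IID_MASK))


def suffix_literal(interface_id: int) -> str:
    """The interface identifier alone, e.g. ::21b:21ff:fe12:3456, for mask-based matching."""
    return str(ipaddress.IPv6Address(interface_id & IID_MASK))


# Constructed inventory: subnet index within the /48 plus a MAC (EUI-64) or fixed suffix.
HOSTS = {
    "kids-pc": {"subnet": 1, "mac": "00:1b:21:12:34:56"},
    "webserver": {"subnet": 2, "iid": 0x80},  # server statically configured as <prefix>:2::80
}

# (host, direction relative to the LAN, L4 protocol, port, verdict)
POLICY = [
    ("kids-pc", "out", "tcp", 6667, "drop"),     # question 2a: no IRC for the kids' machine
    ("webserver", "in", "tcp", 80, "accept"),    # question 2b: inbound HTTP only to the server
]


def interface_id(entry: dict) -> int:
    return entry["iid"] if "iid" in entry else eui64_interface_id(entry["mac"])


def build_rules(delegated: str, suffix_match: bool = False) -> list:
    """One nftables forward-chain rule per policy line.

    suffix_match=True emits rules that match only the low 64 bits (assumes nftables'
    bitwise AND on the address payload), so they survive a prefix change without
    being regenerated; the trade-off is that any prefix carrying that suffix matches.
    """
    rules = []
    for host, direction, proto, port, verdict in POLICY:
        entry = HOSTS[host]
        iid = interface_id(entry)
        field = "saddr" if direction == "out" else "daddr"
        if suffix_match:
            match = f"ip6 {field} & ::ffff:ffff:ffff:ffff == {suffix_literal(iid)}"
        else:
            match = f"ip6 {field} {host_address(lan_subnet(delegated, entry['subnet']), iid)}"
        rules.append(f'{match} {proto} dport {port} {verdict} comment "{host}"')
    return rules


def render_nft(delegated: str, suffix_match: bool = False) -> str:
    """Full ruleset: default drop, allow replies, apply per-host policy, let the LAN out."""
    body = "\n".join("        " + r for r in build_rules(delegated, suffix_match))
    return (
        "table ip6 edge {\n"
        "    chain forward {\n"
        "        type filter hook forward priority 0; policy drop;\n"
        "        ct state established,related accept\n"
        f"{body}\n"
        '        iifname "lan0" accept\n'
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    print(render_nft("2001:db8:abcd::/48"))
```

Rule order does the work here: the per-host drop for the kids' machine sits before the general "LAN may go out" rule, and the only inbound rule that accepts new connections is the one for the web server, so everything else from the WAN falls through to the chain's default drop. The same inventory gives the dynamic DNS client the server address to publish, since the /48 is the only part that changes.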

Steve

The allocation from IDNet is dynamic, although it can be made static at the router. My router, an ASUS RT-N66U, currently has no IPv6 firewall, although I could, with some teeth grinding, write one.
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

ecornips

Quote from: Steve on Aug 07, 2013, 15:08:27
The allocation from IDNet is dynamic, although it can be made static at the router. My router, an ASUS RT-N66U, currently has no IPv6 firewall, although I could, with some teeth grinding, write one.

Thanks. Could you elaborate on what you mean by "it can be made static at the router"? Are we talking about asking IDNet for a static allocation that is then given out by DHCPv6-PD? Or something else that doesn't require the customer to contact IDNet?

Simon

Sorry, I wouldn't do you any favours by trying to answer the technical stuff, but :welc: :karma:
Simon.

ecornips

Quote from: Simon on Aug 07, 2013, 21:48:14
Sorry, I wouldn't do you any favours by trying to answer the technical stuff, but :welc: :karma:

No worries, thanks for the karma  8-)

andrue

If you have paid for a static IPv4 address, the prefix of your /48 will be fixed as well. As with IPv4, you just tell your router to pick the address up from IDNet, so you don't have to do any configuring there. I run a mail and FTP server but have yet to work out how to get Windows to accept a static IPv6 address. Every time I try, it just kills the network stack completely  :comp:

Luckily it seems that the address that Windows generates for the non-temporary address is static anyway. The only time it changed was when I moved the installation to a new box and had to sysprep it. Perhaps it's derived from the MAC as per the requisite RFC  :dunno:

Anyway I have set up an IPv6 TBBQM to my server which proves it's static. I have also looked into port forwarding (or more accurately port opening) to allow IPv6 traffic to reach my server but frankly the setup page baffles and scares the pants off me  :eek4:

My router has an IPv6 firewall so security is mainly dealt with there although all the machines are running the Windows firewall as well.

Steve

I think the client IPv6 addresses are derived from the MAC.
Steve

andrue

Quote from: Steve on Aug 09, 2013, 20:58:52
I think the client IPv6 addresses are derived from the MAC.
Some are, if that's how it's configured, but I'm now confused again. I've gone back to my machines and now the only permanent IPv6 address ([netsh interface ipv6 show address] showing the lifetime as 'infinite') is a Provider Independent Address. I didn't think that used to be the case. Unfortunately I had disabled my server's TBBQM and it looks like TBB kills them off after a while, so I don't have a record of the address I was using, but I'm sure it wasn't a 2001::

I wonder if IDNet have changed something WRT IPv6?

I might have to have another look at it this weekend to see if I can get to grips with IPv6 and static addressing. It must be possible to fix an address in Windows without relying on some magically generated address. Presumably the provider independent address could change at some point. I'd far rather have my server locked down to a specific address if it's ever going to offer services via IPv6.

Edit: Ah! That PIA is for the Teredo interface. Now why do I have one of those? I didn't think I needed that if I had IPv6 support from my ISP.

Edit2: Interesting. My laptop is Windows 7 Home Premium and has the Teredo interface. My server is Win 7 Professional and doesn't. How odd. The only 'infinite' address on either machine is a Provider Independent Address. At least that means if I change ISP I won't have to reconfigure the server address. If I can ever work out how to get it working with IPv6 :)
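The confusion in the post above comes from one interface listing several kinds of IPv6 address at once: the ISP-prefixed one (global unicast, with either an EUI-64 or a randomised identifier), link-local, and on some machines a Teredo address, which lives in 2001:0::/32, is tunnelled over IPv4 and has nothing to do with the ISP's delegation. The script below is an added example, not from this thread, that sorts a `netsh interface ipv6 show address` style listing into those kinds using the Python standard library's `ipaddress` module and flags which addresses carry an EUI-64 identifier. The sample addresses are constructed (2001:db8::/32 is documentation space); only the Teredo prefix 2001:0::/32 is the real one.

```python
"""Sort the addresses `netsh interface ipv6 show address` (or `ip -6 addr`) lists into
the kinds that matter when pinning a server to one address.

Added example, not from this thread. The sample addresses are constructed
(2001:db8::/32 is documentation space); only the Teredo prefix 2001:0::/32 is the real one.
"""
import ipaddress

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")


def classify(addr_str: str) -> dict:
    a = ipaddress.IPv6Address(addr_str.split("%", 1)[0])  # drop a zone index such as %12
    if a.is_loopback:
        scope = "loopback"
    elif a.is_link_local:
        scope = "link-local"
    elif a.teredo is not None:     # 2001:0::/32, tunnelled over IPv4; not from the ISP's prefix
        scope = "teredo"
    elif a.sixtofour is not None:  # 2002::/16, also IPv4-derived
        scope = "6to4"
    elif a in UNIQUE_LOCAL:        # fc00::/7: fine for site-to-site VPN LANs, never routed globally
        scope = "unique-local"
    elif a in GLOBAL_UNICAST:
        scope = "global"
    else:
        scope = "other"

    iid = a.packed[8:]             # low 64 bits: the interface identifier
    if iid[3:5] == b"\xff\xfe":
        iid_kind = "eui-64"        # built from the MAC: stable across reboots, reveals the NIC vendor
    elif scope in ("teredo", "6to4"):
        iid_kind = "tunnel-encoded"  # carries the IPv4 endpoint (Teredo adds port and flags)
    else:
        iid_kind = "random-or-manual"  # RFC 4941 temporary, a randomised stable IID, or hand-set

    return {"address": str(a), "scope": scope, "iid": iid_kind,
            "from_isp_prefix": scope == "global"}


def stable_candidates(addresses) -> list:
    """Global addresses with an EUI-64 identifier: safe to put in DNS or a firewall rule
    without checking the lifetime. Randomised stable IIDs also qualify, but the address
    alone cannot distinguish them from temporary ones; for those, check for an 'infinite'
    valid lifetime in the listing."""
    return [c["address"] for c in map(classify, addresses)
            if c["scope"] == "global" and c["iid"] == "eui-64"]


SAMPLE = [  # constructed listing for one Windows host that also has a Teredo interface
    "fe80::5c7d:9a3b:e2a1:1f0c%12",
    "2001:db8:abcd:1:21b:21ff:fe12:3456",     # EUI-64 for MAC 00:1b:21:12:34:56
    "2001:db8:abcd:1:5c7d:9a3b:e2a1:1f0c",    # randomised stable identifier (Windows default)
    "2001:db8:abcd:1:a1f3:77c2:9e08:4d11",    # RFC 4941 temporary address
    "2001:0:9d38:6ab8:1c7e:3f2a:3f57:fe9b",   # Teredo
    "fd12:3456:789a:1::10",                   # ULA
    "2002:c000:22a::1",                       # 6to4 for 192.0.2.42
]

if __name__ == "__main__":
    for addr in SAMPLE:
        print(classify(addr))
    print("pin these:", stable_candidates(SAMPLE))
```

Two practical consequences for the server case: a Teredo address will never be reachable through the ISP's IPv6 prefix, so it is not the one to publish or to open a port for; and Windows generates a randomised (not EUI-64) stable identifier by default, which is why the script cannot tell it from a temporary one by looking at the address alone. If you want the identifier derived from the MAC and no temporary addresses at all, `netsh interface ipv6 set global randomizeidentifiers=disabled` and `netsh interface ipv6 set privacy state=disabled` switch both behaviours off; the address still follows the ISP prefix, so the /48 has to be fixed as well for it to be truly static.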

Steve

Quote from: Steve on Aug 07, 2013, 15:08:27
The allocation from IDNet is dynamic, although it can be made static at the router. My router, an ASUS RT-N66U, currently has no IPv6 firewall, although I could, with some teeth grinding, write one.

My ASUS RT-N66U now has a functioning IPv6 firewall, thanks to the latest Asuswrt-Merlin beta. It seems to work, judging by a port scanner; hopefully it will be in his next non-beta release.

http://ipv6.chappell-family.com/ipv6tcptest/. All the scanned IPv6 ports came up stealthed.
Steve