[TriLUG] IPv6 workshop

Greg Cox glcox at pobox.com
Fri Apr 15 19:38:57 EDT 2011


On Fri, 15 Apr 2011, matt at noway2.thruhere.net wrote:

> As was suggested in another post, a TriLUG meeting might be a good option.
> The only problem with them is that the time goes very quickly and I
> suspect that this may run over the allotted frame for the meetings.  I
> would guess 3-4 hours would be a fair time frame estimate, when you add
> everything up start to finish.  This could make for a long-er evening so
> we would need or want to start a little earlier, like 6pm or so if
> possible.

If only there were this non-real-time collaborative tool... like a list
that mail can go to....



I've been a big Negative Nancy on IPv6, but I've been trying to
read up on it and see where I can take it at home, and I'm just not
seeing the transition, so, I figure I'll just toss it out and see
if it's that I'm looking at it wrong, or what.

Setup: Cable modem to a gateway routing linux box which does the NAT.
The inside physical is 1 wire, but trunking 3 VLANs to the 'core'
switch, where the VLANs break out, one to the DMZ devices, one to the
insecure wireless (everything that has to run WEP, like the Nintendo
DS), and one to the semi-secure hosts (WPA2 wireless and desktops
that talk over copper).  The DMZ hosts things like the DNS, DHCP,
web, NTP, etc. resources, all running on ESXi.  iptables on the
gateway protects the crosstalk between the VLANs.


From what I can tell, most transition plans focus on dual stacks
with public IPs and getting you exposed to ipv6.google.com and
then sitting back and saying "woo."  But almost nobody is talking
about doing an internal transition to fdXX:XXXX:XXXX:XXXX::/64 and
translating you out to the world.  Now, I fully admit this is not
as sexy as fully embracing that whole openness thing.  However,
I have internal services that I would not want to expose to the
world, and a mindset that my island is 'safe'.  Now, we could argue
on the false sense of security and doing proper firewalls, but,
let's put that argument aside and consider that, for years, managers
have gotten the idea that a private network = secure.  So, even if
you're right, it's going to be a long time before the general world
comes around.  For all NAT's faults, many people have a good bit of
sunk work making a private network.  I don't know Hurricane Electric
or SixXS, and it seems silly to tie myself to them when it's a
dependency I don't need.

Should it change and I want to expose things by public IP (in the far
future when there's a real IPv6 intarwebz), it seems like it should
be more of just a routing change and exposing hosts, and ripping out
the existing firewall and putting in a 'real' one.

I guess what I'm saying is, I know my home, I know my hosts, and I can
control them.  And what I have isn't really that far removed from what
a lot of offices have: isolated islands, funneling to the outside.
Since I don't NEED to speak IPv6 to the world, I'd be fine with being
an island of IPv6 where:

* My gateway gets new 6-only VLANs.
* My gateway NATs 6 to 4 northbound, or possibly tunnels if someday I
get a 6 network and want my hypothetical kitchen appliances to be reachable.
* My services (internal web, internal DNS, etc) go dual stack or dual home.
* Slowly migrate willing hosts to 6.

On wikipedia, I see 10 current, 2 deprecated, and 4(5)? drafts under IPv6
transition mechanisms.  I'm suffering under the paradox of choice on HOW
to get to v6, to say nothing of my more fundamental question of IF it's
even necessary.  But since everyone keeps touting it as the last, best
hope for the survival of the Internet, I'll toss out my setup here and just
ask, "okay... now what?"  Am I looking at the problem badly?  Is there an
implementation that does what I want and I'm just not reading it?  Is it
wacky that I'm trying to work bottom-up instead of top-down?  Should I
abandon the idea of private islands because it's impossible?

Not trying to get people to "do my homework for me," but I'm getting
tired of v6 talk when I see little in transition plans that work with
the reality that (a) services beside ping still exist and (b) v6 to
the world just isn't that interesting yet.

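The "island" plan above has three concrete address-level pieces: picking the fdXX:XXXX:XXXX::/48 so it does not collide with anyone else's island if the networks are ever tunnelled together, carving one /64 per VLAN out of it, and mapping IPv4 destinations into the prefix a northbound NAT64 translator matches. The following is an added example written for this page, not code from the original post or from TriLUG; it implements the RFC 4193 Global ID algorithm (SHA-1 over 64-bit NTP time plus an EUI-64, keep the low 40 bits), uses the VLAN ID as the 16-bit subnet ID, and embeds IPv4 into the RFC 6052 well-known prefix 64:ff9b::/96. The VLAN IDs (10, 20, 30) and the MAC/time inputs used in the demo are constructed sample values, not anything from the poster's network.

```python
"""RFC 4193 ULA prefix generation, per-VLAN /64 carving, and RFC 6052
NAT64 address embedding for an IPv6 island that NATs northbound.
Added example; assumes nothing about the original poster's actual
VLAN numbering or hardware."""
import hashlib
import ipaddress
import time
import uuid

NTP_UNIX_OFFSET = 2208988800          # seconds from 1900-01-01 to 1970-01-01
NAT64_WKP = ipaddress.IPv6Network("64:ff9b::/96")   # RFC 6052 well-known prefix


def mac_to_eui64(mac: bytes) -> bytes:
    """Modified EUI-64 from a 48-bit MAC (RFC 4291 Appendix A):
    flip the universal/local bit of the first octet, insert ff:fe."""
    if len(mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]


def ula_global_id(ntp_time: int, eui64: bytes) -> int:
    """RFC 4193 section 3.2.2: SHA-1 over (64-bit NTP time || EUI-64),
    Global ID is the least significant 40 bits of the digest."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    key = ntp_time.to_bytes(8, "big") + eui64
    digest = hashlib.sha1(key).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_prefix(ntp_time: int, eui64: bytes) -> ipaddress.IPv6Network:
    """fc00::/7 with the L bit set (so fd00::/8) followed by the
    40-bit Global ID gives the site's /48."""
    gid = ula_global_id(ntp_time, eui64)
    prefix_int = (0xFD << 120) | (gid << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def generate_ula_prefix() -> ipaddress.IPv6Network:
    """Convenience wrapper using this host's clock and primary MAC."""
    now = time.time()
    secs = int(now) + NTP_UNIX_OFFSET
    frac = int((now - int(now)) * 2**32)
    ntp_time = (secs << 32) | frac            # 64-bit NTP timestamp
    mac = uuid.getnode().to_bytes(6, "big")   # may be a random node ID; RFC 4193 allows that
    return ula_prefix(ntp_time, mac_to_eui64(mac))


def vlan_subnet(prefix: ipaddress.IPv6Network, vlan_id: int) -> ipaddress.IPv6Network:
    """Carve the /64 for one VLAN out of the /48, using the 802.1Q VLAN ID
    as the 16-bit subnet ID so an address tells you which segment it is on."""
    if prefix.prefixlen != 48:
        raise ValueError("expected a /48 ULA prefix")
    if not 0 <= vlan_id < 2**16:
        raise ValueError("subnet ID must fit in 16 bits")
    return ipaddress.IPv6Network((int(prefix.network_address) | (vlan_id << 64), 64))


def nat64_embed(v4: str) -> ipaddress.IPv6Address:
    """RFC 6052 section 2.2: IPv4 address in the low 32 bits of 64:ff9b::/96.
    This is the IPv6 destination an island host uses to reach an IPv4 server."""
    return ipaddress.IPv6Address(int(NAT64_WKP.network_address) | int(ipaddress.IPv4Address(v4)))


def nat64_extract(v6: str) -> ipaddress.IPv4Address:
    """Inverse mapping, as the translator does it; anything outside the
    well-known prefix is not a NAT64 destination and is rejected."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in NAT64_WKP:
        raise ValueError(f"{addr} is not inside {NAT64_WKP}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


if __name__ == "__main__":
    site = generate_ula_prefix()
    print("site prefix:", site)
    # Constructed sample VLAN IDs for the three segments described in the post.
    for name, vid in (("dmz", 10), ("wep-wireless", 20), ("semi-secure", 30)):
        print(f"{name:13} {vlan_subnet(site, vid)}")
    print("8.8.8.8 via NAT64:", nat64_embed("8.8.8.8"))
```

Deriving the Global ID from a hash instead of hand-picking fd00::/48 is the whole point of RFC 4193: two islands that both chose fd00:: collide the day they are joined over a tunnel, while two hashed prefixes almost never do. The NAT64 helpers only show the address mapping; the gateway still needs a translator that owns 64:ff9b::/96 and a DNS64 resolver that synthesizes AAAA records for IPv4-only names, and the ip6tables policy between the three /64s has to be written separately, since the IPv4 rules do not carry over.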

