I’ve been playing around with IPv6 over the last few days; my ISP doesn’t give out IPv6 addresses yet, but thanks to Hurricane Electric I now have a /48 being routed straight to me. In theory I could subnet that /48 into 65536 subnets, each containing a ridiculous number of hosts.

This is a strange feeling after growing up with 1 routable IP address to somehow share across a whole network and having hundreds of NAT port forwards. It really should make life much easier.

But… there are a few implications. Previously, in many situations we have been able to rely on NAT as a reasonably effective firewall: an unsolicited inbound packet has no mapping in the translation table, so it simply has nowhere to go. NAT is excellent at that. Customer ADSL/cable routers will now need to have firewalls, which many don’t… and if they do have firewalls it is almost certain they won’t be managed properly.

So IPv6 end-to-end connectivity is all very well, but instead of managing port forwarding, people are now going to have to manage firewalls instead. By default I am sure they will be managed by UPnP, so you may as well not be running a firewall at all unless UPnP gets some security added.
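The kind of policy the post says a customer router now needs, as an added example rather than the author’s own configuration: a stateful nftables ruleset that gives IPv6 the same "outbound only, plus explicit exceptions" behaviour that NAT gave IPv4, with each exception written down instead of being opened by UPnP. Interface names `wan0`/`lan0` and the documentation prefix 2001:db8:abcd::/48 are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original post). Assumes the delegated /48 is
# 2001:db8:abcd::/48 (documentation prefix), WAN is wan0, LAN is lan0.
flush ruleset

table ip6 filter {
    chain input {
        # Traffic to the router itself: default deny.
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Neighbour discovery and error messages are mandatory in IPv6;
        # blocking all ICMPv6 breaks address resolution and PMTUD.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert,
                      destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem, echo-request } accept
        # Management only from the LAN side.
        iifname "lan0" accept
    }

    chain forward {
        # Traffic between LAN and internet: default deny, like NAT gave us.
        type filter hook forward priority 0; policy drop;
        # Replies to connections the LAN opened are allowed back in.
        ct state established,related accept
        ct state invalid drop
        # Same ICMPv6 error/diagnostic types must flow end to end.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem, echo-request } accept
        # LAN hosts may initiate anything outbound.
        iifname "lan0" oifname "wan0" accept
        # Inbound exceptions replace port forwards: one line per service,
        # to one named host, instead of a hole opened silently by UPnP.
        iifname "wan0" ip6 daddr 2001:db8:abcd:1::10 tcp dport 443 ct state new accept
        # Anything else arriving from wan0 falls through to the drop policy.
    }
}
```

Load with `nft -f` and check with `nft list ruleset`; a new host on the LAN is reachable from the internet only once a line like the port-443 one is added for it.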

Lastly, I realised IPv6 means you can no longer use the excuse of decreasing the size of broadcast domains when subnetting or using VLANs… It will now be about reducing the size of multicast domains, seeing as IPv6 uses multicast to replace the broadcast functions. I’m pretty sure that usually VLANs are more about security anyway than about broadcast domains.