michael.dillon at bt.com
Fri Oct 26 15:02:10 EDT 2007

> The pieces I have not yet seen are:
> -- Firewalls -- With IPv4, the firewall rules are built in 
> terms of IP addresses. Will IPv6 firewalls do something 
> similar or will there be a single place to specify a prefix?

Linux iptables has had IPv6 support since 2001 so I can't believe it is
so hard to find a v6 firewall. Since it can be configured by shell
script it is trivial to specify the prefix in one place. If your issues
are with the management interface on commercial firewalls, then you can
either implement a Linux firewall, or hammer your favourite vendor to
fix their broken system.

> -- Intrusion Detection & Network monitoring appliances -- is 
> it (or will it be possible) to specify an IPv6 prefix 
> someplace rather than embedding the entire IP address in rules?

Same thing as above. This is trivial to implement and since the IETF
guidelines state that all end sites will receive a /48 in order to
simplify renumbering, then vendors of IPv6 products really should make
it easy to *ADD* additional prefixes to the same ruleset, and *REMOVE* a
prefix from a ruleset. Remember that IPv6 renumbering is done by adding
a prefix so that all interfaces have two IPv6 addresses during a
transition time period, then removing the old prefix.

> -- VPNs -- How do I change an IP on a VPN link if I don't 
> control the other end?  What if I do control the other end, 
> but it is remote?

This is a management system problem. Again solvable by demanding your
vendors make it so.

> -- If /48 prefix changes, will my customers/vendors/etc. 
> require another security audit?

Seems overkill to do a security audit if all you are doing is a managed
renumbering. I would suggest that you test your IPv6 renumbering process
from the beginning, document the process, and then include a test of
this process as part of the first IPv6 security audit.

> I'm sceptical that the technology exists today to easily 
> renumber a business network if a /48 prefix changes.

It does exist if you use Linux or *BSD boxes for firewall functions etc.
If commercial vendors have not yet implemented, it is not because of a
lack of technology.

--Michael Dillon
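As an added illustration of the "prefix in one place" approach Michael describes (this is example code, not part of his post or any vendor's product): a POSIX shell sketch that keeps the site's /48 prefixes in one variable, derives the whole ip6tables-restore ruleset from it, and walks through a renumbering as add-new-prefix, run dual, remove-old-prefix. The prefixes are constructed documentation addresses (2001:db8::/32), and the rule layout is an assumed minimal one.

```shell
#!/bin/sh
# Added example (not from the original post): keep the site's IPv6 prefixes in one
# variable and generate the whole ip6tables ruleset from it, so renumbering is
# "add the new /48, run with both, drop the old /48" rather than editing rules by hand.
# Prefixes are constructed documentation addresses (2001:db8::/32), not real ones.

SITE_PREFIXES="2001:db8:1::/48"

# add_prefix LIST PREFIX: print LIST with PREFIX appended (no duplicates).
add_prefix() {
    for p in $1; do
        [ "$p" = "$2" ] && { printf '%s\n' "$1"; return 0; }
    done
    printf '%s\n' "${1:+$1 }$2"
}

# remove_prefix LIST PREFIX: print LIST without PREFIX.
remove_prefix() {
    out=""
    for p in $1; do
        [ "$p" = "$2" ] || out="$out $p"
    done
    printf '%s\n' "${out# }"
}

# emit_ruleset LIST: print a complete ip6tables-restore filter table that forwards
# only traffic sourced from the listed prefixes, plus replies back to them.
emit_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # ICMPv6 must pass or neighbour discovery (and hence renumbering) breaks.
    printf '%s\n' '-A INPUT -p ipv6-icmp -j ACCEPT' \
                  '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in $1; do
        printf '%s\n' "-A FORWARD -s $p -j ACCEPT" \
                      "-A FORWARD -d $p -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Renumbering walk-through: old /48 only, then both, then new /48 only.
# Load any stage with:  emit_ruleset "$SITE_PREFIXES" | ip6tables-restore
SITE_PREFIXES=$(add_prefix "$SITE_PREFIXES" "2001:db8:2::/48")    # transition: two prefixes
SITE_PREFIXES=$(remove_prefix "$SITE_PREFIXES" "2001:db8:1::/48") # transition finished
emit_ruleset "$SITE_PREFIXES"
```

The same list variable can feed IDS or monitoring configuration templates, which is the "single place to specify a prefix" the questioner asked about.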

