The reason I prefer IPv6 over IPv4 NAT is it gives me the option to use the same ports on multiple hosts on my network. IPv4 NAT is quite crippling for some of us (who also happen to know how to manage our firewalls ;) ).
Yes of course NAT is a pain when doing special things, but for most internet users it is not a problem at all. Especially now that the internet has evolved from a peer-to-peer network into a traditional client-server network where a few big companies run all the services and the users connect only to there, even when they want to communicate with another user.
What I like about IPv6 is that it gives me out-of-band management of IPv4 networks. Yesterday I did a major restructuring of our AMPRnet-Internet gateway, where a MikroTik CCR has been added to the existing PC Linux solution to take over part of the services, and I could make all the network topology changes with confidence that I would not lock myself out, using IPv6. That is also handy when managing the very complicated IPv4 firewall.
In fact so many users have been completely accustomed to NAT that they even apply it to AMPRnet... Putting their systems on RFC1918 addresses and translating it to net-44 addresses in the router. I would not do that...
Rob
On 14/05/2017 8:24 PM, Rob Janssen wrote:
Yes of course NAT is a pain when doing special things, but for most internet users it is not a problem at all. Especially now that the internet has evolved from a peer-to-peer network into a traditional client-server network where a few big companies run all the services and the users connect only to there, even when they want to communicate with another user.
Yes, the general architecture of the Internet has changed for most people.
What I like about IPv6 is that it gives me out-of-band management of IPv4 networks. Yesterday I did a major restructuring of our AMPRnet-Internet gateway, where a MikroTik CCR has been added to the existing PC Linux solution to take over part of the services, and I could make all the network topology changes with confidence that I would not lock myself out, using IPv6. That is also handy when managing the very complicated IPv4 firewall.
Yes, I can see that being very handy. IPv6 topology tends to be less convoluted than IPv4. :)
In fact so many users have been completely accustomed to NAT that they even apply it to AMPRnet... Putting their systems on RFC1918 addresses and translating it to net-44 addresses in the router. I would not do that...
Urk, what a horrible solution!
I also like the idea I saw a few posts back of using IPv6 to carry AMPRnet IPv4 traffic where possible/desired. Would save me having to rely on putting the gateway in the DMZ of the router on IPv4. I've run native IPv6 for many years here.
I would be cautious about IPv6. Bill and Rob brought some very good points. Also, the ISP Hurricane Electric offers a free certification course if anyone wishes to further pursue IPv6. With ransomware, I advise keeping regular timed cloud backups or regularly updated offline copies. The local network of my operations center at work was hit by an engineer hitting a link. Due to our 1Gbps connection (and that he had the drive set to mount persistently, which is very common, especially in Windows), our file server was encrypted in less than an hour. Restoring the drive was my only option. We only lost data the engineer didn't save on the file server and recent edits to files-in-use. *Lastly, RULE No. 1 - under no circumstances pay a ransomware developer, and RULE No. 2 - if you weren't prepared for that, remember Rule No. 1. There is still 0% guarantee that the developer will in fact provide you a key for the money spent, and in some jurisdictions, paying a criminal is a crime.*
I recall when I first started working with AMPR and IPv6, I used a DD-WRT router with IPv6 routing daemons, etc; but it did not have ip6tables. Other routers had no way of manipulating ip6tables in the GUI. This meant you had to figure out how to make a persistent IPv6 firewall script, if possible. Over time, I've found various quirks with IPv6 implementations in devices. I believe some of the earlier versions of OpenWRT also lacked ip6tables installed by default (meaning, it was not installed unless it's made a dependency of the IPv6 packages). In some, RA worked, but DHCPv6 was not implemented. In some earlier PCs, IPv6 privacy is not implemented at all, or (as in Ubuntu) not enabled by default. It was interesting how my search for an IPENCAP-capable router aligned with my search for an IPv6-ready router as well.
I currently have a Verizon FiOS device that was provided by my ISP, and I noted in the past that they can somehow access my device (and remove the IPENCAP forward rule) and in addition that IPv6 appears unfiltered, or leaves various ports open (none of which are documented). Lastly, there is no IPv6 firewall to edit in the GUI; and they offer no documentation on navigating the CLI of their device (it's probably an added feature only to allow SSH tunneling and perhaps as a failsafe for resetting and rebooting the device). Luckily, I provide my IPv6 tunnel, and it's not via my ISP.
I solved this by placing my LEDE as the border router with my ISP, the Verizon device is downstream (with IPv4 IGMPproxy enabled on its interface, something else not noted in Verizon's Bring-your-own-device documentation). In fact, Verizon never notes that they use IGMP whatsoever, you may wish to check if your devices are sending multicast requests upstream to your ISP. It appears they send firmware updates and television listings via this method.
73,
- Lynwood KB3VWG
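The persistent IPv6 firewall script Lynwood describes having to work out, as an added example that is not from this thread or any poster: a stateful ip6tables ruleset in ip6tables-restore format that drops unsolicited inbound traffic (the unfiltered state reported on the ISP device) while still passing the ICMPv6 types IPv6 cannot work without. The uplink interface name `he-ipv6` and the rules file path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a stateful ip6tables ruleset in
# ip6tables-restore format, so it can be saved to disk and reloaded at boot
# (e.g. from /etc/firewall.user on OpenWrt/LEDE). Interface name is assumed.
WAN6="${WAN6:-he-ipv6}"                  # assumed uplink: an HE tunnel interface
RULES_FILE="${RULES_FILE:-/etc/ip6tables.rules}"

# Emit the ruleset. Kept in a function so it can be reviewed before applying.
gen_ip6_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMPv6 is not optional: neighbour discovery, RAs and packet-too-big (PMTU)
# must pass or the link silently breaks. hl 255 = link-local origin only.
-A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 10/s -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
# DHCPv6 client replies (link-local) and SSH from the LAN side only
-A INPUT -p udp --dport 546 -j ACCEPT
-A INPUT ! -i $WAN6 -p tcp --dport 22 -j ACCEPT
# Forward only LAN-originated flows, their replies, and PMTU signalling
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD ! -i $WAN6 -o $WAN6 -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
COMMIT
EOF
}

# Self-check: number of rules accepting NEW tcp/udp from the uplink. Must be 0.
count_wan_inbound() {
  gen_ip6_rules | grep -cE -- "^-A INPUT -i $WAN6 -p (tcp|udp).* -j ACCEPT" || true
}
# Persist the ruleset and load it when running as root with ip6tables present.
install_rules() {
  gen_ip6_rules > "$RULES_FILE"
  if [ "$(id -u)" = 0 ] && command -v ip6tables-restore >/dev/null 2>&1; then
    ip6tables-restore < "$RULES_FILE"
  fi
}
```

Run `gen_ip6_rules` first to review the output, then `install_rules` as root; on OpenWrt/LEDE the same call can go in /etc/firewall.user so it survives a reboot.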
Thankfully, IPv6 won't require updates for a lot of the *NOS software and older Linux versions being used at gateways
In fact so many users have been completely accustomed to NAT that they even apply it to AMPRnet... Putting their systems on RFC1918 addresses and translating it to net-44 addresses in the router. I would not do that...
All,
An update, on Monday, the President's Homeland Security advisor announced that they are 'NOT AWARE OF ANY PAYMENTS THAT HAVE LED TO DATA RECOVERY.'
A video of it can be found here, around the 4 minute mark: https://www.c-span.org/video/?428528-3/washington-journal-catherine-lotriont...
73,
Lynwood KB3VWG
*Lastly, RULE No. 1 - under no circumstances pay a ransomware developer, and RULE No. 2 - if you weren't prepared for that, remember Rule No. 1. There is still 0% guarantee that the developer will in fact provide you a key for the money spent, and in some jurisdictions, paying a criminal is a crime.*
On Sun, 14 May 2017 12:24:10 +0200, Rob Janssen pe1chl@amsat.org said:
In fact so many users have been completely accustomed to NAT that they even apply it to AMPRnet... Putting their systems on RFC1918 addresses and translating it to net-44 addresses in the router. I would not do that...
Some consumer quality routers assume that all LAN addresses *MUST* be in an RFC1918 range, e.g., 192.168.n.n. The routers usually allow the user to set the third octet, but not the first or second, and they reserve the last octet for DHCP and/or local fixed addresses. IIRC, most allow the user to set the subnet mask's last octet too, but that's as much flexibility as users get.
Sometimes, the same restrictions apply to the other devices on the LAN, especially printers, and so it's often easier to put a 44net address on the "WAN" side of a router and do NAT.
Bill, W4EWH