DNS - IPv6
-
Who if anyone uses, I mean really uses IPv6?
What did you use as a guide for setup?
Should your servers be setup with static IPv6 addresses? -
@Dashrender said:
Should your servers be setup with static IPv6 addresses?
I generally setup my servers with DHCP reservations and not static addresses. Just makes life easier in the long run.
I don't use IPv6.
-
@coliver do you disable it?
-
@Dashrender said:
@coliver do you disable it?
At my last location I didn't, here it is part of a group policy.
-
Disabling IPv6 was a trend for quite some time, but my feeling is like that mostly went away a few years ago. Have never looked into why but I think that it is pretty common to just leave it on now, even for places that are not using it.
-
We don't use DHCP 6, we just don't have that many devices.
We'd also have to upgrade all of our printers, as currently the ones we have only support IPv4.
Otherwise we'd have a rather flat network if we ran IPv6. Compared to the 5 subnets we have.
-
@DustinB3403 said:
We don't use DHCP 6, we just don't have that many devices.
That's not the purpose of IPv6.
-
@DustinB3403 said:
Otherwise we'd have a rather flat network if we ran IPv6. Compared to the 5 subnets we have.
Why not going to a single subnet with IPv4 now?
-
But it is.
Because of the trillions of devices in the world requiring an IP Address IPv6 was developed. It could certainly be used in a work environment for the same reasons.
Simplicity in deployment of new devices.
-
@DustinB3403 said:
But it is.
Because of the trillions of devices in the world requiring an IP Address IPv6 was developed. It could certainly be used in a work environment for the same reasons.
No business or even government is close to the size that IPv4 offers. IPv6 is only larger on the global scale, it doesn't change the size that a business can go to.
-
@DustinB3403 said:
Simplicity in deployment of new devices.
Not significantly. Since you can go to any size with IPv4 and can use DHCP the same in either case, you do not gain anything in network deployments from IPv6.
Where IPv6 is important is that it allows you to drop NAT and have public addresses, rather than private, for every host on the network.
-
@Reid-Cooper said:
Where IPv6 is important is that it allows you to drop NAT and have public addresses, rather than private, for every host on the network.
Personal preference for myself is that I would not drop NAT if my networks used IPv6 internally. I like that very much as a layer of security for protecting my end-user machines from being exposed directly to all the nasties on the public internet.
-
NAT does not really add any specific protection. Your firewall does what you describe, not the NAT.
-
Moving away from NAT is a core drive for IPv6. I'm doubtful that NAT devices will even be offered. IPv6 is designed specifically to not have NAT any longer.
-
@dafyre said:
@Reid-Cooper said:
Where IPv6 is important is that it allows you to drop NAT and have public addresses, rather than private, for every host on the network.
Personal preference for myself is that I would not drop NAT if my networks used IPv6 internally. I like that very much as a layer of security for protecting my end-user machines from being exposed directly to all the nasties on the public internet.
I don't think your devices will be any more visible on the internet then they were before. Everything would still go through a firewall or router.
-
@coliver said:
@dafyre said:
@Reid-Cooper said:
Where IPv6 is important is that it allows you to drop NAT and have public addresses, rather than private, for every host on the network.
Personal preference for myself is that I would not drop NAT if my networks used IPv6 internally. I like that very much as a layer of security for protecting my end-user machines from being exposed directly to all the nasties on the public internet.
I don't think your devices will be any more visible on the internet then they were before. Everything would still go through a firewall or router.
Exactly, still firewalled and blocked from the Internet twice, at a minimum, once at the network edge firewall device and a second time on the per-device firewalls running on every OS.
But it makes the network a lot more powerful. Things like VoIP's RTP protocol and FTP will "just work" instead of having all of the weird NAT traversal issues that they have today. And no more port forwarding, just port opening. Every network can host as many services as it wants instead of having to have crazily complex rules to map many public IPs to many private IPs that have no correlation with one another.
-
NAT is just address translation doesn't do any blocking your firewall does that. Just because you know where somethings at doesn't mean you get in. It's like saying you are granted access to a building just because you know the address.
We use some NAT internally but I hate it. But when you do lots of mergers it comes with the territory you can't go re-scoping everything and breaking stuff right away.
-
@Jason said:
NAT is just address translation doesn't do any blocking your firewall does that. Just because you know where somethings at doesn't mean you get it. It's like saying you are granted access to a building just because you know the address.
We use some NAT internally but I hate it. But when you do lots of mergers it comes with the territory you can't go re-scoping everything and breaking stuff right away.
That's for later?
-
@coliver said:
@Jason said:
NAT is just address translation doesn't do any blocking your firewall does that. Just because you know where somethings at doesn't mean you get it. It's like saying you are granted access to a building just because you know the address.
We use some NAT internally but I hate it. But when you do lots of mergers it comes with the territory you can't go re-scoping everything and breaking stuff right away.
That's for later?
The rescoping yes, the breaking hopefully not, we get to know the systems and how they are setup more fully (but still possible.)
-
@DustinB3403 said:
Otherwise we'd have a rather flat network if we ran IPv6. Compared to the 5 subnets we have.
I also have several subnets. But considering what I know today, I'm looking to move to a single /23 or /22. Because of switches you don't have to worry about 1000 devices being in the same subnet anymore. Sure broadcast storm could bring you down, so you have to fix those quickly, but you'd have to anyway.
I'm not looking forward to reworking my network for a /22 though, ug!
At least I only have around 200 devices. 4/5's are DHCP, but the darn phones is the biggest pain, currently not DHCP.
