[rhelv6-list] IPv6 adoption with RHEL6 (and GNU/Linux in general)

Matthias Saou thias at spam.spam.spam.spam.spam.spam.spam.egg.and.spam.freshrpms.net
Wed Jan 12 13:22:25 UTC 2011 

Hi,

Every once in a while, someone important comes up with a scary story
about IPv4 space exhaustion. So far so good, raising awareness about
this issue is positive.

Then people get all hyped up about IPv6. Cool, lots of techies and
geeks like me love toying with new things, and IPv6 is not too hard to
understand nor implement.

But then everyone realizes that IPv6 will only be really useful once
everyone has it and everyone is reachable from any IPv6-only connected
host. This leads to two possible behaviors :

 * One just thinks "I'll look at IPv6 once everyone else already has,
   since there is no point in doing it sooner."
 * Or one thinks "I'll implement new IPv6 networks on top of our
   existing IPv4 networks, get it all dual-stacked, and hopefully
   contribute to bootstraping the whole IPv6 adoption."

I'm from that second group. I've learned what I need to know about
IPv6 and did quite a bit of testing. But I've never managed to get IPv6
into production on any of the infrastructures I manage.

Why? ip6tables doesn't support NAT. It's that simple.

I know the reasons for the lack of NAT support, which are given over and
over again. But here is my real world issue with them :
All of the networks I manage have at least one or more points where
multiple hosts are connected with a single network interface to a
network which is not routed to the outside, but translated instead.
Some other hosts have two interfaces and are connected to both this
private/internal network and to another where they have routable IPv4
addresses.

Given the above :
 * It would be trivial to define a 1:1 mapping between existing IPv4
   networks and new IPv6 networks (both routable and private) *IF* I
   could just copy and slightly adapt all iptables rules to ip6tables
   rules.
 * It is *NOT* trivial to rethink the entire network topology in order
   to have all hosts with IPv6 and no NAT at all : IPv6 routing is
   needed where no IPv4 routing was present (only translation), and
   existing hosts which were previously unreachable from the Internet
   would become reachable by default through IPv6, creating new
   annoyances such as ssh hammering, requiring inbound filtering where
   none was previously needed.

My personal conclusion is that while netfilter developers have a point
in not wanting to implement NAT for IPv6 in order to get a cleaner and
more routable Internet, sys/netadmins like me relying heavily on
GNU/Linux would have deployed IPv6 already if easy 1:1 scenarios for
typical infrastructures were available.

I'd be curious to know what others think of this, read experiences, from
the Enterprise side. Did you already deploy IPv6 on existing RHEL-based
infrastructures? Onto new infrastructures? How do you deal with
existing IPv4 NAT situations?

Matthias

-- 
Clean custom Red Hat Linux rpm packages : http://freshrpms.net/
Fedora release 14 (Laughlin) - Linux kernel 2.6.35.10-72.fc14.x86_64
Load : 0.00 0.04 0.13

More information about the rhelv6-list mailing list