[rhelv6-list] IPv6 adoption with RHEL6 (and GNU/Linux in general)
Matthias Saou
thias at spam.spam.spam.spam.spam.spam.spam.egg.and.spam.freshrpms.net
Wed Jan 12 13:22:25 UTC 2011
Hi,
Every once in a while, someone important comes up with a scary story
about IPv4 space exhaustion. So far so good, raising awareness about
this issue is positive.
Then people get all hyped up about IPv6. Cool, lots of techies and
geeks like me love toying with new things, and IPv6 is not too hard to
understand nor implement.
But then everyone realizes that IPv6 will only be really useful once
everyone has it and everyone is reachable from any IPv6-only connected
host. This leads to two possible behaviors :
* One just thinks "I'll look at IPv6 once everyone else already has,
since there is no point in doing it sooner."
* Or one thinks "I'll implement new IPv6 networks on top of our
existing IPv4 networks, get it all dual-stacked, and hopefully
contribute to bootstrapping the whole IPv6 adoption."
I'm from that second group. I've learned what I need to know about
IPv6 and did quite a bit of testing. But I've never managed to get IPv6
into production on any of the infrastructures I manage.
Why? ip6tables doesn't support NAT. It's that simple.
I know the reasons for the lack of NAT support, which are given over and
over again. But here is my real world issue with them :
All of the networks I manage have at least one or more points where
multiple hosts are connected with a single network interface to a
network which is not routed to the outside, but translated instead.
Some other hosts have two interfaces and are connected to both this
private/internal network and to another where they have routable IPv4
addresses.
Given the above :
* It would be trivial to define a 1:1 mapping between existing IPv4
networks and new IPv6 networks (both routable and private) *IF* I
could just copy and slightly adapt all iptables rules to ip6tables
rules.
* It is *NOT* trivial to rethink the entire network topology in order
to have all hosts with IPv6 and no NAT at all : IPv6 routing is
needed where no IPv4 routing was present (only translation), and
existing hosts which were previously unreachable from the Internet
would become reachable by default through IPv6, creating new
annoyances such as ssh hammering, requiring inbound filtering where
none was previously needed.
My personal conclusion is that while netfilter developers have a point
in not wanting to implement NAT for IPv6 in order to get a cleaner and
more routable Internet, sys/netadmins like me relying heavily on
GNU/Linux would have deployed IPv6 already if easy 1:1 scenarios for
typical infrastructures were available.
I'd be curious to know what others think of this, read experiences, from
the Enterprise side. Did you already deploy IPv6 on existing RHEL-based
infrastructures? Onto new infrastructures? How do you deal with
existing IPv4 NAT situations?
Matthias
--
Clean custom Red Hat Linux rpm packages : http://freshrpms.net/
Fedora release 14 (Laughlin) - Linux kernel 2.6.35.10-72.fc14.x86_64
Load : 0.00 0.04 0.13
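
Added example, not part of the original message: one way to keep inside hosts unreachable from the Internet over IPv6 without NAT, using a stateful default-deny FORWARD policy on the router, with explicit pinholes where IPv4 used DNAT port forwards. The function name, the interface names and the 2001:db8:: address used with it are assumptions made for illustration; the function only prints the ip6tables commands so they can be reviewed before being run.

```shell
#!/bin/sh
# Added example (not from the original post). Prints ip6tables commands for a
# router so that inside hosts stay unreachable from outside, as they were
# behind IPv4 NAT, without translating any address.
# Usage: gen_ip6_forward_policy INSIDE_IF OUTSIDE_IF [proto,addr,port ...]
gen_ip6_forward_policy() {
    [ $# -ge 2 ] || { echo "usage: INSIDE_IF OUTSIDE_IF [proto,addr,port ...]" >&2; return 1; }
    inside_if=$1 outside_if=$2
    shift 2
    # Reject anything that is not a plain interface name before it reaches a rule.
    for ifc in "$inside_if" "$outside_if"; do
        case $ifc in
            ''|*[!A-Za-z0-9._-]*) echo "bad interface: $ifc" >&2; return 1 ;;
        esac
    done
    [ "$inside_if" != "$outside_if" ] || { echo "interfaces must differ" >&2; return 1; }
    # Validate every pinhole before printing anything, so output is all-or-nothing.
    for spec in "$@"; do
        proto=${spec%%,*} rest=${spec#*,}
        addr=${rest%%,*} port=${rest#*,}
        case $proto in tcp|udp) ;; *) echo "bad proto: $spec" >&2; return 1 ;; esac
        case $addr in ''|*[!0-9A-Fa-f:]*) echo "bad address: $spec" >&2; return 1 ;; esac
        case $port in ''|*[!0-9]*) echo "bad port: $spec" >&2; return 1 ;; esac
    done
    # Default deny for routed traffic; the flush replaces any existing FORWARD rules.
    echo "ip6tables -P FORWARD DROP"
    echo "ip6tables -F FORWARD"
    # Replies to connections opened from the inside, plus related ICMPv6 errors.
    echo "ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # IPv6 routers never fragment, so path MTU discovery depends on Packet Too Big.
    echo "ip6tables -A FORWARD -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT"
    # Inside hosts may open new connections outward, the way they did through NAT.
    echo "ip6tables -A FORWARD -i $inside_if -o $outside_if -m state --state NEW -j ACCEPT"
    # Explicit pinholes take the place of former IPv4 DNAT port forwards.
    for spec in "$@"; do
        proto=${spec%%,*} rest=${spec#*,}
        addr=${rest%%,*} port=${rest#*,}
        echo "ip6tables -A FORWARD -i $outside_if -o $inside_if -d $addr -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
}
```

For example, `gen_ip6_forward_policy eth1 eth0 tcp,2001:db8:1::10,22` (constructed values) prints six commands, the last of which is the only rule accepting new connections arriving on eth0.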