IPv6
One of the problems that the Internet faces is the shortage of public IP addresses for accessing the Internet. As of January 1, 2007, 2.4 billion IPv4 addresses were in use. 1.3 billion were still available and about 170 million new addresses are given out each year. So at this rate, 7.5 years from now, we’ll be clean out of IP addresses.
This presents a problem for assigning addresses to devices to allow communications and some type of solution was needed.in 1991, work was initiated on a next generation internet protocol. This work resulted in a new address space, IPv6.
IPv6 is a new version of IP that is increasingly being deployed.However, a lot of manpower and money is required to covert from IPv4 to IPv6 and as a short-term solution, IETF (The Internet Engineering Task Force) defined two standards: RFC 1918 and 1631.These standards set aside a range of public IP addresses and allow anyone to use them.
Internet addressing growth map
Although IPv6’s internal format and address length differ from those of IPv4, many other features remain the same—and some of these are relevant to firewalls.
For the features that are the same between IPv4 and IPv6, firewalls should work the same. For example, blocking all inbound and outbound traffic that has not been expressly permitted by the firewall policy should be done regardless of whether or not the traffic has an IPv4 or IPv6 address.
As of this writing, some firewalls cannot handle IPv6 traffic at all; others are able to handle it but have limited abilities to filter IPv6 traffic; and still others can filter IPv6 traffic at the same level or quality used for IPv4 traffic. Every organization that has any IPv6 traffic coming into its internal network needs a firewall that is capable of filtering this kind of traffic.
These firewalls should have the following capabilities:
- The firewall should be able to use IPv6 addresses in all filtering rules that use IPv4 addresses.
- The administrative interface should allow administrators to clone IPv4 rules to IPv6 addresses to make administration easier.
- If the firewall can filter based on DNS lookup of domain names, it needs to use AAAA (IPv6 address records) records in the same way as A records (those used for IPv4 addresses).
- The firewall needs to be able to filter ICMPv6.
- Many sites tunnel IPv6 packets in IPv4 packets. This is particularly common for sites experimenting with IPv6, because it is currently much easier to obtain IPv6 transit from a tunnel broker through a v6-to-v4 tunnel than to get native IPv6 transit from an Internet service provider (ISP).
A number of ways exist to do this, and standards for tunneling are still evolving. If the firewall is able to inspect the contents of IPv4 packets, it needs to know how to inspect tunneled traffic for any tunneling method used by the organization. A corollary to this is that if an organization is using a firewall to prohibit IPv6 coming into or going out of its network, that firewall needs to recognize and block all forms of v6-to-v4 tunneling.
For firewalls that permit IPv6 use, traffic with invalid source or destination IPv6 addresses should always be blocked—this is similar to blocking traffic with invalid IPv4 addresses. Since much more effort has been spent on making lists of invalid IPv4 addresses than on IPv6 addresses, finding lists of invalid IPv6 addresses can be difficult.
Also, IPv6 allows network administrators to allocate addresses in their assigned ranges in different ways. This means that in a particular address range assigned to an organization, there can literally be trillions of invalid IPv6 addresses and only a few that are valid. By necessity, listing which IPv6 addresses are invalid will have to be less fine-grained than listing invalid IPv4 addresses, and the firewall rules that use these lists will be less effective than their IPv4 counterparts.
Update: Between April 15-16 at Shangri-la Hotel Beijing was successfully hold the Global IPv6-Next Generation Internet & Mobile Internet Summit.
12 Responses to “IPv6”
How to turn on the Firewall in Windows XP for a wireless network ?
1. Right-click the wireless connection icon in the notification area at the right of the taskbar.
2. Choose View Available Wireless Networks.
3. On the left side of the dialog box, click Change Order of Preferred Networks.
4. Select the Advanced tab, and beneath Windows Firewall, click Settings.
5. Click the On button to enable the firewall, then choose the Exceptions tab and configure any exceptions that you want to allow.
6. Click OK to exit this dialog box and OK to exit the earlier dialog boxes.
How to turn off IPv6 in openSUSE ?
1. Click the launcher on the desktop and choose Applications.
2. Choose System.
3. Choose Administrator Settings. This choice starts YaST2.
4. Choose Network Devices.
5. Choose Network Settings. The Network Settings dialog box appears and defaults to the Overview tab. Click the Global Options tab.
6. Beneath IPv6 Protocol Settings, uncheck the Enable IPv6 box.
7. A warning appears that tells you that a reboot is needed to apply this change. Click OK.
8. Click Finish.
9. Exit YaST2.
10. Reboot the workstation
What was the motivation for the development of IPv6 ?
the predicted depletion of the IPv4 address space due to the unanticipated increase in the Internet’s popularity and use
What is the difference between IPV4 and IPV6 ?
1) an IPv6 address is 128 bits, as opposed to the 32 bits in an IPv4 address
2) IPsec is a mandatory part of any IPv6 implementation
3) the IP header is different
What are the extension headers for IPV6 ?
1) hop-by-hop header
2) routing header
3) routing header
4) destination options header
What are the composite fields of the IPv6 header ?
1) Version identifies the header as an IPv6 header.
2) Traffic Class specifies whether the packet should receive special delivery treatment as it traverses the Internet.
3) Flow Label identifies a group of packets as members of a group requiring special processing by intermediate routers.
4) Payload Length is the IPv6 payload length
interesting post
a very good article about IPv6