
IPv6 on my Zyxel P-660HW-D1?


Alfred E Neuman

Jun 8, 2012, 7:13:57 AM
A press release on the Zyxel website (http://us.zyxel.com/info/ipv6/) suggests
updates are available for the P660 routers, presumably including my P-660HW-D1,
to support IPv6.

As usual with Zyxel, finding out what I actually need is a nightmare. Has
anyone out there successfully updated a P-660HW-D1 to IPv6 or something
similar? If so, which firmware should I use?

Alfred E Neuman

Jun 8, 2012, 7:59:16 AM
Of course that should have read: "Has anyone out there successfully updated a
P-660HW-D1 or something similar to IPv6?"

Dave Liquorice

Jun 8, 2012, 8:51:11 AM
On Fri, 08 Jun 2012 12:13:57 +0100, Alfred E Neuman wrote:

> A press release on the Zyxel website (http://us.zyxel.com/info/ipv6/)
> suggests updates are available for the P660 routers, presumably
> including my P-660HW-D1, to support IPv6.

I wouldn't hold your breath; all I can find for the P-660HW-D1 is:

Firmware - P-660HW-D1 - v23.40(ATA.0)C0 - N/A - April 26, 2007

Note the date... I think the IPv6 stuff will only be for their
current products. If their website would function without javascript
I'd be able to tell if that is a current model from:

http://www.zyxel.com/products_services/p_660hw_series.shtml?t=p

--
Cheers
Dave.



Alfred E Neuman

Jun 8, 2012, 9:15:58 AM
Thanks, but that web page only goes up as far as the -T1 v2, and none of the
specifications mention IPv6.

I really like the configurability of the Zyxel routers so I'd be reluctant to
change, but I suppose I'll have to migrate to IPv6 sooner or later.

Dave Liquorice

Jun 8, 2012, 11:12:23 AM
On Fri, 08 Jun 2012 14:15:58 +0100, Alfred E Neuman wrote:

> Thanks, but that web page only goes up as far as the -T1 v2, and none of
> the specifications mention IPv6.

It'll be in the "readme" of any firmware update but I doubt they'll
do it for their "legacy" products only the current ones.

> I suppose I'll have to migrate to IPv6 sooner or later.

I'm half looking at what is going on but I think it will be a while
yet before consumer grade kit has it as standard. There is some
consumer grade stuff out there but still a bit buggy IMHO. And TBH I
don't know enough about IPv6 to trust the window boxes on the LAN
here to not be exposed directly to the internet. They are behind two
layers of NAT currently...

--
Cheers
Dave.



Jim Howes

Jun 8, 2012, 11:18:02 AM
On 08/06/2012 14:15, Alfred E Neuman wrote:
> Dave Liquorice wrote:
>> http://www.zyxel.com/products_services/p_660hw_series.shtml?t=p
>
> Thanks, but that web page only goes up as far as the -T1 v2, and none of
> the specifications mention IPv6.
You got me all excited for a moment there, but I note that

A) Searching for 'ALL' items for the P-660HW-T1 v2 doesn't show any firmware
B) Searching for 'Firmware' items for that model does show firmware, but
it's way too old to be a recent release (June 1 2011)
and
C) There is an 'IPv6' link in the left hand navigation panel which yields
a 404.

"The IPv6 employs a 128-bit system, rather then IPv4’s 32-bit, to
provide approximately 340 trillion unique addresses for users all over
the world.".
Hmm. 2^128 = approx 340 trillion trillion, but not all IPv6 addresses are
usable as 'unique addresses for users all over the world'.
I'll wait for a further indication that clue has arrived before I try
looking for firmware for my P660HW-T1 v2 again.

Dave Saville

Jun 8, 2012, 11:41:03 AM
On Fri, 8 Jun 2012 13:15:58 UTC, Alfred E Neuman <nos...@invalid.uk>
wrote:
Same here - one of the P660s is still current but it's damn impossible
to get them to tell you which - I tried :-(
--
Regards
Dave Saville

Alfred E Neuman

Jun 8, 2012, 12:27:54 PM
Dave Liquorice wrote:
> I'm half looking at what is going on but I think it will be a while
> yet before consumer grade kit has it as standard. There is some
> consumer grade stuff out there but still a bit buggy IMHO. And TBH I
> don't know enough about IPv6 to trust the window boxes on the LAN
> here to not be exposed directly to the internet. They are behind two
> layers of NAT currently...

Is there not anything like NAT available in IPv6? Surely it must be possible to
give computers on a LAN local addresses which are translated to global ones at
one gateway/firewall point, rather than forcing every computer in the world to
have a globally-accessible address. That would be a major step backwards for
security and privacy.

Dave Saville

Jun 8, 2012, 2:14:00 PM
On Fri, 8 Jun 2012 16:27:54 UTC, Alfred E Neuman <nos...@invalid.uk>
wrote:
I don't think so. The plus side is that there are so many protocols
these days, SIP for one, that just don't want to play with NAT. There
are various kludges but with IPV6 they just work. After all - all one
needs is a proper firewall and there is no problem.

--
Regards
Dave Saville

David Woolley

Jun 8, 2012, 3:01:14 PM
I got my first UCE from them recently, so I suspect they are in a
position where they are not able to spend on products that are not
earning them revenue, even if, in the longer term, people begin to doubt
their long term commitment to their products.

Dave Liquorice

Jun 8, 2012, 3:13:51 PM
On Fri, 8 Jun 2012 18:14:00 +0000 (UTC), Dave Saville wrote:

>> Is there not anything like NAT available in IPv6?

Donno but what I know about IPv6 could be written on a Large stamp in
6pt type...

>> Surely it must be possible to give computers on a LAN local addresses
>> which are translated to global ones at one gateway/firewall point,
>> rather than forcing every computer in the world to have a
>> globally-accessible address. That would be a major step backwards for
>> security and privacy.

As I understand it when you get an IPv6 address you get a whole block
of 'em, not just a single one as is the norm with IPv4 (and that
single one can often be dynamic). Some enlightened ISPs, such as A&A,
can (could?) give you a block of IPv4 addresses but that is more of
the exception than the rule.

A&A offer the option of a /64 or /60 IPv6 address. The /60 gives you
16 /64 subnets. A single /64 subnet gives you
18,446,744,073,709,551,616 hosts, should be enough for most homes
B-)

You then have control, via your firewall, over which of those /64 (or /60)
addresses are actually visible to the big nasty internet. Each is
technically a global address but that doesn't mean that traffic can
actually reach it.

> I don't think so. The plus side is that there are so many protocols
> these days, SIP for one, that just don't want to play with NAT.

NAT is an abortion when it comes to doing things properly or running
servers or things that require direct access to the net, like SIP.
For most home users NAT isn't a problem as virtually everything is
originated within the LAN and the NAT box can spot the outgoing
packets and route the corresponding responses to the right place in
the LAN.

> After all - all one needs is a proper firewall and there is no problem.

That is the problem though "proper firewall", haven't a clue where to
start other than "DENY ALL"... B-) Then of course there is an awful
lot of legacy IPv4 only kit that still needs to work. Very few bits
of kit I have are IPv6 capable.

--
Cheers
Dave.



Alan Clifford

Jun 8, 2012, 2:51:42 PM
Alfred E Neuman wrote (at 17:27 (+0100) on Friday, 8th June, 2012):

>
> Is there not anything like NAT available in IPv6?

I'm picturing the RevK banging his head against a wall.

--
Alan

( If replying by mail, please note that all "sardines" are canned.
However, unless this a very old message, a "tuna" will swim right
through. )

Alfred E Neuman

Jun 8, 2012, 5:24:12 PM
Alan Clifford wrote:
> Alfred E Neuman wrote (at 17:27 (+0100) on Friday, 8th June, 2012):
>
>>
>> Is there not anything like NAT available in IPv6?
>
> I'm picturing the RevK banging his head against a wall.

I'm sure he is, but I can't take seriously the "NAT is evil!" brigade. The
implementation may suck, but the principle is sound. Just think back to what we
mean by "Internet" .. a protocol that joins together different networks, not
forcing every device in the world to be a member of a single network. It is
unreasonable, in my opinion, to insist that every device in the world, from my
mobile phone to a nuclear reactor in Iran (for example) to be part of the same
addressing space. We've seen recently what can happen to the latter of these
two devices when it was left exposed in this way.

Surely the idea should be to support a hierarchical structure in which every
device or set of devices has exactly the amount of inter-connectivity and
connectivity with the rest of the world that it needs. My humble bunch of PCs,
or all the PCs in a large corporation, should be able to communicate with each
other in complete privacy, only exposing themselves to the outside world as
much as is necessary to achieve their goals.

Firewalls are essential, of course, but relying on them as the sole source of
security is a bit like separating all of the rooms of my house so that I have
to walk through publicly-accessible spaces to get between them, then employing
armed guards at each of these interchanges to keep me safe. Of course we never
do things like that .. we build houses where trusted people (the occupants) can
roam freely between the rooms while the house as a whole is protected by locked
doors which are only opened when they are needed.

Nix

Jun 8, 2012, 6:55:32 PM
On 8 Jun 2012, Alfred E. Neuman verbalised:

> Alan Clifford wrote:
>> Alfred E Neuman wrote (at 17:27 (+0100) on Friday, 8th June, 2012):
>>
>>>
>>> Is there not anything like NAT available in IPv6?
>>
>> I'm picturing the RevK banging his head against a wall.
>
> I'm sure he is, but I can't take seriously the "NAT is evil!" brigade.
> The implementation may suck, but the principle is sound. Just think
> back to what we mean by "Internet" .. a protocol that joins together
> different networks, not forcing every device in the world to be a
> member of a single network. It is unreasonable, in my opinion, to
> insist that every device in the world, from my mobile phone to a
> nuclear reactor in Iran (for example) to be part of the same
> addressing space. We've seen recently what can happen to the latter of
> these two devices when it was left exposed in this way.

Uh, both the nuclear reactor and the centrifuges in Iran were not on the
Internet at all -- airgapped. Infections were spread by people carrying
in USB keys.

> Surely the idea should be to support a hierarchical structure in which
> every device or set of devices has exactly the amount of
> inter-connectivity and connectivity with the rest of the world that it
> needs.

That's great for the people at the top of the hierarchy. Not so great
for everyone else.

--
NULL && (void)

Dave Liquorice

Jun 8, 2012, 6:44:33 PM
On Fri, 08 Jun 2012 22:24:12 +0100, Alfred E Neuman wrote:

> Just think back to what we mean by "Internet" .. a protocol that joins
> together different networks, not forcing every device in the world to be
> a member of a single network.

I think you are missing something fundamental. There is no difference
between the address space offered by IPv4 and that by IPv6, except
that the latter has rather more of it by virtue of using 128 bits
instead of 32.

The "private" address space in IPv4 (10.x.x.x, 172.16.0.0 to
172.31.255.255 and 192.168.x.x) is only private because the standards
say that those addresses shouldn't be routed across the public
internet; note *shouldn't*, there is no reason why they can't be.

Likewise you don't *have* to use space in those ranges for private
networks but if you don't you might run into problems if you connect
that network to the internet.

> ... we build houses where trusted people (the occupants) can roam freely
> between the rooms while the house as a whole is protected by locked
> doors which are only opened when they are needed.

Firewalls only need to go into the doors that you want protecting;
they don't need to be run on individual PCs(*). So the firewall is at
the house's front door, once inside the house you can move freely.
Likewise those already inside are deemed to be trusted and can
likewise move freely. You can even have doors within the house
protected by other firewalls that allow house traffic through but
block traffic from the internet (or only allow traffic from a given
source) through.

(*) Having a firewall on individual PCs is probably another bad side
effect of NAT as there is no effective single firewall at the "door"
to the internet. That is something that inspects the *outgoing*
traffic and decides if it is allowed or not.

--
Cheers
Dave.
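As an added illustration of the "firewall at the front door" policy described in this post and the "DENY ALL" starting point in the earlier one (example code, not anything posted in the thread), here is a small Python model of a stateful IPv6 border filter: every LAN host keeps its global address, but from the WAN side only replies to LAN-initiated flows, ICMPv6 (which carries Neighbour Discovery) and one deliberately exposed service get through. The 2001:db8:1::/64 prefix and the exposed SIP phone address are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network, ip_address

# Constructed for the example: the /64 the ISP delegated to the home LAN.
LAN = IPv6Network("2001:db8:1::/64")
# Constructed: the one service deliberately reachable from outside
# (a VoIP phone on SIP/UDP 5060, the SIP case raised in the thread).
EXPOSED = {(IPv6Address("2001:db8:1::25"), "udp", 5060)}


@dataclass(frozen=True)
class Packet:
    iface: str   # "lan" or "wan": which side the packet arrived on
    proto: str   # "tcp", "udp" or "icmpv6"
    src: str
    sport: int
    dst: str
    dport: int


class BorderFilter:
    """Stateful filter standing in for the NAT box: default deny from the
    WAN, remember LAN-initiated flows and let only their replies back in."""

    def __init__(self) -> None:
        self.flows = set()

    def decide(self, p: Packet) -> str:
        src, dst = ip_address(p.src), ip_address(p.dst)
        # Neighbour Discovery and Router Advertisements ride on ICMPv6;
        # blocking it wholesale breaks IPv6 (real rulesets filter by type).
        if p.proto == "icmpv6":
            return "accept"
        if p.iface == "lan":
            if src not in LAN:           # spoofed or misconfigured source
                return "drop"
            # Outbound: record the flow so the reply can be matched later.
            self.flows.add((p.proto, src, p.sport, dst, p.dport))
            return "accept"
        # Arrived on the WAN side.
        if src in LAN:                   # our own prefix from outside: spoof
            return "drop"
        if (p.proto, dst, p.dport, src, p.sport) in self.flows:
            return "accept"              # reply to something the LAN started
        if (dst, p.proto, p.dport) in EXPOSED:
            return "accept"              # explicitly opened service
        return "drop"                    # global address, but not reachable


def demo() -> list:
    """Run a constructed packet sequence through the filter."""
    f = BorderFilter()
    seq = [
        # LAN host opens an HTTPS connection outwards
        Packet("lan", "tcp", "2001:db8:1::10", 40000, "2001:db8:2::80", 443),
        # the server's reply comes back in on the WAN side
        Packet("wan", "tcp", "2001:db8:2::80", 443, "2001:db8:1::10", 40000),
        # unsolicited RDP attempt at a LAN host's global address
        Packet("wan", "tcp", "2001:db8:9::bad", 1234, "2001:db8:1::10", 3389),
        # SIP to the phone we chose to expose
        Packet("wan", "udp", "2001:db8:9::5", 5060, "2001:db8:1::25", 5060),
        # our own prefix arriving from outside: anti-spoofing drop
        Packet("wan", "tcp", "2001:db8:1::10", 40000, "2001:db8:1::11", 22),
        # ICMPv6 (Neighbour Discovery / RA) must pass
        Packet("wan", "icmpv6", "fe80::1", 0, "ff02::1", 0),
    ]
    return [f.decide(p) for p in seq]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```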



Alan Clifford

Jun 8, 2012, 7:19:27 PM
Alfred E Neuman wrote (at 22:24 (+0100) on Friday, 8th June, 2012):
> Alan Clifford wrote:
>> Alfred E Neuman wrote (at 17:27 (+0100) on Friday, 8th June, 2012):
>>
>>>
>>> Is there not anything like NAT available in IPv6?
>>
>> I'm picturing the RevK banging his head against a wall.
>
>
> Surely the idea should be to support a hierarchical structure in which every
> device or set of devices has exactly the amount of inter-connectivity and
> connectivity with the rest of the world that it needs.

My other thought was even if the router had a public ipv6 address then
couldn't you still use ipv4 NAT for your home network? Or can't the
routers do that?

Roger Lynn

Jun 8, 2012, 8:41:19 PM
According to
http://www.theregister.co.uk/2012/03/31/ipv6_sucks_for_smes/ Network
Prefix Translation (NPT) provides the equivalent for IPv6.

Roger

Alfred E Neuman

Jun 9, 2012, 5:28:40 AM
Alan Clifford wrote:
> Alfred E Neuman wrote (at 22:24 (+0100) on Friday, 8th June, 2012):
>> Alan Clifford wrote:
>>> Alfred E Neuman wrote (at 17:27 (+0100) on Friday, 8th June, 2012):
>>>
>>>>
>>>> Is there not anything like NAT available in IPv6?
>>>
>>> I'm picturing the RevK banging his head against a wall.
>>
>>
>> Surely the idea should be to support a hierarchical structure in which
>> every device or set of devices has exactly the amount of
>> inter-connectivity and connectivity with the rest of the world that it
>> needs.
>
> My other thought was even if the router had a public ipv6 address then
> couldn't you still use ipv4 NAT for your home network? Or can't the
> routers do that?

That would make sense, but then there would need to be some sort of NAT to
translate local IPv4 addresses to IPv6 in the outside world and back, which is
exactly the same issue.

Apart from security issues, surely there is a question of convenience. If I
should change ISP and get a new bank of IPv6 addresses then without something
like NAT I would have to change the IPs of all of my PCs (and in future perhaps
my TV, fridge, central heating system ..) to be in the new bank. It makes a lot
more sense to allocate everything a private address, like the 10.1.1.x
addresses I use at the moment, and map these to outside world addresses at one
common point which can also handle firewall duties.

Bob Eager

Jun 9, 2012, 5:53:03 AM
On Sat, 09 Jun 2012 10:28:40 +0100, Alfred E Neuman wrote:

> Apart from security issues, surely there is a question of convenience.
> If I should change ISP and get a new bank of IPv6 addresses then without
> something like NAT I would have to change the IPs of all of my PCs (and
> in future perhaps my TV, fridge, central heating system ..) to be in the
> new bank. It makes a lot more sense to allocate everything a private
> address, like the 10.1.1.x addresses I use at the moment, and map these
> to outside world addresses at one common point which can also handle
> firewall duties.

Not really, no. For example, in the IPv4 world you just change the DNS
entries, DHCP follows, and it just works. There are different, but
functionally equivalent, facilities in the IPv6 world. It takes a couple
of minutes to do it all - I've done it twice now.



--
Use the BIG mirror service in the UK:
http://www.mirrorservice.org

*lightning protection* - a w_tom conductor

Alfred E Neuman

Jun 9, 2012, 6:12:21 AM
Roger Lynn wrote:
> According to
> http://www.theregister.co.uk/2012/03/31/ipv6_sucks_for_smes/ Network
> Prefix Translation (NPT) provides the equivalent for IPv6.

Sheesh! The more I look into IPv6 the longer I hope I'll be able to continue
using IPv4 while the mess is sorted out. I estimate at least 10 years before
it's an easy-to-use option for non-netgeeks (never mind ordinary consumers) to
use on small LANs or even single computers.

Alfred E Neuman

Jun 9, 2012, 6:22:15 AM
Bob Eager wrote:
> On Sat, 09 Jun 2012 10:28:40 +0100, Alfred E Neuman wrote:
>
>> Apart from security issues, surely there is a question of convenience.
>> If I should change ISP and get a new bank of IPv6 addresses then without
>> something like NAT I would have to change the IPs of all of my PCs (and
>> in future perhaps my TV, fridge, central heating system ..) to be in the
>> new bank. It makes a lot more sense to allocate everything a private
>> address, like the 10.1.1.x addresses I use at the moment, and map these
>> to outside world addresses at one common point which can also handle
>> firewall duties.
>
> Not really, no. For example, in the IPv4 world you just change the DNS
> entries, DHCP follows, and it just works. There are different, but
> functionally equivalent, facilities in the IPv6 world. It takes a couple
> of minutes to do it all - I've done it twice now.

Assuming I want to use DHCP on my LAN, which of course assumes the DHCP server
will be running at all times. My DHCP server, when I use it at all, is in my
ADSL router. Presumably if this developed a fault or was off-line for some
other reason then I wouldn't be able to exchange data between devices on my
LAN. If I had to rely on DHCP provided remotely (as presumably I would have to
do if I was not the one assigning the IP addresses) then the whole operation of
my local network would be dependent on a 24/7 connection to the outside world.

It's bad enough being disconnected from the Internet when BT or AA have a
fault. I'm not going to put up with such a fault also breaking my LAN.

Oh yes, I suppose I should have my own duplicated DHCP servers, DNS servers,
firewall boxes and so on. Just how much am I supposed to spend and how long am I
supposed to take learning all of this stuff for the privilege of entering the
brave new world of 2^128 IP addresses?

Dave Liquorice

Jun 9, 2012, 6:28:23 AM
On Sat, 09 Jun 2012 10:28:40 +0100, Alfred E Neuman wrote:

>> My other thought was even if the router had a public ipv6 address then
>> couldn't you still use ipv4 NAT for your home network? Or can't the
>> routers do that?

Donno, which is another reason for not jumping into IPv6 with both
feet, a slow tentative big toe first approach is much more sensible.
Thinking about it any device for the domestic market that doesn't
have IPv6 <> IPv4 mapping is putting itself at a huge disadvantage. I
don't think the Wii or DS do IPv6, fairly sure the TV and Blu-Ray
don't either. They are all fine behind NAT though. Should I venture
into VOIP phones they really do need a public address.

> Apart from security issues, ...

Which in reality don't exist as explained before as the firewall will
stop access to anything you don't want to expose.

> ... surely there is a question of convenience. If I should change ISP
> and get a new bank of IPv6 addresses then without something like NAT I
> would have to change the IPs of all of my PCs (and in future perhaps my
> TV, fridge, central heating system ..) to be in the new bank.

IPv6 has DHCP... I gave up on a static based network once I got above
about four devices for more or less just the reason you state, too
hard to maintain and manage when new kit arrives.

Bear in mind that a /96 IPv6 subnet can contain the *entire* IPv4
address space... Indeed there is a convention:

http://www.tcpipguide.com/free/t_IPv6IPv4AddressEmbedding-2.htm

But it isn't that simple at the packet level, with ports, protocols,
checksums, etc etc...

--
Cheers
Dave.



Alfred E Neuman

Jun 9, 2012, 6:55:18 AM
Dave Liquorice wrote:
> Thinking about it any device for the domestic market that doesn't
> have IPv6 <> IPv4 mapping is putting itself at a huge disadvantage. I
> don't think the Wii or DS do IPv6, fairly sure the TV and Blu-Ray
> don't either. They are all fine behind NAT though. Should I venture
> into VOIP phones they really do need a public address.

How does mapping from an IPv4 LAN to IPv6 WAN work? Presumably at some point
there will be no global IPv4 addresses left so new web servers (etc) that I
need to connect to will only have IPv6 addresses, and my browser (or whatever)
will have to connect using these. How will this be done if everything on the
LAN side of the router is still using IPv4?

BTW, I use a VOIP phone (Voipfone account) via my Zyxel router which uses NAT,
and it works fine.

David Lord

Jun 9, 2012, 6:58:18 AM
Alfred E Neuman wrote:
> Alan Clifford wrote:
>> Alfred E Neuman wrote (at 22:24 (+0100) on Friday, 8th June, 2012):
>>> Alan Clifford wrote:
>>>> Alfred E Neuman wrote (at 17:27 (+0100) on Friday, 8th June, 2012):
>>>>
>>>>>
>>>>> Is there not anything like NAT available in IPv6?
>>>>
>>>> I'm picturing the RevK banging his head against a wall.
>>>
>>>
>>> Surely the idea should be to support a hierarchical structure in
>>> which every device or set of devices has exactly the amount of
>>> inter-connectivity and connectivity with the rest of the world that
>>> it needs.
>>
>> My other thought was even if the router had a public ipv6 address then
>> couldn't you still use ipv4 NAT for your home network? Or can't the
>> routers do that?
>
> That would make sense, but then there would need to be some sort of NAT
> to translate local IPv4 addresses to IPv6 in the outside world and back,
> which is exactly the same issue.

For many years I've used an ipv6 tunnel as my adsl router
doesn't support native ipv6. It's still working as one of my
servers gets one of its ntp sources via ipv6 and I run
download tests several times a day with one being ipv6 which
is a bit slower than from the ipv4 tests. My email server,
xmail on netbsd, is also ipv6 capable and tested many years
ago to/from the developer of xmail.

>
> Apart from security issues, surely there is a question of convenience.
> If I should change ISP and get a new bank of IPv6 addresses then without
> something like NAT I would have to change the IPs of all of my PCs (and
> in future perhaps my TV, fridge, central heating system ..) to be in the
> new bank. It makes a lot more sense to allocate everything a private
> address, like the 10.1.1.x addresses I use at the moment, and map these
> to outside world addresses at one common point which can also handle
> firewall duties.

You have enough addresses for NAT not to be needed. You provide
security by using normal firewall rules. At least on my firewall
that uses less resources than NAT.


David

Dave Liquorice

Jun 9, 2012, 7:07:17 AM
On Sat, 09 Jun 2012 11:22:15 +0100, Alfred E Neuman wrote:

> Assuming I want to use DHCP on my LAN, which of course assumes the DHCP
> server will be running at all times. My DHCP server, when I use it at
> all, is in my ADSL router.

So you switch your ADSL router off? Each to their own. B-)

> Presumably if this developed a fault or was off-line for some other
> reason then I wouldn't be able to exchange data between devices on my
> LAN.

That depends on what the lease timeout is that accompanies a DHCP
issued IP address. Devices will retain and use their issued
address up until that lease runs out; they will then re-request it.
Most DHCP servers will just re-issue the same address to the same MAC
with the same lease duration. Devices restarted with the DHCP server
offline or with timed out leases would have problems but anything with
a valid lease should be fine with the DHCP server on or off line.

> If I had to rely on DHCP provided remotely (as presumably I would have
> to do if I was not the one assigning the IP addresses) then the whole
> operation of my local network would be dependent on a 24/7 connection to
> the outside world.

As I understand it you get a block (/60 or /64) of IPv6 addresses and
how you allocate them is up to you. You'd simply tell your DHCP
server the range of address's it is allowed to allocate, just like
you do with IPv4.

> It's bad enough being disconnected from the Internet when BT or AA have
> a fault. I'm not going to put up with such a fault also breaking my LAN.

It won't if you leave your DHCP server powered up.

> Oh yes, I suppose I should have my own duplicated DHCP servers, DNS
> servers, firewall boxes and so on. Just how much am I suppose to spend
> and how long am I supposed to take learning all of this stuff for the
> privilege of entering the brave new world of 2^128 IP addresses?

All those boxes would be integrated into the IPv6 ADSL router,
except the DNS; those requests will just be forwarded to your ISP's DNS
machines, the addresses being obtained either by WAN side DHCP or
statically configured (as with IPv4). The firewall may need a bit of
tweaking but I would hope that the defaults are sensible like denying
all access to internal devices unless specifically configured,
outgoing might be a bit trickier to prevent malware on an internal
machine access to the internet.

IPv6 consumer kit is becoming available but isn't mature yet. Give it
a year. The big problem will be legacy IPv4 only kit and the IPv6 <>
IPv4 translation that such kit will (eventually) require. I say
eventually as there is no reason why a box can't run IPv4 and IPv6 in
parallel with no translation between the two. Just swap out your
ADSL router for an IPV6 and IPV4 capable one, your current IPv4 kit
just works as now, that kit that can use IPv6 does so. At some point
the internet will become predominantly IPv6 only and IPv4 kit will
start to have problems but that is going to take a while and decent
ISPs will have IPv6 <> IPv4 translation servers (A&A already do).

--
Cheers
Dave.



Alfred E Neuman

Jun 9, 2012, 7:30:36 AM
David Lord wrote:
> Alfred E Neuman wrote:
>> Apart from security issues, surely there is a question of convenience.
>> If I should change ISP and get a new bank of IPv6 addresses then
>> without something like NAT I would have to change the IPs of all of my
>> PCs (and in future perhaps my TV, fridge, central heating system ..)
>> to be in the new bank. It makes a lot more sense to allocate
>> everything a private address, like the 10.1.1.x addresses I use at the
>> moment, and map these to outside world addresses at one common point
>> which can also handle firewall duties.
>
> You have enough addresses for NAT not to be needed. You provide
> security by using normal firewall rules. At least on my firewall
> that uses less resources than NAT.

You're missing the point, which is that I shouldn't have to tie the internal
addresses of my LAN (which may one day include every electronic device in the
house) to a range of addresses defined in the outside world. What about if I
want to reorganise the LAN locally? What about if I change to another ISP, or
if AA decide they need to reorganise my IP addresses (which I think they
reserve the right to do)?

It's nice to have a bank of 2^64 addresses all allocated to me, but they are
not mine. They could disappear at any time due to a fault or due to someone
like RIPE bringing in new terms and conditions which I don't accept. My LAN is
truly my own, and the big, bad world of the Internet begins and ends at the router.

As for security, the best security I can think of for one of my local machines
is for the address to access it to be unknown to the world at large. A few
years ago it only took a blip of a few seconds when my firewall went offline
for a PC to get infected with a trojan. Some firewalls (ZoneAlarm for example)
have to be closed down and restarted whenever the machine's IP address is
changed. If the machine had an address accessible from the outside world it
would be vulnerable to attack at that point.

Rodney Pont

Jun 9, 2012, 8:12:32 AM
On Sat, 09 Jun 2012 12:30:36 +0100, Alfred E Neuman wrote:

>You're missing the point, which is that I shouldn't have to tie the internal
>addresses of my LAN (which may one day include every electronic device in the
>house) to a range of addresses defined in the outside world. What about if I
>want to reorganise the LAN locally? What about if I change to another ISP, or
>if AA decide they need to reorganise my IP addresses (which I think they
>reserve the right to do)?

Just use site local addresses, these begin with FEC0 see:

http://www.ruwenzori.net/ipv6/Jims_LAN_IPv6_global_connectivity_howto.html

or search for something newer yourself.

I don't know much about ipv6 yet but have an address block and an ipv6 capable
modem/router (Technicolor TG582n) so I'm starting to learn.


--
Regards - Rodney Pont
The from address exists but is mostly dumped,
please send any emails to the address below
e-mail rpont (at) gmail (dot) com
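An added Python sketch (not anyone's code from the thread) tying together three points raised above: the /60 delegation that splits into sixteen /64s of 2^64 hosts each, the convention for embedding an IPv4 address in a /96, and the FEC0 site-local range just mentioned, which RFC 3879 deprecated in favour of unique local addresses (fc00::/7, RFC 4193). The 2001:db8: values are constructed documentation-prefix examples; the scope prefixes are the well-known IANA allocations.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import List, Optional

# Well-known ranges, most specific first so the first match wins.
SCOPES = [
    (IPv6Network("::ffff:0:0/96"), "ipv4-mapped"),
    (IPv6Network("fe80::/10"), "link-local"),
    (IPv6Network("fec0::/10"), "site-local (deprecated, RFC 3879)"),
    (IPv6Network("fc00::/7"), "unique-local (RFC 4193, not internet-routed)"),
    (IPv6Network("2000::/3"), "global unicast"),
]


def classify(text: str) -> str:
    """Name the scope of an IPv6 address; 'global unicast' means it is
    reachable from the internet unless a firewall says otherwise."""
    addr = IPv6Address(text)
    for net, name in SCOPES:
        if addr in net:
            return name
    return "other"


def split_delegation(delegation: str, new_len: int = 64) -> List[IPv6Network]:
    """Carve an ISP delegation (e.g. the /60 A&A offer) into per-LAN /64s."""
    return list(IPv6Network(delegation).subnets(new_prefix=new_len))


def hosts_in(network: str) -> int:
    """Addresses in a subnet: 2**64 for a /64, the figure quoted above."""
    return IPv6Network(network).num_addresses


def embed_ipv4(v4: str) -> IPv6Address:
    """IPv4-mapped form ::ffff:a.b.c.d: the IPv4 address occupies the low
    32 bits of the ::ffff:0:0/96 block, so one /96 holds all of IPv4."""
    return IPv6Address((0xFFFF << 32) | int(IPv4Address(v4)))


def extract_ipv4(v6: IPv6Address) -> Optional[IPv4Address]:
    """Inverse of embed_ipv4; None when the address embeds no IPv4."""
    return v6.ipv4_mapped


if __name__ == "__main__":
    # Constructed /60 delegation (documentation prefix, nibble-aligned).
    lans = split_delegation("2001:db8:abcd:1230::/60")
    print(len(lans), "subnets, first:", lans[0], "last:", lans[-1])
    print("hosts per /64:", hosts_in(str(lans[0])))
    for a in ["2001:db8::1", "fe80::1", "fec0::1", "fd12:3456::1", "::ffff:10.1.1.5"]:
        print(a, "->", classify(a))
    mapped = embed_ipv4("10.1.1.5")   # the 10.1.1.x range used in the thread
    print(mapped, "->", extract_ipv4(mapped))
```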


Alfred E Neuman

Jun 9, 2012, 8:49:12 AM
Rodney Pont wrote:
> On Sat, 09 Jun 2012 12:30:36 +0100, Alfred E Neuman wrote:
>
>> You're missing the point, which is that I shouldn't have to tie the internal
>> addresses of my LAN (which may one day include every electronic device in the
>> house) to a range of addresses defined in the outside world. What about if I
>> want to reorganise the LAN locally? What about if I change to another ISP, or
>> if AA decide they need to reorganise my IP addresses (which I think they
>> reserve the right to do)?
>
> Just use site local addresses, these begin with FEC0 see:
>
> http://www.ruwenzori.net/ipv6/Jims_LAN_IPv6_global_connectivity_howto.html

Are these site local addresses instead of or in addition to each machine having
a global IPv6 address? If "instead" then I would still need something like NAT
to connect to the outside world. If "in addition" then there is still the
problem of every machine having an address accessible from the outside world,
which (a) makes it vulnerable if for any reason there isn't a cast-iron
firewall protecting it, and (b) means all machines have to be changed if the
global IP address set should happen to change.

David Woolley

Jun 9, 2012, 9:35:36 AM
Alfred E Neuman wrote:

>
> Are these site local addresses instead of or in addition to each machine
> having a global IPv6 address? If "instead" than I would still need
> something like NAT to connect to the outside world. If "in addition"

Run two local networks, one routable and one not routable. Even with my
IP V4 660HW I do that. The Linux machine has a routable address. The
Windows netbook has a NATted 192.168.... address.

David Lord

Jun 9, 2012, 9:32:11 AM
You keep the same ipv6 addresses either from your allocation
or can use the devices own ipv6 addresses which are fixed in
their own hardware.

If you have an ipv6 enabled router just block all until you
feel able to use ipv6 and then just allow/deny traffic as
you want.

David

Nix

Jun 9, 2012, 10:52:11 AM
On 9 Jun 2012, Alfred E. Neuman told this:

> Bob Eager wrote:
>> Not really, no. For example, in the IPv4 world you just change the DNS
>> entries, DHCP follows, and it just works. There are different, but
>> functionally equivalent, facilities in the IPv6 world. It takes a couple
>> of minutes to do it all - I've done it twice now.
>
> Assuming I want to use DHCP on my LAN, which of course assumes the
> DHCP server will be running at all times. My DHCP server, when I use
> it at all, is in my ADSL router.

The IPv6 equivalent, RA, is mandatory and always running, always
advertising the applicable route prefix: IPv6 pretty much won't work at
all without it. (It's not a crock like DHCP, but wired into the protocol
much like ARP is for IPv4 -- in fact it supplants both DHCP *and* ARP.)

> Presumably if this developed a
> fault or was off-line for some other reason then I wouldn't be able to
> exchange data between devices on my LAN.

And if your machines were unable to ARP they would also be in trouble.
Since RA handles both...

> If I had to rely on DHCP
> provided remotely (as presumably I would have to do if I was not the
> one assigning the IP addresses) then the whole operation of my local
> network would be dependent on a 24/7 connection to the outside world.

Most RA daemons allow the specification of a default route prefix which
they advertise if they are not told otherwise. (You generally flip this
when you migrate your primary ISP, if you have more than one.)

If the original IPv6 conception of DNS had been fully implemented, DNS
would have magically followed -- as it is, you need to fiddle with DNS
whenever this happens (ew, ick).

--
NULL && (void)

Nix

Jun 9, 2012, 11:05:05 AM
On 9 Jun 2012, Alfred E. Neuman verbalised:
I hate to point it out, but it's *entirely automatic* on virtually every
consumer OS presently on sale (i.e., you need do nothing at all as long
as your ISP supports it). This has been true for years.

--
NULL && (void)

Andrew Hodgson

Jun 10, 2012, 6:38:23 AM
On Fri, 8 Jun 2012 19:51:42 +0100, Alan Clifford
<sard...@purse-seine.net> wrote:

>Alfred E Neuman wrote (at 17:27 (+0100) on Friday, 8th June, 2012):
>
>>
>> Is there not anything like NAT available in IPv6?
>
>I'm picturing the RevK banging his head against a wall.

Yes, and imho it is going to be a huge struggle to actually get to the
desired point where NAT is abolished for most cases.

Taking current work for example, we have the setup of a few public
external IP addresses and a Cisco firewall doing all the NAT between
the private IP addresses and the public IP addresses. We had a
meeting with the network provider regarding going IPV6, and the
general consensus was to enable the IPV6 on the external interface
only and continuing using the IPV4 addresses internally. I was the
only one in the room suggesting getting a public 2001 block and
assigning that to the internal hosts, then allow the external
connections to come in on the relevant ports to the DMZ hosts.
Everyone else thought I was totally mad, and the basis argument
against this is always security.

So I think we have a lot of work to get to before we get to get rid of
NAT altogether.

Andrew.

Andrew Hodgson

Jun 10, 2012, 6:47:39 AM
On Sat, 09 Jun 2012 10:28:40 +0100, Alfred E Neuman
<nos...@invalid.uk> wrote:

>Apart from security issues, surely there is a question of convenience. If I
>should change ISP and get a new bank of IPv6 addresses then without something
>like NAT I would have to change the IPs of all of my PCs (and in future perhaps
>my TV, fridge, central heating system ..) to be in the new bank. It makes a lot
>more sense to allocate everything a private address, like the 10.1.1.x
>addresses I use at the moment, and map these to outside world addresses at one
>common point which can also handle firewall duties.

This is one question I still would like clarification on. Yes, we
have RA for IPV6, but giving the example of a firewall which blocks
connections to and from specific IP addresses and multiple subnets,
and reconfiguring DNS entries, for a large company that would be a
real issue. That is one reason I held off getting IPV6 for the
company, I would rather get a block of addresses that I know we own
specifically and can arrange routes to, rather than it being tied to
an ISP.

Andrew.

Roger Lynn

Jun 10, 2012, 3:37:42 PM
On 09/06/12 10:53, Bob Eager wrote:
> On Sat, 09 Jun 2012 10:28:40 +0100, Alfred E Neuman wrote:
> Not really, no. For example, in the IPv4 world you just change the DNS
> entries, DHCP follows, and it just works. There are different, but
> functionally equivalent, facilities in the IPv6 world. It takes a couple
> of minutes to do it all - I've done it twice now.

I thought DHCP wasn't necessary for IPv4? Isn't there some sort of
autoconfiguration thingummy?

My problem is that I don't know if I can trust myself to set up an IPv6
firewall, something I have no difficulty doing for IPv4. I think I might
have to try to persuade my boss to send me on one of AAISP's training
courses, but as sysadminning isn't my primary job that might not be easy.

Roger

Dave Liquorice

Jun 10, 2012, 5:04:11 PM
On Sun, 10 Jun 2012 20:37:42 +0100, Roger Lynn wrote:

> I thought DHCP wasn't necessary for IPv4? Isn't there some sort of
> autoconfiguration thingummy?

DHCP *is* the autoconfiguration thingummy... Dynamic Host
Configuration Protocol. IPv6 has its own variants.

--
Cheers
Dave.



Alfred E Neuman

Jun 11, 2012, 6:47:13 AM
If everyone needs to use the IPv6 equivalent of DHCP to assign dynamic IPs to
all of the machines on the LAN, doesn't this defeat the whole point of giving
every machine on the Internet a fixed address (and hence the primary reason for
railing against NAT)?

Dave Liquorice

Jun 11, 2012, 8:22:16 AM
On Mon, 11 Jun 2012 11:47:13 +0100, Alfred E Neuman wrote:

>>> I thought DHCP wasn't necessary for IPv4? Isn't there some sort of
>>> autoconfiguration thingummy?
>>
>> DHCP *is* the autoconfiguration thingummy... Dynamic Host
>> Configuration Protocol. IPv6 has its own variants.
>
> If everyone needs to use the IPv6 equivalent of DHCP to assign dynamic
> IPs to all of the machines on the LAN,

Break the association between "dynamic" and "changes". My LAN uses
DHCP but anything that gets connected gets its own IP address from
the range I have set. If I disconnect that device, and plug something
else in, that new device will get the next, never used, address. If I
plug the original box back in, even years later, it will get the same
IP address as it had before. Indeed getting the old records for kit
that has gone WEEE out of the leases file may become an issue...

> ... doesn't this defeat the whole point of giving every machine on the
> Internet a fixed address (and hence the primary reason for railing
> against NAT)?

DHCP and NAT are not related.

DHCP enables you to come along with a machine, plug it in and it
"discovers" what the address of the gateway, DNS and its IP address
on that particular LAN are. You don't have to delve into the set up
of the machine and find out from somewhere (where?) what addresses
to use for that particular LAN. You can then unplug that machine, take
it somewhere else, plug it in and get a completely different set of
addresses all automagically and without having to know anything about
the LAN you are connecting to.

I believe that there is a way for a given machine to "advertise"
itself that it now has X IP address so the rest of the internet can
still find that physical machine as it changes IP. Always assuming
the LANs firewall will allow that... I have some other sneaky feeling
that an IPv6 IP address is also broken down into "network" and "host"
sections so it retains the "host" part all the time and just needs to
say "I'm now in network Y".

NAT is just a translation between WAN and LAN network addresses/ports
and generally relies on all "connections" originating within the LAN.
It can't sensibly cope with any random connection from the WAN to
something the other side of the NAT. This can be worked around but is
not ideal.

--
Cheers
Dave.



Dave Saville

Jun 11, 2012, 9:31:23 AM
On Mon, 11 Jun 2012 12:22:16 UTC, "Dave Liquorice"
<allsortsn...@howhill.co.uk> wrote:

<snip>

> I believe that there is a way for a given machine to "advertise"
> itself that it now has X IP address so the rest of the internet can
> still find that physical machine as it changes IP. Always assuming
> the LANs firewall will allow that... I have some other sneaky feeling
> that an IPv6 IP address is also broken down into "network" and "host"
> sections so it retains the "host" part all the time and just needs to
> say "I'm now in network Y".

Does it not use the MAC address as the "host" part?

--
Regards
Dave Saville

Jim Crowther

Jun 11, 2012, 9:55:46 AM
In uk.net.providers.aaisp, on Mon, 11 Jun 2012 13:22:16, Dave Liquorice
wrote:

>I have some other sneaky feeling that an IPv6 IP address is also broken
>down into "network" and "host" sections so it retains the "host" part
>all the time and just needs to say "I'm now in network Y".

That is my understanding, observing what should be happening with the
Technicolor router.

The router supplies the prefix (first 64 bits) to the PC [1], which uses
its interface MAC address to compile the suffix[2], the two together
making up the complete IP address[3]. So the suffix will remain
constant, though the prefix may vary, depending on the router
connection. So as far as the LAN is concerned, there's no longer any
need to manually set up IP addresses in every machine. It all 'just
happens'.

Here:
[1] 2001:8b0:86:0::/64
[2] 74-e5-0b-1a-00-ee >> 76e5:0bff:fe1a:00ee
[3] 2001:8b0:86::76e5:bff:fe1a:ee

--
Jim Crowther

Dave Liquorice

Jun 11, 2012, 11:12:30 AM
On Mon, 11 Jun 2012 13:31:23 +0000 (UTC), Dave Saville wrote:

>> I have some other sneaky feeling that an IPv6 IP address is also
>> broken down into "network" and "host" sections so it retains the
>> "host" part all the time and just needs to say "I'm now in network Y".
>
> Does it not use the MAC address as the "host" part?

Quite possibly, Mr Crowther's post rings a little bell. I think what
we all need is a very basic IPv6 primer.

--
Cheers
Dave.



Jim Crowther

Jun 11, 2012, 2:50:26 PM
In uk.net.providers.aaisp, on Mon, 11 Jun 2012 16:12:30, Dave Liquorice
wrote:
For Windows 7: I went to http://test-ipv6.com and found my IP address
wasn't what I thought it should be. A bit of Googling found this:
http://blackundertone.wordpress.com/2011/08/04/disable-windows-7-ipv6-random-temporary-addresses/

So it looks like M$ have managed to break the system again...

--
Jim Crowther

Nix

Jun 11, 2012, 5:15:49 PM
On 11 Jun 2012, Jim Crowther said:
> For Windows 7: I went to http://test-ipv6.com and found my IP address
> wasn't what I thought it should be. A bit of Googling found this:
> http://blackundertone.wordpress.com/2011/08/04/disable-windows-7-ipv6-random-temporary-addresses/
>
> So it looks like M$ have managed to break the system again...

Temporary addresses are an RFC-standardized security/anonymity feature,
not an MS brokenness. (Linux supports them too, as do most other OSes
supporting IPv6.)

--
NULL && (void)

Roger Lynn

Jun 11, 2012, 5:48:07 PM
What about Neighbour Discovery Protocol? Wikipedia says:

"Although DHCPv6 exists, IPv6 hosts normally use the Neighbor Discovery
Protocol to create a globally routable unicast address: the host sends
router solicitation requests and an IPv6 router responds with a prefix
assignment."

Roger

Jim Crowther

Jun 11, 2012, 7:10:24 PM
In uk.net.providers.aaisp, on Mon, 11 Jun 2012 22:15:49, Nix wrote:

>On 11 Jun 2012, Jim Crowther said:
>> For Windows 7: I went to http://test-ipv6.com and found my IP address
>> wasn't what I thought it should be. A bit of Googling found this:
>>
>>http://blackundertone.wordpress.com/2011/08/04/disable-windows-7-ipv6-random-temporary-addresses/
>>
>> So it looks like M$ have managed to break the system again...
>
>Temporary addresses are an RFC-standardized security/anonymity feature,

An excellent option to have, but...

>not an MS brokenness. (Linux supports them too, as do most other OSes
>supporting IPv6.)

...it's broken (IMHO) that they are applied automagically in Windows by
default, instead of being an openly offered choice (with possibly a
brief explanation). Much confusion for newbies to IPv6, which many of
us are.

Now turned off here.

In a few years (maybe decades, but the principle applies) when IPv6 is
pretty much deployed, people will still want to be able to access their
systems from afar - easy with IPv4, but automatic default 'temporary
addresses' will cause much head-scratching for many I fear.

--
Jim Crowther

Dave Liquorice

Jun 11, 2012, 8:39:30 PM
On Tue, 12 Jun 2012 00:10:24 +0100, Jim Crowther wrote:

>>Temporary addresses are an RFC-standardized security/anonymity feature,
>
> An excellent option to have, but...
>
> >not an MS brokenness. (Linux supports them too, as do most other OSes
> >supporting IPv6.)
>
> ...it's broken (IMHO) that they are applied automagically in Windows by
> default, instead of being an openly offered choice (with possibly a
> brief explanation).

Agreed, as MS quite often do; the default they have chosen is the
"wrong" one for simplicity of general use. Then they bury the changing
of the default several non-intuitive menus down in the GUI or with
magic CLI incantations.

--
Cheers
Dave.




Simon Farnsworth

Jun 12, 2012, 12:58:51 AM
Note that a system with temporary addresses enabled has two IPv6 addresses,
minimum. One is the permanent global address, intended for use with incoming
connections, the other is the temporary address used for outgoing
connections.

The idea is that someone trying to track you across multiple networks by MAC
address can't do so - the lower 64 bits of the address they see are random
and keep changing.

Of course, this does mean that you need better tooling than
"http://www.whatismyip.com/" type sites to determine what your IPv6 address
is for inbound connections.
--
Simon Farnsworth
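Added worked example (not from any post in this thread): the prefix-plus-MAC construction Jim Crowther describes above, and the temporary identifier Simon Farnsworth describes, side by side. It reuses the /64 prefix and MAC from Jim's post; `mac_from_address` is an illustrative helper that undoes the EUI-64 transform, which is exactly the linkage between address and hardware that temporary addresses are there to remove. Everything else (function names, the 0xfffe check used to tell the two kinds apart) is this example's own choice, not anything from the thread or from any OS implementation.

```python
import ipaddress
import secrets
from typing import Optional

# Values taken from Jim Crowther's post: the /64 the router advertises
# and the MAC address of the PC's interface.
PREFIX = "2001:8b0:86::/64"
MAC = "74-e5-0b-1a-00-ee"


def parse_mac(mac: str) -> bytes:
    """Accept 'aa-bb-cc-dd-ee-ff', 'aa:bb:cc:dd:ee:ff' or 'aabb.ccdd.eeff'."""
    digits = "".join(ch for ch in mac if ch not in "-:.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, appendix A):
    split the MAC in two, insert 0xfffe between the halves, and flip
    the universal/local bit (0x02 of the first byte)."""
    m = bytearray(parse_mac(mac))
    m[0] ^= 0x02
    return bytes(m[:3]) + b"\xff\xfe" + bytes(m[3:])


def temporary_interface_id() -> bytes:
    """Temporary identifier in the style of RFC 4941: 64 random bits with
    the universal/local bit cleared.  Nothing in it is derived from the
    hardware address, which is what makes it useless for tracking."""
    while True:
        iid = bytearray(secrets.token_bytes(8))
        iid[0] &= 0xFD
        # Regenerate in the 1-in-65536 case that the random bits happen to
        # look like an EUI-64 identifier, so the two kinds stay
        # distinguishable in this demonstration (example's own rule).
        if iid[3:5] != b"\xff\xfe":
            return bytes(iid)


def slaac_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Top 64 bits from the router's prefix, low 64 from the interface id."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC combines a /64 prefix with a 64-bit identifier")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def mac_from_address(addr: ipaddress.IPv6Address) -> Optional[str]:
    """Undo the EUI-64 transform: return the MAC for an EUI-64 derived
    address, or None when the identifier is a temporary/random one.
    With EUI-64 the same 48 bits follow the machine onto every network it
    joins; that is the linkage the privacy extensions remove."""
    iid = bytearray((int(addr) & ((1 << 64) - 1)).to_bytes(8, "big"))
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    stable = slaac_address(PREFIX, eui64_interface_id(MAC))
    temp = slaac_address(PREFIX, temporary_interface_id())
    print("EUI-64 address:   ", stable, "-> MAC", mac_from_address(stable))
    print("temporary address:", temp, "-> MAC", mac_from_address(temp))
```

Run it and the first line reproduces Jim's [3] (Python prints the address as `2001:8b0:86:0:76e5:bff:fe1a:ee`; it is the same address as `2001:8b0:86::76e5:bff:fe1a:ee`, just a different compression of the single zero group). The second line gives a different address every run and `None` for the MAC, which is the whole point of the temporary address: an observer on another network sees a fresh low 64 bits and cannot match it to the machine.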

Nix

Jun 12, 2012, 4:37:57 AM
On 12 Jun 2012, Jim Crowther said:

> In uk.net.providers.aaisp, on Mon, 11 Jun 2012 22:15:49, Nix wrote:
>>not an MS brokenness. (Linux supports them too, as do most other OSes
>>supporting IPv6.)
>
> ...it's broken (IMHO) that they are applied automagically in Windows
> by default, instead of being an openly offered choice (with possibly a
> brief explanation). Much confusion for newbies to IPv6, which many of
> us are.

Nope. It's the right decision for an OS on which most connections will
be outbound (which certainly applies to consumer installations of
Windows), as it makes it impossible to do intrusive per-IP tracking of
users, improving privacy by default. People running servers should know
how to look up the permanent address (which will always exist).

The biggest downside of temporary addresses is that designers of routers
and switches should allow for them in their design -- i.e., that they
cannot maintain a strictly time-expired neighbour table (IPv4
equivalent: ARP table) but must instead expire in some other fashion,
perhaps least-frequently-used, which has the advantage of preventing
someone using temporary addresses and opening a lot of new connections
from forcing more frequent neighbour table lookups for machines on the
same subnet with persistent addresses. (They should have done this
anyway, of course: a strictly-time-expired neighbour table of finite
size has always been vulnerable to DoS attacks.)

--
NULL && (void)
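Added example (not from any post in this thread) of the neighbour-table point Nix makes above: a finite cache that evicts strictly by age keeps getting its long-lived entries pushed out by a neighbour churning through temporary addresses, while one that evicts the least-used entry keeps them. The table, the two policies, the capacity and burst sizes, and the sample addresses are all constructed for this demonstration; no router or OS implements it in exactly this form.

```python
from collections import OrderedDict
from typing import Dict


class NeighbourTable:
    """Toy neighbour cache of fixed size (the IPv6 analogue of an ARP table).

    policy="age": strictly time-expired; when full, the entry that has been
                  in the table longest goes, however busy it is.
    policy="lfu": when full, the entry with the fewest lookups goes.
    """

    def __init__(self, capacity: int, policy: str) -> None:
        if policy not in ("age", "lfu"):
            raise ValueError(f"unknown policy {policy!r}")
        self.capacity = capacity
        self.policy = policy
        # address -> lookup count; OrderedDict insertion order doubles as age
        self.entries: "OrderedDict[str, int]" = OrderedDict()
        self.resolutions = 0  # fresh Neighbour Solicitation/Advertisement exchanges

    def lookup(self, addr: str) -> bool:
        """Return True on a cache hit; on a miss, resolve and insert."""
        if addr in self.entries:
            self.entries[addr] += 1
            return True
        self.resolutions += 1
        if len(self.entries) >= self.capacity:
            if self.policy == "age":
                victim = next(iter(self.entries))          # oldest entry
            else:
                victim = min(self.entries, key=self.entries.__getitem__)  # least used
            del self.entries[victim]
        self.entries[addr] = 1
        return False


def churn_burst(policy: str, capacity: int = 64, burst: int = 200) -> Dict[str, int]:
    """Constructed scenario: one neighbour with a persistent address that is
    looked up regularly, then a neighbour using temporary addresses opens
    `burst` connections, each from a fresh address.  Reports whether the
    persistent address is still cached afterwards and how many extra
    resolutions it needed."""
    table = NeighbourTable(capacity, policy)
    server = "2001:db8::1"                      # constructed persistent address
    for _ in range(10):
        table.lookup(server)
    before = table.resolutions                  # resolved once, then cached
    for i in range(burst):
        table.lookup(f"2001:db8::{i + 2:x}")    # constructed temporary addresses
    hit = table.lookup(server)
    return {
        "server_hit_after_burst": int(hit),
        "extra_server_resolutions": table.resolutions - before - burst,
    }


if __name__ == "__main__":
    for policy in ("age", "lfu"):
        print(policy, churn_burst(policy))
```

With the age policy the persistent neighbour is the oldest entry once the table fills, so the burst evicts it and the next packet to it stalls on a fresh resolution; with least-used eviction the churned single-use entries are the ones that go. The same arithmetic is why a time-only eviction rule is a denial-of-service exposure regardless of temporary addresses: any source that can create new neighbour entries faster than they expire can flush the ones that matter.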

Jim Crowther

Jun 12, 2012, 5:08:42 AM
In uk.net.providers.aaisp, on Tue, 12 Jun 2012 05:58:51, Simon
Thanks for the explanations folks. :)

As you've no doubt gathered, I'm very new to getting my head around all
this, so these snippets are very useful.

--
Jim Crowther

Eddie Pounce

Jun 12, 2012, 6:25:07 AM
I found the following a really useful primer:

http://www.ipv6forum.com/dl/books/the_second_internet.pdf

--
Eddie

Jim Crowther

Jun 12, 2012, 9:58:58 PM
In uk.net.providers.aaisp, on Tue, 12 Jun 2012 11:25:07, Eddie Pounce
wrote:
An excellent read - thank you. Privacy settings now reset. ;)

Your sig sep is slipping though. ;)

--
Jim Crowther

Dave Liquorice

Jun 13, 2012, 6:27:32 AM
On Tue, 12 Jun 2012 11:25:07 +0100, Eddie Pounce wrote:

> I found the following a really useful primer:
>
> http://www.ipv6forum.com/dl/books/the_second_internet.pdf

A 306 page primer... with quite a bit of history and background.
Having half read, half skimmed the first chapter, if the rest of it is
similar it should be useful. Think I might jump to chapter 3, or is
it 4, that look as if they might start talking about the nitty gritty
of IPv6. B-)

--
Cheers
Dave.


