<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal>Even though I wasn’t the organizer last night, I want
to thank everyone who showed up and participated. I found it very
informative and interesting, and apparently so did many other people,
reluctantly getting up to go home after 9, for the sake of needing to go home *<b>some</b>*
time. ;-)<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>There were several points of interest I thought were
valuable to stab a little deeper into:<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Even as ISPs roll out IPv6, they will not kill IPv4
anytime soon (not in the next 5 yrs.) So for now, that’s the
solution to the DNS problem. Apple, MS, etc. have plenty of time to work
out the details of DNS deployment, DHCPv6 and so on. Someday, you might
have to pay extra to have IPv4 enabled on your network connection.</p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>The references that I cited were: Running IPv6, Iljitsch
van Beijnum. It’s good for an understanding of IPv6, but since it’s
like 5 yrs old, it’s out-of-date in terms of configuring IPv6 on your
system. Fortunately, that doesn’t matter at all, because nowadays, enabling
IPv6 is trivial.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I could share it with anyone if they want, up to 2 weeks, if
you happen to have a Kindle (or are willing to use the Mac or Windows Amazon Kindle
reader). That should be enough to read the whole thing for all the
interesting parts. Also, I said it was $10. Sorry, my mistake, it’s
$35 to buy.</p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I mentioned NAT-PMP. <a
href="http://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol">http://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol</a><o:p></o:p></p>
<p class=MsoNormal>And I couldn’t remember the name of IGD. <a
href="http://en.wikipedia.org/wiki/Internet_Gateway_Device_Protocol">http://en.wikipedia.org/wiki/Internet_Gateway_Device_Protocol</a><o:p></o:p></p>
<p class=MsoNormal>These are protocols that allow a NAT IPv4 device to
communicate with the perimeter firewall, to auto-configure a hole through the
firewall, to enable inbound traffic, to support peer-to-peer traffic.
Today, these protocols are not widely built into firewalls. But some do
support it. Generally speaking, professional-level security appliances
don’t support it, but hopefully that will become optional in the near
future (and controllable via system policy), because I feel it’s a very
valuable thing, to enable peer-to-peer video conferences for example.</p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>The thing that’s nice about NAT-PMP and IGD is that
the client must explicitly request the hole opened at the perimeter firewall
before it’s allowed in. So this is an additional layer of security,
above just your software firewall. Obviously, nobody feels very
comfortable simply exposing all their internal IPs to the
Internet. So this helps facilitate communications without sacrificing security.</p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Today, if you want to do p2p, the recommendation would be
IPv4, with one of these. Most p2p apps support it (Skype, BitTorrent, and
many H.323 or SIP clients, etc.). The question that remains is whether or
not your perimeter firewall supports it.</p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Moving forward, if you have world-routable IPv6 addresses,
there’s no need for NAT and hence no need for NAT-PMP or IGD.
However, as mentioned before, the only security that NAT offers
you is implicitly blocking inbound unknown traffic. Moving forward, the
recommendation would be to still enable the firewall to block inbound unknown
traffic. In which case, the recommendation would be to use IPv6, *<b>and</b>*
NAT-PMP or IGD, or the alternative du jour.</p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Not previously mentioned, the other security that NAT offers
is internal network roadmap masking. That is, somebody outside has no way
of knowing your internal network topology or subnet ranges and possible router
hops. <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Believe it or not, IPv6 can be NAT’d if you want
to. (Though implementation may be sparse or nonexistent right now.)
Many of the IETF idealists would scoff at that as being sacrilegious and
defeating the purpose, but you can see how slowly things move when you’re
trying to be ideal. If striving for perfection, then critical components
(DNS, DHCP) get left out by the time you need to use them. So, just as
you can expect people to use DHCPv6 despite extremist objections, so you can
expect some organizations to do IPv6 NAT sometimes despite the extremist views
of individuals in the IETF. Specifically because they don’t want to
expose the internal network roadmap.</p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>One thing that’s cool is: If you do NAT your
IPv6, you have a very large number of external IPs. So you could
do a one-to-one mapping of internal IPs to external IPs, instead
of the many-to-one mapping that’s generally used in IPv4. Thus, you
eliminate the p2p problems that IPv4 NAT has, and you’re still able to do
NAT.</p>
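<p class=MsoNormal>Added example, not part of the original message: a small Python decoder for the NAT-PMP mapping request and response format described in RFC 6886, written from the defender's side so a network monitor watching UDP 5351 can log which internal host asked the gateway to open which inbound hole, and for how long. The capture in SAMPLE is constructed, and the host addresses and ports in it are made up.</p>

```python
import struct

# Constructed NAT-PMP (RFC 6886) decoder for auditing which internal hosts
# asked the gateway to open inbound holes. Gateway listens on UDP 5351.
OPCODES = {1: "map-udp", 2: "map-tcp"}
RESULTS = {0: "success", 1: "unsupported version", 2: "not authorized",
           3: "network failure", 4: "out of resources", 5: "unsupported opcode"}

def parse_request(raw: bytes) -> dict:
    """Client -> gateway: version(0), opcode, reserved, int port, ext port, lifetime."""
    if len(raw) != 12 or raw[0] != 0 or raw[1] not in OPCODES:
        raise ValueError("not a NAT-PMP v0 mapping request")
    _, op, _, int_port, ext_port, lifetime = struct.unpack("!BBHHHI", raw)
    return {"opcode": OPCODES[op], "internal_port": int_port,
            "external_port": ext_port, "lifetime": lifetime}

def parse_response(raw: bytes) -> dict:
    """Gateway -> client: opcode has bit 7 set; result 0 means the hole was opened."""
    if len(raw) != 16 or raw[0] != 0 or raw[1] - 128 not in OPCODES:
        raise ValueError("not a NAT-PMP v0 mapping response")
    _, op, result, uptime, int_port, ext_port, lifetime = struct.unpack("!BBHIHHI", raw)
    return {"opcode": OPCODES[op - 128], "result": RESULTS.get(result, "unknown"),
            "gateway_uptime": uptime, "internal_port": int_port,
            "external_port": ext_port, "lifetime": lifetime}

def audit(packets) -> list:
    """Turn captured (direction, host, payload) tuples into audit log lines."""
    out = []
    for direction, host, raw in packets:
        if direction == "req":
            r = parse_request(raw)
            if r["lifetime"] == 0:   # lifetime 0 is an explicit mapping deletion
                out.append(f"{host} removed {r['opcode']} mapping for port {r['internal_port']}")
            else:
                out.append(f"{host} requested {r['opcode']} hole {r['internal_port']}"
                           f"->{r['external_port']} for {r['lifetime']}s")
        else:
            r = parse_response(raw)
            out.append(f"gateway told {host}: {r['opcode']} {r['result']}, "
                       f"external port {r['external_port']} for {r['lifetime']}s")
    return out

# Constructed sample capture (not real traffic): a TCP hole request, the
# gateway's grant, a refused UDP request, and an explicit deletion.
SAMPLE = [
    ("req", "192.168.1.20", struct.pack("!BBHHHI", 0, 2, 0, 6881, 6881, 7200)),
    ("resp", "192.168.1.20", struct.pack("!BBHIHHI", 0, 130, 0, 4242, 6881, 6881, 7200)),
    ("resp", "192.168.1.31", struct.pack("!BBHIHHI", 0, 129, 2, 4242, 5060, 0, 0)),
    ("req", "192.168.1.20", struct.pack("!BBHHHI", 0, 2, 0, 6881, 0, 0)),
]
```

Feeding real UDP 5351 payloads to audit() gives the same kind of log, which is the record you would want when deciding whether a given hole at the perimeter was actually requested by an internal host.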
</div>
</body>
</html>