Re: Assigning IPv6 /48's to CPE's?

From: Rick Astley (no email)
Date: Wed Jan 02 2008 - 20:34:04 EST


    Some of the comments here have cleared things up a bit.

    I suspect we will see NAT doing some 4to6 and 6to4 through migration, but
    there is little reason to use NAT in place of a stateful firewall in the v6
    to v6 world.

    I think RFC3041 (Privacy Extensions) and RFC4864 (Local Network Protection)
    answer my question about MAC address privacy. I have to do some research on
    this, but does anyone know if Vista's IP stack is RFC3041 compliant today?
    (I believe OSX is but I don't know if it is enabled by default)

    On to IP address allocation again:

    So I was thinking of /64 as "one subnet" consisting of multiple nodes, when
    in practice a /64 is more like one node.

    This does open up some interesting possibilities like using multiple IP
    addresses within a /64 on a single machine. You could do things on the
    client side like separating applications into different "security zones"
    with individual IP addresses, or giving individual users on the system their
    own IP addresses so you can do user/zone specific firewall policies.

    You could have the OS allocate an IP to a local peripheral like a printer
    that is shared with the local network to prevent creating a potential
    vulnerability on one of the IP addresses applications are using to connect
    to the Internet.

    This is cool, but it also means that the /64 is the new /32, and /56 is the
    new /24.

    So in cases where it is anticipated that the client will (or eventually
    will) have more than ~255 devices, a /48 is recommended.

    So now it is starting to become clear why people are handing out /48's to
    end users.
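
Added example, not part of the original message: a Python sketch of the prefix arithmetic discussed above (/48, /56, /64) and of the MAC privacy question, showing how a MAC-derived (modified EUI-64) address exposes the hardware address while a randomized interface ID does not. The prefix and MAC are constructed documentation values, the function names are hypothetical, and `temporary_address` uses plain random bytes where RFC 3041 uses an MD5-based generator.

```python
import ipaddress
import secrets

# Constructed sample: RFC 3849 documentation prefix standing in for a customer /48.
SITE = ipaddress.ip_network("2001:db8:1234::/48")

def subnet_count(prefix, new_len=64):
    """How many /new_len subnets fit inside prefix."""
    return 2 ** (new_len - prefix.prefixlen)

def _with_iid(net64, iid):
    """Combine a /64 network with an 8-byte interface ID."""
    return ipaddress.IPv6Address(int(net64.network_address) | int.from_bytes(iid, "big"))

def eui64_address(net64, mac):
    """SLAAC address built from the MAC (modified EUI-64)."""
    b = bytearray.fromhex(mac.replace(":", ""))
    b[0] ^= 0x02                                   # flip the universal/local bit
    return _with_iid(net64, bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]))

def temporary_address(net64, rand=None):
    """Random interface ID (assumption: random bytes instead of RFC 3041's MD5 chain)."""
    b = bytearray(rand or secrets.token_bytes(8))
    b[0] &= 0xFD                                   # clear the universal/local bit
    return _with_iid(net64, bytes(b))

def leaked_mac(addr):
    """MAC embedded in the interface ID, or None. Heuristic: keys on the ff:fe filler."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    b = bytearray(iid[:3] + iid[5:])
    b[0] ^= 0x02                                   # undo the bit flip
    return ":".join(f"{x:02x}" for x in b)

def audit(addresses):
    """Group addresses by /64 and report which ones expose a hardware address."""
    report = {}
    for a in addresses:
        net = ipaddress.ip_network(f"{a}/64", strict=False)
        report.setdefault(net, []).append((str(a), leaked_mac(a)))
    return report

if __name__ == "__main__":
    net64 = next(SITE.subnets(new_prefix=64))      # first /64 of the /48
    hosts = [eui64_address(net64, "00:00:5e:00:53:01"), temporary_address(net64)]
    print(subnet_count(SITE, 56), "x /56 and", subnet_count(SITE), "x /64 per /48")
    for net, rows in audit(hosts).items():
        print(net, rows)
```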

