Re: Assigning IPv6 /48's to CPE's?

From: Mohacsi Janos (no email)
Date: Thu Jan 03 2008 - 04:41:28 EST

  • Next message: Jeroen Massar: "How to do sites when you have a distributed organization with no own network (Was: v6 subnet size for DSL & leased line customers)"

    On Wed, 2 Jan 2008, Rick Astley wrote:

    > Some of the comments here have cleared things up a bit.
    >
    > I suspect we will see NAT doing some 4to6 and 6to4 through migration, but
    > there is little reason to use NAT in place of stateful firewall in the v6 to
    > v6 world.
    >
    > I think RFC3041 (Privacy Extensions) and RFC4864 (Local Network Protection)
    > answer my question about MAC address privacy. I have to do some research on
    > this, but does anyone know if Vista's IP stack is RFC3041 compliant today?
    > (I believe OSX is but I don't know if it is enabled by default)
    >

    On by default in Windows, off by default in Linux
    (net.ipv6.conf.all.use_tempaddr), OSX and BSD (net.inet6.ip6.use_tempaddr)

    >
    > On to IP address allocation again:
    >
    > So I was thinking of /64 as "one subnet" consisting of multiple nodes, when
    > in practice a /64 is more like one node.
    >
    > This does open up some interesting possibilities like using multiple IP
    > addresses within a /64 on a single machine. You could do things on the
    > client side like separating applications into different "security zones"
    > with individual IP addresses, or giving individual users on the system their
    > own IP addresses so you can do user/zone specific firewall policies.
    >

    In my opinion /64 is very likely not a one-node configuration. Potentially
    you can put every computer in the world into /64. I agree the
    functional/operational separation is easy with /64. Earlier in IPv4 you
    had to think about the subnet sizes: here you have /64 and you can put
    as many computers as you like in that subnet!

    Introduction of IPv6 support in your network allows rethinking the
    subnetting and address allocation to better accommodate your current need.

    Best Regards,
             Janos

