Is there any point in switching to IPv6?

computerbuildin

Senior member
Nov 23, 2011
297
1
81
As for right now, that's what I'm wondering. Yes, I do know that one of the big reasons for IPv6 is because there is a shortage of IPv4 addresses. But what I'm wondering is if it makes anything better or faster than my current IPv4.
 

cmetz

Platinum Member
Nov 13, 2001
2,296
0
0
No.

Not better, plus slower.

Only actual problem it actually solves is to have really big addresses.
 

m1ldslide1

Platinum Member
Feb 20, 2006
2,321
0
0
Don't forget that an enterprise migration to IPv6 provides one of the most critical benefits in networking: resume filler. :)
 

theevilsharpie

Platinum Member
Nov 2, 2009
2,322
14
81
IPv6 is better than IPv4 in a number of areas, but those advantages aren't going to matter if it's not widely deployed.

IPv6, at least in North America, is still in a bit of an experimental phase. The protocol itself is stable and has been for years, but carriers and other organizations are still testing it in slow, limited rollouts. Major services like Google, Facebook, Bing, and Wikipedia have publicly-accessible IPv6 services, but you're not going to see smaller organizations come on board until IPv6 is more broadly adopted.

Anyway, long story short, unless you have some type of professional interest in IPv6, it's not really worthwhile to implement at this time.
 

Railgun

Golden Member
Mar 27, 2010
1,289
2
81
Internally to an organization, there's virtually no chance you'll run out of private addressing. Unless you're building a new network from scratch, there's no need to implement it.

There's a chance that your ISP (for consumer ISPs, that is) has already migrated. I know Virgin Media is also advertising my IP as v6.

From a business perspective, you can still acquire IPv4 addresses, though they're soon to be at the point of all but stopping that. Once the last /8 is available (from each respective registry), they'll push for IPv6 assignments.
 

theevilsharpie

Platinum Member
Nov 2, 2009
2,322
14
81
Internally to an organization, there's virtually no chance you'll run out of private addressing. Unless you're building a new network from scratch, there's no need to implement it.

Private networks are actually an area where IPv6 has a huge advantage over IPv4 due to the larger address range. While you're right that an organization probably won't run out of private addresses unless it's a huge corporation, there's a strong possibility that they'll run into an address range overlap at some point. Resolving that overlap requires re-addressing one of the networks, or setting up complex NAT rules. With IPv6, there's no chance for such an overlap to occur.
 

Railgun

Golden Member
Mar 27, 2010
1,289
2
81
The only way you really run into that kind of scenario is the result of a merger. Otherwise, I can't see how a single company can use 16 million hosts. And even then, those mergers could technically have the same issue, albeit a vastly reduced chance.

Poor network design could only cause that.
 

theevilsharpie

Platinum Member
Nov 2, 2009
2,322
14
81
The only way you really run into that kind of scenario is the result of a merger. Otherwise, I can't see how a single company can use 16 million hosts. And even then, those mergers could technically have the same issue, albeit a vastly reduced chance.

Poor network design could only cause that.

Address overlaps can (indeed, probably will) result from a merger, but they can also be a problem with VPNs between companies or workers signing in remotely. And it has nothing to do with poor network design; there's simply not enough private addresses. Overlap prevention works the same way in IPv4 and IPv6: use a public address range which is guaranteed to be unique.

With IPv6, that's easy: your ISP will assign you one as part of the service.

With IPv4, to obtain the number of IP addresses needed to address an internal network, you'll need to lease a range from a carrier ($$$$$$) or purchase a range from a registrar ($$$$, BGP-capable networking equipment and ISP needed). Because of the cost, most organizations will just deal with the headache of overlap.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
The only way you really run into that kind of scenario is the result of a merger. Otherwise, I can't see how a single company can use 16 million hosts. And even then, those mergers could technically have the same issue, albeit a vastly reduced chance.

Poor network design could only cause that.

Or being a contractor or home user that needs a VPN back to the company. If my home internal range is 192.168.1.0/24 and that's the same range used for the server VLAN, I won't be able to route to it via the VPN until I change my home range, which isn't within the scope of most users' abilities.
 

Railgun

Golden Member
Mar 27, 2010
1,289
2
81
Any good network design is not going to allow a home user's own range in their network. That's just asinine.

As for the rest, there's a long response. It's a good conversation and I want to reply but will do it a little later.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Any good network design is not going to allow a home user's own range in their network. That's just asinine.

As for the rest, there's a long response. It's a good conversation and I want to reply but will do it a little later.

It doesn't allow their range onto the work network, but if you use 192.168.1.0/24 internally at work and so do they at home, they won't be able to get to that range because their PC knows it's local and won't send the traffic over the tunnel.
 
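The overlap failure Nothinman describes (home LAN and server VLAN both on 192.168.1.0/24, so the connected route wins and the tunnel never sees the traffic) can be reproduced with a small longest-prefix-match lookup. This is an added example, not code from the thread; the route table, the metric values and the corporate prefixes are constructed, and it generalizes to an IPv6 ULA/global prefix pair to show why the collision cannot happen there.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: object   # ipaddress.IPv4Network or ipaddress.IPv6Network
    via: str         # "lan" = directly connected, "vpn" = through the tunnel
    metric: int      # lower wins when prefix lengths tie; connected routes get 0


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Host route selection: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table
                  if r.prefix.version == addr.version and addr in r.prefix]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))
    return best.via


def build_table(home_lan: str, tunnel_prefixes: List[str]) -> List[Route]:
    """Connected home LAN route plus the prefixes the VPN client pushes into the tunnel."""
    table = [Route(ipaddress.ip_network(home_lan), "lan", 0)]
    # Metric 50 is a constructed value; real VPN clients vary, but it is never
    # lower than a directly connected route of the same length.
    table += [Route(ipaddress.ip_network(p), "vpn", 50) for p in tunnel_prefixes]
    return table


def overlaps(a: str, b: str) -> bool:
    """Pre-deployment check: does a remote user's LAN collide with a corporate range?"""
    na, nb = ipaddress.ip_network(a), ipaddress.ip_network(b)
    return na.version == nb.version and na.overlaps(nb)


# Constructed corporate ranges for the demonstration.
SERVER_VLAN = "192.168.1.0/24"      # the colliding range from the post
OTHER_VLAN = "10.20.0.0/16"         # a range with no collision
CORP_V6 = "2001:db8:10::/48"        # documentation prefix standing in for a GUA
HOME_V6_ULA = "fd12:3456:789a::/48" # a randomly generated ULA, as RFC 4193 intends


def where_does_it_go(home_lan: str, dst: str) -> Optional[str]:
    """Which next hop a client on `home_lan` uses to reach the corporate host `dst`."""
    return lookup(build_table(home_lan, [SERVER_VLAN, OTHER_VLAN, CORP_V6]), dst)


if __name__ == "__main__":
    # With the overlapping home LAN the server-VLAN host is treated as local: "lan".
    print(where_does_it_go("192.168.1.0/24", "192.168.1.10"))
    # After renumbering the home LAN the same host is reached through the tunnel: "vpn".
    print(where_does_it_go("192.168.50.0/24", "192.168.1.10"))
```

The `overlaps()` check is the part a VPN operator can run ahead of time against the ranges that remote users report; the IPv6 pair never overlaps because the corporate side uses a globally unique prefix, which is the point theevilsharpie makes about IPv6 above.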

Railgun

Golden Member
Mar 27, 2010
1,289
2
81
I misread what you were trying to say.

Yeah. You don't allow split tunnelling. It's also a security advantage that way.
 

mammador

Platinum Member
Dec 9, 2010
2,120
1
76
For now, no. Many applications still use IPv4.

But being proactive is required, at least in these areas:

- Determining strategies for implementation (dual stack, tunnelling, etc.)
- Developing addressing schemes (for all current and future nodes)
- Determining if some nodes need replacement (IPv6 requires IPv6 compliant hosts)
- Contacting the local Internet Registries concerning IPv6 addressing space/blocks
- Identifying if NAT/unique local addressing will be needed (to be honest, this is a highly moot/contentious point in networking circles at present)

IMO, any good IT function will be doing the above, if not to lessen costs later down the road. I would also predict that in 5-10 years, IPv4 will be phased out, and all TCP/IP nodes will have IPv6 compatibility by that time.
 

mammador

Platinum Member
Dec 9, 2010
2,120
1
76
Private networks are actually an area where IPv6 has a huge advantage over IPv4 due to the larger address range. While you're right that an organization probably won't run out of private addresses unless it's a huge corporation, there's a strong possibility that they'll run into an address range overlap at some point. Resolving that overlap requires re-addressing one of the networks, or setting up complex NAT rules. With IPv6, there's no chance for such an overlap to occur.

Even then, private addressing may not exist in IPv6.

A firewall is all that is needed to protect an internal network.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
I misread what you were trying to say.

Yeah. You don't allow split tunnelling. It's also a security advantage that way.

It's worth practically zero additional security, even though it's often touted as a best practice. All it does is make people's jobs harder to do because we have to disconnect/reconnect to the VPN to get shit done. Once I'm connected to the VPN the access is there for whatever tools, infection, etc. to get to your network. I've never had anyone be able to give a concrete example of what it would actually stop besides productivity.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
It's worth practically zero additional security, even though it's often touted as a best practice. All it does is make people's jobs harder to do because we have to disconnect/reconnect to the VPN to get shit done. Once I'm connected to the VPN the access is there for whatever tools, infection, etc. to get to your network. I've never had anyone be able to give a concrete example of what it would actually stop besides productivity.

Well, denying split tunneling is done based on the assumption that the perimeter security at the enterprise is better than the perimeter security at the remote user's home/hotel/etc.

So, if that user has a trojan/backdoor/whatever, it would be far less likely to get through a properly provisioned UTM device at the Enterprise's location, than it would be to get through a SOHO router at an employee's home...especially if that trojan/backdoor/whatever calls home.

Additionally, it would prevent that user from being able to accidentally bridge that VPN connection out to the rest of the network he's connected to.

There are valid reasons. However, most small/medium businesses have crappy security on their networks anyway, so it's pretty irrelevant.

Personally, I prefer things like Terminal Services Gateway or even RemoteApp for making services/applications available for remote use. Or, just provide a virtual remote desktop with PCoIP and VMWare View.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Well, denying split tunneling is done based on the assumption that the perimeter security at the enterprise is better than the perimeter security at the remote user's home/hotel/etc.

So, if that user has a trojan/backdoor/whatever, it would be far less likely to get through a properly provisioned UTM device at the Enterprise's location, than it would be to get through a SOHO router at an employee's home...especially if that trojan/backdoor/whatever calls home.

Additionally, it would prevent that user from being able to accidentally bridge that VPN connection out to the rest of the network he's connected to.

There are valid reasons. However, most small/medium businesses have crappy security on their networks anyway, so it's pretty irrelevant.

One would hope that you have a UTM device on or near your VPN endpoint if you have one on your Internet connection.

And how would one accidentally bridge the connections? Bridging connections in Windows requires a decent amount of effort, it's not a button you can click on without realizing it.
 

theevilsharpie

Platinum Member
Nov 2, 2009
2,322
14
81
Well, denying split tunneling is done based on the assumption that the perimeter security at the enterprise is better than the perimeter security at the remote user's home/hotel/etc.

So, if that user has a trojan/backdoor/whatever, it would be far less likely to get through a properly provisioned UTM device at the Enterprise's location, than it would be to get through a SOHO router at an employee's home...especially if that trojan/backdoor/whatever calls home.

The problem with banning split-tunneling is two-fold:
1. If you block/filter outgoing Internet connections, as Nothinman mentioned, this can impact productivity
2. If you don't block/filter outgoing Internet connections, consumer connections have enough bandwidth to saturate the company's Internet connection unless they have oodles of bandwidth

Believing that potential malware will disable itself if it can't connect to the Internet is foolish. Remote hosts should be considered untrusted and handled accordingly.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
The problem with banning split-tunneling is two-fold:
1. If you block/filter outgoing Internet connections, as Nothinman mentioned, this can impact productivity
2. If you don't block/filter outgoing Internet connections, consumer connections have enough bandwidth to saturate the company's Internet connection unless they have oodles of bandwidth

Believing that potential malware will disable itself if it can't connect to the Internet is foolish. Remote hosts should be considered untrusted and handled accordingly.

This is why I hate having this discussion with people who don't know what they're talking about.

Seriously, did I ever say anything about the malware not being able to connect to the Internet? Wow. Not sure where you got that.

Malware will not be able to hijack a computer if it cannot be reached. A trojan will not be able to report keypresses or screen captures or allow a PC to be part of a botnet if that traffic is run through a UTM appliance that is capable of analyzing and blocking that traffic. Most homes and hotels and coffee shops don't have that. A properly configured organization does.

Arguing against the added security of not allowing split tunneling shows your ignorance. I'm sure you hate it because that's what your work does. But, frankly, it's the right way to handle a dial-in VPN.

You're one of those people who believes that NAT is a form of security, aren't you?
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
One would hope that you have a UTM device on or near your VPN endpoint if you have one on your Internet connection.

And how would one accidentally bridge the connections? Bridging connections in Windows requires a decent amount of effort, it's not a button you can click on without realizing it.

Herp derp, that's my point.

The enterprise has a UTM appliance. The home user does not.

If your VPN concentrator is not located on your perimeter (it happens), your UTM appliance doesn't see the traffic, as it's encrypted. Yes, your VPN concentrator should be on the perimeter, but unless you've denied split tunneling, it's not going to stop anything malicious.

There is no good reason TO enable split tunneling, unless you trust every device that will be connecting, every network from which it will be connecting, and every user who will be connecting to it.

Also, bridging in Windows 7 requires one right click and 2-3 left clicks. It's not hard, and plenty of people do it. Hell, there's probably 3-4 threads in the last 100 in this forum right now that deal with bridging connections in one way or another.
 

theevilsharpie

Platinum Member
Nov 2, 2009
2,322
14
81
Malware will not be able to hijack a computer if it cannot be reached. A trojan will not be able to report keypresses or screen captures or allow a PC to be part of a botnet if that traffic is run through a UTM appliance that is capable of analyzing and blocking that traffic. Most homes and hotels and coffee shops don't have that. A properly configured organization does.

There's no guarantee that a UTM will be able to block a particular botnet. Botnet data is encrypted and usually encapsulated inside a protocol that is commonly allowed out (e.g., HTTPS), so traditional packet filtering isn't going to be effective. UTMs can block known botnets explicitly through botnet blacklists, but that will obviously miss unknown botnets. Whitelists can stop botnets, but nobody uses them because the maintenance makes them impractical. That just leaves SSL inspection (if the botnet uses HTTPS) and IPS, both of which are computationally intensive.

As for your trojan comment, if you seriously think a modern trojan needs an Internet connection to capture keystrokes or other information, I don't know what to tell you.

You're one of those people who believes that NAT is a form of security, aren't you?

I'm one of those people who understand that the security landscape is constantly changing. I understand that hardening techniques (such as no split-tunnels) have trade-offs, and those trade-offs need to be weighed against the security benefit that the hardening technique provides. I also understand that as security threats evolve, past hardening techniques tend to lose their effectiveness, which should prompt a re-evaluation of whether it makes sense to keep using the technique (along with the trade-offs).

But go ahead and keep believing that your UTM will solve all your security ills.
 

theevilsharpie

Platinum Member
Nov 2, 2009
2,322
14
81
There is no good reason TO enable split tunneling...

Reposted, just in case you missed it the first time around:

The problem with banning split-tunneling is two-fold:
1. If you block/filter outgoing Internet connections, as Nothinman mentioned, this can impact productivity
2. If you don't block/filter outgoing Internet connections, consumer connections have enough bandwidth to saturate the company's Internet connection unless they have oodles of bandwidth
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Herp derp, that's my point.

The enterprise has a UTM appliance. The home user does not.

If your VPN concentrator is not located on your perimeter (it happens), your UTM appliance doesn't see the traffic, as it's encrypted. Yes, your VPN concentrator should be on the perimeter, but unless you've denied split tunneling, it's not going to stop anything malicious.

If the UTM is in-line with the VPN traffic then, in theory, it will stop anything malicious coming out of the tunnel whether split tunneling is enabled or not. Just because my default gateway is local doesn't mean the malware won't attempt to go across the tunnel, which is what is trying to be stopped.

If you want true secure remote access, just make your users use RDS or Citrix and don't let them connect their PCs to your network in any way; that's the only way you're truly secure from their home PC.

There is no good reason TO enable split tunneling, unless you trust every device that will be connecting, every network from which it will be connecting, and every user who will be connecting to it.

There are lots of good productivity and business reasons for enabling split tunneling. That is the tradeoff made with any security practice. If you can justify the time loss incurred to the business leaders, more power to you. But in reality any Windows machine is vulnerable, and all of the anti-malware software out there is crap and will likely miss the latest malware your users will find.

Also, bridging in Windows 7 requires one right click and 2-3 left clicks. It's not hard, and plenty of people do it. Hell, there's probably 3-4 threads in the last 100 in this forum right now that deal with bridging connections in one way or another.

I didn't say it was hard, I said it was hard to do accidentally.