SixXS::Sunset 2017-06-06

IPv6 instead of VPN?
[de] Shadow Hawkins on Friday, 14 January 2011 11:28:03
Hello everybody, I am rather new to SixXS but I am very excited about it and wanted to ask if someone has thought about using IPv6 to replace other VPN solutions. I was thinking about something like this: In my company we run most of the services on IIS or Apache servers (plus a Windows 2008 R2 based Active Directory Domain) which would become accessible from the IPv6 internet as soon as I install a SixXS tunnel on our router. If I added a publicly available DNS server which has the IPv6 addresses of the machines, they should be reachable easily as long as you have IPv6 access. Of course I do not want to give everyone access to my Intranet, so I would first disallow incoming connections from outside. But I could do two things:
a) Give our employees SixXS tunnels (is that allowed btw.?) and grant access from our subnet by default
b) Create a simple web interface for our router where you can log in with your domain login. If you are logged in, it will open the firewall for your IPv6 address for some period of time or as long as you are logged in.
Has anybody ever done this? Is it possible to run an Active Directory Domain IPv6 only? Best regards, David
IPv6 instead of VPN?
[nl] Shadow Hawkins on Friday, 14 January 2011 19:38:16
Not sure what you are trying to achieve. If you open up a SixXS tunnel, and have a proper firewall, you could provide your clients with IPv6 connectivity, including VPN clients. I have this working on my network. VPN users connect to the RRAS server on the domain controller, and are given IPv6 addresses. The setup is incredibly easy. Assuming you have prefix 2001:838:XXXX::/48, you could assign your main network 2001:838:XXXX:1::/64, then you would have to assign RRAS the prefix 2001:838:XXXX:2::/64 (or any other, as long as it's different from the prefix used on your intranet). Enable IPv6 forwarding + route advertisements on RRAS and possibly add a route on your router, so that the router knows that 2001:838:XXXX:2::/64 can be reached via the RRAS server. As to running AD on IPv6 only, I haven't tried that yet (I still have the IPv4 stack loaded on clients + DC). I do see IPv6 traffic for Kerberos and LDAP working correctly though, so I guess it would certainly be possible.
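The two mechanisms proposed above (a static allow for whole prefixes such as the intranet and RRAS /64s carved from the delegated /48, and a per-address firewall opening created by a web login that lapses after a fixed period) can be modelled in a few lines. The following is an added example written for this thread, not code from either poster or from SixXS: it carves the /64s from a /48 (the post's XXXX placeholder is replaced by a constructed hextet), keeps a time-limited per-address grant table, and renders the result as ip6tables command strings without executing anything. Note that, as a later reply in this thread points out, a decision based only on the source address is only as strong as the assignment of that address; the example shows the mechanism, not an endorsement of it as the sole control.

```python
"""Time-limited IPv6 source-address allow-list for a firewall front end.

Added example for the SixXS forum thread "IPv6 instead of VPN?".  The
delegated prefix below is a constructed placeholder (assumption), and the
ip6tables lines are only generated as strings, never run.
"""
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, List

# The post writes the delegated prefix as 2001:838:XXXX::/48; "abcd" is a
# constructed stand-in for the unknown hextet.
DELEGATED_PREFIX = IPv6Network("2001:838:abcd::/48")


def nth_subnet(prefix: IPv6Network, index: int, new_prefix: int = 64) -> IPv6Network:
    """Return the index-th /new_prefix inside prefix (index 1 -> ...:1::/64)."""
    width = new_prefix - prefix.prefixlen
    if width < 0 or not 0 <= index < 2 ** width:
        raise ValueError(f"index {index} does not fit in a /{new_prefix} carve of {prefix}")
    base = int(prefix.network_address)
    return IPv6Network((base + (index << (128 - new_prefix)), new_prefix))


@dataclass
class AccessPolicy:
    """Static prefix allows plus per-address grants that expire."""

    static_prefixes: List[IPv6Network]
    grant_seconds: int = 3600                       # how long a login keeps the door open
    grants: Dict[IPv6Address, float] = field(default_factory=dict)  # address -> expiry time

    def login(self, addr: str, now: float) -> IPv6Address:
        """Record a successful web login from addr; the grant lasts grant_seconds."""
        a = IPv6Address(addr)
        self.grants[a] = now + self.grant_seconds
        return a

    def logout(self, addr: str) -> None:
        """Drop the grant immediately when the user logs out."""
        self.grants.pop(IPv6Address(addr), None)

    def is_allowed(self, addr: str, now: float) -> bool:
        """Static prefixes always pass; grants pass until their expiry."""
        a = IPv6Address(addr)
        if any(a in net for net in self.static_prefixes):
            return True
        expiry = self.grants.get(a)
        if expiry is None:
            return False
        if now >= expiry:
            del self.grants[a]                      # lazy expiry of stale entries
            return False
        return True

    def ip6tables_rules(self, now: float, chain: str = "INPUT") -> List[str]:
        """Render the live policy as ip6tables commands (strings only)."""
        rules = [f"ip6tables -A {chain} -s {net} -j ACCEPT" for net in self.static_prefixes]
        for a, expiry in sorted(self.grants.items()):
            if expiry > now:
                rules.append(f"ip6tables -A {chain} -s {a}/128 -j ACCEPT")
        rules.append(f"ip6tables -A {chain} -j DROP")   # default deny for everything else
        return rules


def build_policy() -> AccessPolicy:
    """Address plan from the post: intranet on :1::/64, RRAS clients on :2::/64."""
    intranet = nth_subnet(DELEGATED_PREFIX, 1)
    rras = nth_subnet(DELEGATED_PREFIX, 2)
    assert not intranet.overlaps(rras)              # the post insists the two differ
    return AccessPolicy(static_prefixes=[intranet, rras])


if __name__ == "__main__":
    policy = build_policy()
    policy.login("2001:db8::1", now=0.0)            # constructed remote worker address
    print("\n".join(policy.ip6tables_rules(now=10.0)))
```

The per-address grant is keyed on a /128, so a client whose address changes (a new tunnel endpoint, for example) needs to log in again; widening the grant to the client's /64 trades that friction for a larger opening, which is exactly the trade-off the rest of this thread argues about.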
IPv6 instead of VPN?
[de] Shadow Hawkins on Monday, 17 January 2011 10:13:12
No, I was not thinking about getting IPv6 via a VPN connection but about using it instead of a VPN. I just do not like the offered VPN solutions...
IPv6 instead of VPN?
[dk] Shadow Hawkins on Monday, 17 January 2011 13:45:49
Well, just as you could set up your firewall etc. to allow routing between two IPv4 networks, you can allow access between two IPv6 networks, whether the remote clients connect directly to the central system or get a separate (SixXS) tunnel with their own network range. Whether it is "secure" enough, i.e. traffic can't be intercepted, snooped or faked, I don't want to go into (i.e. don't know). Leif
IPv6 instead of VPN?
[de] Shadow Hawkins on Monday, 17 January 2011 14:25:25
The difference is that you can get static IPv6 addresses for your clients and set up the firewall rules correspondingly. Ah, and you can get an IPv6 subnet for free while this is very cost-intensive for IPv4...
IPv6 instead of VPN?
[nl] Shadow Hawkins on Monday, 17 January 2011 16:04:54
Now I understand your intentions a little better. I would strongly advise against this. You seem to be suggesting to open up LDAP and Kerberos to those fixed-IP remote workers, which effectively opens up your DC to the outside world, with the only authentication going on (prior to access) being a fixed IP address. Use the VPN stuff that is included, it is rock solid and has certificate based authentication, which is far better than relying on a fixed IP address to let traffic through.
IPv6 instead of VPN?
[de] Shadow Hawkins on Tuesday, 18 January 2011 00:22:08
Well, I think, as the users use SixXS.net for IPv6 access or authenticate via a web interface before, it is very unlikely that someone could access the network without permission. He could only spoof the address which is, imho, nearly impossible with SixXS.net (unless one of SixXS.net spoofs it or someone steals the credentials). In other networks it 'might' be more possible but I think it is still unlikely there (haven't read anything about IPv6 spoofing yet). However, even if you have access to our network (where I do not want to set barriers too high) you still do not have access to our services. Our users will mostly use Apache and IIS services which all have SSL set up and most of them have non-SSL access forbidden. The only thing that I might need to forbid is access to the Samba server as the file transfer is not encrypted, afair. Btw., aren't LDAP and Kerberos encrypted, too? PS: We already have a VPN set up (using Win2008 R2), I do not like it very much and users complain that it is not always 100% stable.
IPv6 instead of VPN?
[nz] Carmen Sandiego on Tuesday, 18 January 2011 09:26:52
In principle, VPN technology is 100% stable: if you have a problem, then either you have tickled a bug in Microsoft's implementation (I don't know - I've never used it), or have some configuration/hardware/etc problem. I'd recommend looking at OpenVPN - if you run it as a service on your laptops/etc, it can even be "always on"... We're using it (Linux server with Microsoft and Linux clients) and it only goes down when the user's link goes down... You really don't want to drop VPN technology for IPv6 - they are not equivalent...
IPv6 instead of VPN?
[ch] Jeroen Massar SixXS Staff on Tuesday, 18 January 2011 17:20:10
As you have Windows 2008, you might want to look at Microsoft Direct Access which is a "VPN" of sorts, as it uses IPSEC IPv6 to control access to resources.
IPv6 instead of VPN?
[nl] Shadow Hawkins on Tuesday, 18 January 2011 19:47:38
Yep, that's the "killer" feature for Server 2008 R2 as it is a VPN-like feature, but without the need to initiate the actual VPN connection (i.e. dial). IPv6 is required to make it work properly.
IPv6 instead of VPN?
[de] Shadow Hawkins on Wednesday, 19 January 2011 12:05:55
This sounds interesting but it does not fulfill my requirements:
a) I want to get away from Windows servers (they suck)
b) People need access from their Windows XP machines and iPads
Also why would I need to encrypt data which is already encrypted? Btw., in the meantime I implemented IPv6 in my company and used it for some backup transfer. It works perfectly and as expected.
IPv6 instead of VPN?
[ch] Jeroen Massar SixXS Staff on Wednesday, 19 January 2011 13:44:18
My first answer is that a person who just claims that something sucks does that him/herself... Secondly, Direct Access is the combination of IPsec and Active Directory for key management; you can replicate that on any other platform too, but you'll have to do it yourself (although OpenSWAN comes to mind, especially with opportunistic encryption which might be able to do it for you with some changes).
b) People need access from their Windows XP machines and iPads
As you can't install much custom stuff on iPads, forget about that, unless you are just going to do HTTPS. For XP, you might just want to upgrade that OS from 2001, which is now 10 years ago. Do also note that the XP IPv6 stack has quite a number of odd flaws, which is yet another good reason to update.
Also why would I need to encrypt data which is already encrypted?
When you enable ESP yes, if you just use AH then no.
IPv6 instead of VPN?
[no] Shadow Hawkins on Wednesday, 26 January 2011 11:40:08
Migrating to IPv6 and using a VPN are two different issues. Having IPv6 will solve a number of issues with VPNs, however. Having official addresses everywhere, and lots of them, tends to make trivial stuff a lot easier. Now we are back to 1992, able to write good corporate address plans again. IPv6 also solves the MTU issues that plague VPNs. If you run something that relies on realtime performance over lossy networks you will see that classic VPNs degrade about as gracefully as X.25 (i.e. not gracefully at all). At the link layer they use the same retransmit algorithm, Tanenbaum's protocol 4. There are lots of tools to build VPNs. OpenVPN and vtun are the ones I would look into. With vtun you can get per-packet keying, which helps with the realtime stuff. The Linux access point WRT54 and siblings (Asus has a good one too) running DD-WRT images can be a great help for such VPNs, as they can encapsulate the scary stuff inside a cheap box. -- mrr


Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker