SixXS::Sunset 2017-06-06

Simplest method for IPv6 access for organisations?
[ca] Shadow Hawkins on Tuesday, 26 April 2011 01:59:30
For organisations that don't want to have to switch all their hardware to IPv6 in one shot, would the following scenario make sense:
- For public facing web servers add an ipv6/ipv4 proxy that links the existing IPv4 based servers with the IPv6 internet
- For the intranet install an ipv4/ipv6 proxy server that allows hosts to talk to the IPv6 internet

In each case I imagine a proxy server, IPv6 capable router and firewall being needed. The idea is to avoid being cut off from the IPv6 internet, but give the organisations time to monitor the increase in IPv6 demand while keeping costs low. As the IT department sees a significant increase in IPv6 traffic they can make a case for a budget to take the next step.

In the second scenario I can imagine Squid 3.1+ being used, but for the first scenario I am not sure. What would you suggest? Any feedback would be appreciated.
Simplest method for IPv6 access for organisations?
[us] Shadow Hawkins on Tuesday, 26 April 2011 15:29:21
You are running public-facing Web servers with kernels so old that they are not dual-stack?
Simplest method for IPv6 access for organisations?
[ch] Jeroen Massar SixXS Staff on Monday, 02 May 2011 17:46:54
The problem with your proposal is that you need to stuff something in the middle to enable it to speak IPv6. Either you need to configure all the clients to use an HTTP proxy server (and hope that those also support HTTPS) and on the other side you need to move the existing setups away from their current ip/port and stick the IPv6-enabled version in the middle. As most software is IPv6 enabled, and OSs also, IMHO you should just upgrade them properly. For the client side, the proxy trick might work, but will require you to either inspect all port 80/443 traffic and/or push configuration to all the clients that they should use a proxy. Better to enable IPv6 in the network by routing it and enabling IPv6 on clients that need it.
Simplest method for IPv6 access for organisations?
[dk] Shadow Hawkins on Tuesday, 03 May 2011 11:50:14
I may be overlooking some things, but the simple answer is "just do it". If you do not have native ipv6, get a tunnel. It might not even terminate on the border router, it can be any machine inside, which becomes the ipv6 gateway. Set up proper ipv6-firewalling, as there is no protection from NAT as in ipv4. Most hardware need not be changed: either it is too dumb to know either ipv4 or ipv6 and just passes bits, or it is clever enough to understand ipv6. Most OSes support ipv6. Printers etc. need not know ipv6, as they are rarely to be accessed from outside the local network, where I guess for many years a local ip-range like 10.x.x.x or 192.168.x.x is used in parallel to ipv6.
Simplest method for IPv6 access for organisations?
[ch] Jeroen Massar SixXS Staff on Tuesday, 03 May 2011 11:55:27
> If you do not have native ipv6, get a tunnel. It might not even terminate on
> the border router, it can be any machine inside, which becomes the ipv6 gateway.

Indeed, this is also the prime reason various transition mechanisms exist: to help move to IPv6 even though there is no native IPv6 available. SixXS is just one piece of the puzzle there and there are other options still available. As traffic is generally quite low still in IPv6, a tunnel is perfect for solving this problem quickly. Of course if you require some kind of SLA the best way is to have started inquiring with your suppliers (ISPs, hardware etc) several years ago already, and otherwise, jump on them now! ;)
Simplest method for IPv6 access for organisations?
[ch] Shadow Hawkins on Wednesday, 08 June 2011 10:18:42
<Just sharing> After some playing around I also decided to start "light" with squid. I am running ubuntu 10.04 LTS with the aiccu package and compiled squid 3.2 from source because the squid3 package is old and did not work for me. Since this machine is inside the LAN, I used ufw to secure the system:

    sudo ufw allow 41 # required for the tunnel
    sudo ufw allow 22/tcp # secure remote access
    sudo ufw allow from 192.168.1.0/24 to any port 3128 # allow proxy in the LAN
    sudo ufw deny from <sixx ipv6> to any port 3128
    sudo ufw enable

Then checked http://ipv6.wcclan.net/portscan to check. Different clients browse now over squid, and all is running fine over the ipv6 tunnel.
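
An added example, not part of the thread: a local audit for the point made above that IPv6 gives no NAT protection, so a listener bound to an IPv6 wildcard or routable address (the proxy port 3128 in the last post, for instance) is reachable through the tunnel unless the firewall blocks it. The `ss -H -ltn` column layout, the function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")  # unique local addresses, not Internet-routable

# Constructed sample of `ss -H -ltn` output for a dual-stack proxy host (assumed format).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:3128 [::]:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 128 192.168.1.10:53 0.0.0.0:*
LISTEN 0 128 [2001:db8:1::2]:80 [::]:*
LISTEN 0 128 [fe80::1%eth0]:546 [::]:*
LISTEN 0 128 *:8080 *:*
"""

def parse_local(field):
    """Split the 'Local Address:Port' field into (host, port)."""
    host, port = field.rsplit(":", 1)
    # Drop the [] around IPv6 literals and any %zone suffix.
    return host.strip("[]").split("%")[0], int(port)

def ipv6_exposed(ss_output, allowed_ports=()):
    """Return (host, port) listeners reachable over routable IPv6, sorted by port."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, port = parse_local(cols[3])
        if port in allowed_ports:
            continue  # port the operator intends to publish over IPv6
        if host == "*":  # dual-stack wildcard socket: answers on every IPv6 address
            exposed.append(("::", port))
            continue
        addr = ipaddress.ip_address(host)
        if addr.version != 6:
            continue  # IPv4 listener: not an IPv6 exposure
        if addr.is_loopback or addr.is_link_local or addr in ULA:
            continue  # not reachable from the IPv6 Internet
        exposed.append((str(addr), port))
    return sorted(exposed, key=lambda e: e[1])

if __name__ == "__main__":
    for host, port in ipv6_exposed(SAMPLE_SS):
        print(f"[{host}]:{port} is reachable over IPv6: firewall it or bind it to the LAN")
```

On a real host, pass the captured output of `ss -H -ltn` instead of `SAMPLE_SS` and compare the result with the ip6tables/ufw rules in force.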

Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker