08-29-2013 11:12 PM - edited 03-01-2019 05:41 PM
Hi,
We have a customer and we need to migrate the existing IPv4 network to IPv6. As Natting has been removed from IPv6 and IPsec is a mandatory feature in IPv6.
I want to know: when my inside network goes to the outside world, it will carry the exact inside / local or private network address. So an outside user can easily hack or view my inside network IP address and can access the core network.
So, what can we implement in IPv6 so that my inside traffic is natted to some other global or public network, so that outside users cannot use my local IP addresses?
Kindly confirm.
08-29-2013 11:42 PM
First some clarification:
1) IPSec is not mandatory any more. That has been removed in the actual RFCs
2) depending on the devices you can use NAT also for IPv6
One nice thing about IPv6 is end-to-end reachability, which makes the operation of the network much easier. (I can't count how many times customers configured their FTP server wrong to make NAT work.) So if you actually don't need NAT, that could be a reason to be happy about it (ok, unless you need to be PCI-compliant; or has that requirement also changed?)
And yes, by default everyone can see your internal IP addresses. For security you should deploy a firewall solution, but that is no different than it is today. Ok, we all know that many people rely only on NAT, but that's not the best way to connect a network to the internet.
If you want externals not to see the real IP of your inside systems, then you can use privacy extensions, which change the host portion of the address. But of course your assigned prefix will be the same, but that is also no different than today, where your NATed packets always have the public IPs that are assigned to your company.
08-30-2013 06:47 AM
I'm with him; end-to-end connectivity is so much better. However, there are also private, non-routable addresses in IPv6 that you could use for machines that don't need access to the Internet.
08-30-2013 09:28 PM
Thanks for the info.
But actually the customer has a banking network setup which requires highly secured traffic over the Internet and ISP.
Currently he is using IPv4 with natting on firewalls, but natting is not available in IPv6, so how can we translate our inside network addresses to an outside / global or public network, so that an outside user cannot access my network with the inside network addresses? As I understand, when the IPv6 packet flows over the network and Internet it will carry the same inside local addresses which is not secure.
So how can we hide my local inside P / servers IP, firewall IP and core IP from outside users, or how can we NAT or translate these addresses on the firewall or Internet router?
I have tried to explain my query and I hope you can understand and share some more solutions or documents.
08-30-2013 11:32 PM
"when the IPv6 packet flows over the network and Internet it will carry the same Inside local addresses which is not secure"
In fact it is not more secure, it only seems so. The security comes from strict filtering rules and possibly various deep packet inspection mechanisms that are also IPv6 aware.
But you can use NAT if you want. There are devices that can do NAT on IPv6. The Cisco ASA is one of them and probably there are some more on the market.
Some more reading for IPv6 and NAT/Security:
IPv6 NAT on the ASA:
Ripe: IPv6 Security - An Overview:
https://labs.ripe.net/Members/johannes_weber/ipv6-security-an-overview
Network Computing: 4 IPv6 Security Fallacies:
http://www.networkcomputing.com/ipv6/4-ipv6-security-fallacies/240159771
RFC 6296 - IPv6-to-IPv6 Network Prefix Translation:
http://tools.ietf.org/html/rfc6296
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
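Added example, not part of the thread or of any poster's reply: a Python implementation of the checksum-neutral /48 prefix mapping from RFC 6296 (NPTv6), the last link in the reading list above. It shows that the translation is a stateless one-to-one mapping that leaves the interface identifier unchanged, so it hides the internal prefix but filters nothing; the firewall rules discussed in the replies are still what protects the inside hosts. The class and function names are hypothetical, and the two prefixes are the ones used in the RFC's own example.

```python
import ipaddress

def words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    raw = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, 16, 2)]

def oc_add(a, b):
    """16-bit ones' complement addition (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def oc_sum(ws):
    """Ones' complement sum of a list of 16-bit words."""
    total = 0
    for w in ws:
        total = oc_add(total, w)
    return total

class Nptv6:
    """Stateless /48-to-/48 prefix translator (hypothetical class name)."""
    def __init__(self, internal, external):
        self.internal = ipaddress.IPv6Network(internal)
        self.external = ipaddress.IPv6Network(external)
        if (self.internal.prefixlen, self.external.prefixlen) != (48, 48):
            raise ValueError("only /48 prefixes are handled here")
        int_sum = oc_sum(words(self.internal.network_address)[:3])
        ext_sum = oc_sum(words(self.external.network_address)[:3])
        # adjustment = internal prefix sum - external prefix sum (ones' complement)
        self.adjust = oc_add(int_sum, ~ext_sum & 0xFFFF)

    def _rewrite(self, addr, src, dst, delta):
        addr = ipaddress.IPv6Address(addr)
        if addr not in src:
            raise ValueError(f"{addr} is not inside {src}")
        w = words(addr)
        w[:3] = words(dst.network_address)[:3]   # swap the routing prefix
        w[3] = oc_add(w[3], delta)               # compensate in the subnet word
        if w[3] == 0xFFFF:                       # RFC 6296: 0xFFFF is written as 0
            w[3] = 0
        return ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in w))

    def outbound(self, addr):
        return self._rewrite(addr, self.internal, self.external, self.adjust)

    def inbound(self, addr):
        return self._rewrite(addr, self.external, self.internal, ~self.adjust & 0xFFFF)

nat = Nptv6("fd01:203:405::/48", "2001:db8:1::/48")  # prefixes from the RFC's example
public = nat.outbound("fd01:203:405:1::1234")
print(public, nat.inbound(public))
```

Because the mapping is reversible without any state, every inside address has exactly one outside address that reaches it unless a filter drops the packet.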