
Is IPv6 actually desirable? (rfcat_vk)

I've tried to follow rfcat_vk's excellent documentation of the current state of IPv6 in SFOS. And I've been feeling like I'm missing out that my ISP doesn't offer IPv6 (they've said "coming soon" for a year now, maybe more). But the more I look into it, the less benefit I see. I almost don't want it to drop at this point.

It avoids NAT, but NAT doesn't really slow things down and the only IPv4 workaround I'm familiar with that I need is SIP ALG (which in SFOS appears to work well). With almost all critical communications using TLS, it doesn't seem like IPv6 actually adds much for security. In fact, it seems like a security wash in some ways with ICMP becoming so critical to IPv6 working.

It provides a little tracking advantage with the ability to have different, changing IP addresses for each machine that communicates with the outside world. Which is cool.

But at a minimum, I'd have to run the XGS in dual-stack mode indefinitely. For example, I have a VPN and I may need to reach it from an area or an ISP that doesn't provide IPv6, so I'll need IPv4 for that pretty much until IPv4 is turned off in the Western Hemisphere.

My ISP will benefit from IPv6: smaller routing tables, etc. But it really doesn't feel like I have any real draw to get IPv6. An advantage here and there, a new adventure, but pretty much completely balanced out by disadvantages.

What am I not seeing? (Besides my ISP getting IPv6 and setting a deadline after which it won't support IPv4.)

Thanks!



This thread was automatically locked due to age.
  • I hope that one of the things they will implement is NPT6 (Network Prefix Translation), which would give us flexibility in terms of IPv6 failover, and if done right it could make PD changes trivial and instant. I hadn't heard of it before.

    THE WHY... Here's some information I've gathered on IPV6 and why things work as they do on the Sophos Firewall.

    I've been doing a bit of digging, and Sophos Firewall uses busybox under the hood for a lot of its commands. This is a smart choice, because it's compact and fast. The DHCP client in busybox evidently has a command line argument for IPv6 PD, but it doesn't work. (Or at least it's been reported as not working in the busybox forums at one point.)

    The most likely alternative server would be dnsmasq, which is small and written in C/C++ and can do both DNS and DHCP (and DHCPv6 and RAs). Not sure about DHCP clients. No alternative seems to do NPT6 though :-(

    Linux has two separate executables for firewall rules, iptables and ip6tables, which is probably why Sophos has two different tabs for IPv4 and IPv6 firewall rules. Sophos could perhaps stitch the two together in the GUI, but this might not be a trivial task and could potentially lead to strange bugs -- especially for rules that we want to apply to both environments.

    If you want your mind blown, in Advanced Shell you can type "iptables -L" and you'll see a nearly incomprehensible listing of the raw firewall rules. WAY more complicated than the various "iptables is easy" blog postings you'll find online.

    So, to the extent that Sophos continues to keep relying on Linux and open source, we may or may not see some improvements to IPV6 any time soon.
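The NPT6 the reply hopes for is the RFC 6296 prefix translation; as an added illustration (not Sophos code and not from the post), this Python maps a constructed internal ULA /48 to a constructed external /48 the way RFC 6296 does it, adjusting the 16-bit subnet word so the one's complement sum of the address is unchanged. That checksum neutrality is what lets a prefix change happen statelessly without rewriting TCP/UDP checksums, which is why a PD change could be cheap.

```python
# RFC 6296 (NPTv6) checksum-neutral mapping between two /48 prefixes.
# Added example, not Sophos code; both prefixes are constructed.
import ipaddress

INTERNAL = ipaddress.IPv6Network("fd01:203:405::/48")  # constructed inside ULA /48
EXTERNAL = ipaddress.IPv6Network("2001:db8:1::/48")    # constructed ISP-delegated /48

def words(addr):
    """Eight 16-bit words of a 128-bit address, most significant first."""
    n = int(ipaddress.IPv6Address(addr))
    return [(n >> (16 * (7 - i))) & 0xFFFF for i in range(8)]

def ones_sum(ws):
    """One's complement sum with end-around carry (the TCP/UDP checksum arithmetic)."""
    total = 0
    for w in ws:
        total = ((total + w) & 0xFFFF) + ((total + w) >> 16)
    return total

def adjustment(internal, external):
    """Internal-prefix sum minus external-prefix sum, one's complement (RFC 6296 3.1)."""
    inner = ones_sum(words(internal.network_address)[:3])
    outer = ones_sum(words(external.network_address)[:3])
    return ones_sum([inner, (~outer) & 0xFFFF])

def translate(addr, dst, adj):
    """Swap in dst's /48 and fold adj into word 3 so the address sum is unchanged."""
    ws = words(addr)
    if ws[3] == 0xFFFF:
        # 0xFFFF and 0x0000 are both zero in one's complement, so this subnet
        # value has no reversible mapping; RFC 6296 excludes it from translation.
        raise ValueError("subnet word 0xFFFF is not translatable")
    new = ones_sum([ws[3], adj])
    ws[3] = 0 if new == 0xFFFF else new  # RFC 6296: a result of 0xFFFF becomes 0x0000
    ws[:3] = words(dst.network_address)[:3]
    return str(ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in ws)))

def inside_to_outside(addr):
    return translate(addr, EXTERNAL, adjustment(INTERNAL, EXTERNAL))

def outside_to_inside(addr):
    # Reverse direction subtracts the adjustment, i.e. adds its one's complement.
    return translate(addr, INTERNAL, (~adjustment(INTERNAL, EXTERNAL)) & 0xFFFF)

def checksum_neutral(a, b):
    """True when both addresses have equal one's complement sums (0xFFFF == 0)."""
    return ones_sum(words(a)) % 0xFFFF == ones_sum(words(b)) % 0xFFFF
```

With these prefixes the inside host fd01:203:405:1::10 appears outside as 2001:db8:1:d550::10, and the mapping round-trips without any per-flow state.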

