Cisco Blogs



IPv6 and the Security Implications You Don’t Want to Miss

October 18, 2012 at 5:00 am PST

In a previous blog, I discussed questions you should ask before peering with your SP and possible configuration options.  Since the Internet edge is where this peering occurs, it should also be the first point where you start to apply your organization’s security policies.  Security is a critical part of IPv6 integration because IPv6 opens up another transport path into your network.


Why Would Anyone Need an IPv6-to-IPv6 Network Prefix Translator?

The upcoming World IPv6 launch is stimulating a lot of conversation around IPv6 deployment and common deployment scenarios. People regularly ask “where’s my NAT,” which is something we have tried to address in architectural discussions in RFC 2993, RFC 4864, and RFC 6269. Margaret Wasserman and I have worried specifically about the implications of the multiplication of provider-independent addresses at the edge and the issues of multihoming, and described a model for IPv6 network prefix translation that we think addresses most of the issues and yet facilitates scalable multihoming without provider-independent addressing and the bloating of the route table it implies. Per-residential-customer multihoming is currently in use for NTT BFLETS in Japan.

My colleague Andrew Yourtchenko, whom many of you may know from IPv6 events, has a very different opinion about network address translation. If anything, he would like to get rid of it. Andrew has contributed to some 14 RFCs on the topic of transition and has much of value to say.

While I agree with Andrew on a number of issues, I don’t agree about the model in which one deploys a prefix allocated by each of one’s upstream providers on each of the LANs in a network. I think that while we have reduced costs for ISPs in the smaller route table, we have significantly expanded the complexity faced by the edge network without giving them a benefit that they readily recognize. I agree with the end-to-end model and the ability to deploy new applications anywhere in the network, but I think that stateless prefix translation can meet those issues and help in managing the size of the route table. Andrew and I recently weighed the pros and cons of our different opinions and included our thoughts in this blog. What is your opinion on this topic?
