how_gauche | 5 years ago

You're supposed to use DHCPv6 or Neighbor Discovery -- like everything else in IPv6-land, it's significantly more complicated than it is over IPv4.

I don't run the whole network IPv6 -- for hosts I care about having an IPv6 egress for, I use a WireGuard tunnel in IPv6 private address space to a bastion host. If I want to expose a port, I forward it from the other side. It's a sad state of affairs :-(

gertrunde|5 years ago

I'm not sure it's that much more complicated as such, beyond being different/unfamiliar.

Just setting up SLAAC is very straightforward, probably (ignoring any unfamiliarity issues) more simple than DHCP?

Pulling addresses from your service provider via prefix delegation can be a bit funny, and could do with being a lot more polished. Instructions/community support in particular can be problematic as ISPs tend to use different prefix lengths, rather than just standardising on /56. And also less relevant if you have a static allocation, which is potentially more likely with IPv6 than IPv4.

And DNS becomes more important, as does firewalling, no more relying on the somewhat dubious NAT safety net.

Havoc|5 years ago

Is your WireGuard IPv6 setup a security consideration or working around a technical issue with your ISP?

My ISP seems to have IPv6 out of the box, but a little worried about security given its NAT-less nature

how_gauche|5 years ago

It's mainly so I can "road warrior" to my internal resources from my laptop transparently. IPv6 is a good choice for this since it won't conflict with any NAT address space you're likely to be on.