Understanding IPv6

PeterUK · February 5

Can't say I'm looking forward to the day of IPv6 but here is something I don't get about IPv6 depending on how it deployed.

So Ipv4 is somewhat simple due to having it been to only way we have a WAN IP and LAN subnets which the IP's of can't go out on the internet and so NAT.

But with IPv6 we now can have LAN subnets with there IP's can go out on the internet which we have to configure? But what if the deployment of IPv6 is random or if you move your IPv6 subnet you was given needs to change? Then your LAN subnets are all wrong? So my take on this is LAN subnets and address objects need to auto adjust based on what the WAN interface gets to then adjust all LAN subnets.

The other thing will be inbound traffic mapping because I don't seem to see how a device when getting a IPv6 can be static which would not work so it be random? as to the control of traffic for inbound to a server so I think to best way to solve that is MAC control for a policy rule this way the MAC can be looked up to its IPv6 to allow the traffic.

Zyxel_Melen · February 6

Hi @PeterUK

Not all ISP use PPPoE to provide IPv6. I think you should ensure which method is your ISP use first.

If the ISP use PPPoE to provide IPv6, they will also provide the DHCPv6 option "PD(Perfix Delegation)" for you. You can use it as the LAN DHCPv6 Advertised perfix. This will also change once the WAN IPv6 change (reference relationship.)

Handbook P662.

https://download.zyxel.com/USG_FLEX_200/handbook/USG%20FLEX%20200_ZLD5.31_Handbook.pdf

If ISP provide static IPv6 range, you can use the DUID to set a static DHCPv6 IP binding. The DUID is value that transform from the device's MAC address.

Additionally, firewall is a layer 3(IP layer) device. It doesn't have a MAC table, and because of it, the security policy can't restrict the traffic by MAC.

Understanding IPv6

All Replies

Categories

Security Help Center