alt Hacker NewsCorporate laptop won’t work (their version of windows seems to require an ipv4 adddess on an interface, not sure if that’s a windows thing or a them thing)
Doesn’t remove the need for nat - my wired IsP might be able to bgp with me, but my backup 5g won’t, and when I want to choose which to send my traffic through with PBR that means natting.
My router doesn’t support 64, so I have to use my isp’s which is speed constrained compared with native 4. Ok that’s on my setup. Haven’t tested my 5g provider and where 64 occurs, I’d hope in their network, but how do I configure my dns64.
Still need to provide v4 at the edge and thus 46 nat so I can reach internal v6 only servers from v4 only locations
Perhaps lost of that is because my router doesn’t do 64, but again that just shows that v4 is still essential. I haven’t found a single service that’s v6 only, so if I have to run a v4 network (even if only as far as a 64 natting device) why bother running two networks, double the opportunity for misconfiguration and thus security holes. Enabling dual v6 on my IoShit network would allow more escape routes for bad traffic, meaning another set of firewall rules to manage. Things like SLACC make it harder to work out what devices are on the network, many end user devices are user hostile now and keeping control of them on v4 alone is less work than in v4 and v6.
Replies
>their version of windows seems to require an ipv4 adddess on an interface
Could be DirectAccess. Microsoft's earlier built-in VPN solution before Always On VPN. DirectAccess works only with IPv4 inbound so you can't use IPv6 only stack. Under the hood it uses a combination of v4-v6 transition and translation protocols, but it still requires the Windows client machines to have IPv4 addresses.
If you can run PowerShell commands on the laptop and if "Get-DnsClientNrptPolicy" returns some DirectAccessDnsServers then it's DA laptop.
> Doesn’t remove the need for nat - my wired IsP might be able to bgp with me, but my backup 5g won’t, and when I want to choose which to send my traffic through with PBR that means natting.
Yes, it does. You just have each of your routers (wired and 5G) advertise the /64 prefix delegated by each of your ISPs. Your hosts will self-assign a v6 address from each prefix.
To control which link the traffic uses, you just assign router priority in the router advertisement (these are all standard settings in radvd.conf).
> Things like SLACC make it harder to work out what devices are on the network
Again, not true. If you really don’t trust your devices, then DHCP isn’t going to save you. Malicious hosts absolutely can self assign an unused v4 address, and you’ll be none the wiser if you just look at your DHCP leases.