IPv6 Firewall Rules

I set up a Hurricane Electric tunnel to get my house on IPv6 (Verizon fails to deliver!) and was given a /64 allocation. I then set up a Router Advertisement daemon to get every computer online. Yippee!

But there’s a problem: now every computer in my house is exposed to the wrath of the Internet. While the autoconfigured (SLAAC) addresses look “random” and are hard to guess inside a /64, a client’s address still leaks through a variety of means (its outbound connections, DNS, server logs), so the size of the prefix is not a defense. So I set up some basic IPv6 firewall rules to protect my clients.

Here is my script:


#!/bin/sh
# Flush the chain first so re-running the script does not append
# duplicate rules
ip6tables -F FORWARD

# Default policy: anything not matched by a rule below is dropped
ip6tables -P FORWARD DROP

# Accept SSH (inbound to any host behind the router)
ip6tables -A FORWARD -p tcp --dport 22 -j ACCEPT

# Accept everything from the LAN out to the tunnel
ip6tables -A FORWARD -i eth0 -o he-ipv6 -j ACCEPT

# Accept all ICMPv6 from the tunnel, kinda necessary (PMTUD, errors, ping)
ip6tables -A FORWARD -i he-ipv6 -o eth0 -p icmpv6 -j ACCEPT

# Accept replies belonging to connections our clients initiated
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Here is an explanation:

  1. The default FORWARD policy is to drop every packet that no rule below accepts.
  2. I accept all forwarded packets to port 22 (SSH) – This is because I frequently ssh into my personal machine while on the road.
  3. Everything from the LAN (eth0) out to the tunnel (he-ipv6) is accepted, so the clients can reach the IPv6 Internet.
  4. I accept all ICMPv6 packets coming in from the tunnel: First because I want to be able to test with ping and such, but also because IPv6 depends on it (Packet Too Big for path MTU discovery, Destination Unreachable, Time Exceeded). Accepting every ICMPv6 type is broader than strictly needed; RFC 4890 lists the types a firewall should pass.
  5. I accept all packets belonging to a connection that my clients initiated (ESTABLISHED,RELATED). This means I can arbitrarily connect out, but others cannot arbitrarily connect in.

Note that these rules only cover traffic forwarded through the router. The router itself, the he-ipv6 tunnel endpoint, is governed by the INPUT chain, which this script does not touch.

I tested this out and it worked! There, now my personal home printer is not online 🙂
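For comparison, here is a tighter FORWARD rule set as an added example (not code from the original post or from Fabio Firmware). It keeps the structure of the script above but replaces the accept-all ICMPv6 rule with the specific types RFC 4890 says a firewall must pass, uses conntrack state matching, and flushes the chain so the script can be re-run. The interface names eth0 and he-ipv6 are the post's; the helper name ipv6_rules, the 10/s ping limit and the use of -m conntrack are assumptions.

```bash
#!/bin/sh
# Added example, not part of the original post: a tighter version of the
# FORWARD rules above. Instead of accepting every ICMPv6 type from the
# tunnel, it passes only the types RFC 4890 says a firewall must not drop
# (errors needed for PMTUD and reachability, plus rate-limited ping).
# The interface names eth0 / he-ipv6 come from the post; the function
# name, the rate limit and the use of -m conntrack are assumptions.

LAN=eth0
TUN=he-ipv6

# Emit the rules as text so they can be reviewed before being applied
# (as root) with:   ipv6_rules | sh
ipv6_rules() {
    # Start from an empty chain so re-running never appends duplicates.
    echo "ip6tables -F FORWARD"
    echo "ip6tables -P FORWARD DROP"

    # Replies to connections our clients opened, and related ICMPv6
    # errors. conntrack also tracks ICMPv6 echo, so replies to our own
    # pings come back through this rule.
    echo "ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Packets conntrack cannot attribute to any connection.
    echo "ip6tables -A FORWARD -m conntrack --ctstate INVALID -j DROP"

    # Anything from the LAN out to the tunnel.
    echo "ip6tables -A FORWARD -i $LAN -o $TUN -j ACCEPT"

    # Inbound SSH, as in the original rules.
    echo "ip6tables -A FORWARD -i $TUN -o $LAN -p tcp --dport 22 -j ACCEPT"

    # ICMPv6 error types that must never be filtered (RFC 4890 4.3.1):
    #   1 Destination Unreachable   2 Packet Too Big (path MTU discovery)
    #   3 Time Exceeded             4 Parameter Problem
    for t in 1 2 3 4; do
        echo "ip6tables -A FORWARD -i $TUN -o $LAN -p icmpv6 --icmpv6-type $t -j ACCEPT"
    done

    # Echo Request (128), rate-limited so the LAN can still be pinged
    # without being flooded.
    echo "ip6tables -A FORWARD -i $TUN -o $LAN -p icmpv6 --icmpv6-type 128 -m limit --limit 10/s -j ACCEPT"

    # Neighbor Discovery (types 133-137) is link-local and never forwarded,
    # so it needs no FORWARD rule. Everything else from the tunnel falls
    # through to the DROP policy.
}

# Print the generated rule set for review.
ipv6_rules
```

Run the script once to read the rules, then `ipv6_rules | sh` as root to apply them, and check the result with `ip6tables -L FORWARD -v -n`; the packet counters on the ICMPv6 lines are a quick way to confirm that Packet Too Big messages are actually getting through the tunnel.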

Giving credit where credit is due, I borrowed a lot from Fabio Firmware.

Simple Economics of the IPv6 Transition

The vast majority of the Internet currently operates on Internet Protocol Version 4 (IPv4), a 32-bit addressing system which theoretically allows for 4,294,967,296 (2^32) unique IP addresses. Though this may seem like an inexhaustible supply of addresses, current figures estimate that less than 10% of it remains. The remaining address space would be far smaller had it not been for the deployment of Network Address Translation (NAT), which extends IPv4’s life but also breaks the end-to-end principle.

So…what happens when the address space completely runs out?

There is a slow and gradual transition to Internet Protocol Version 6 (IPv6), a 128-bit addressing system which theoretically allows for 2^128 (about 3.4 × 10^38) unique addresses. Wow, that’s a lot of address space. (FYI, much of the address space is wasted.) But that transition takes time and money. And if a business demands an Internet-routable address before IPv6 has been implemented by its ISP, what happens?

When IPv4 becomes completely exhausted, there will be essentially two models of how the Regional Internet Registries (RIRs) and Tier-1 ISPs could opt to distribute IPv4 addresses once they are “returned”.

In the first model, RIRs and Tier-1 ISPs could distribute address space on a first-come, first-served basis. In this system, Tier-2 and Tier-3 ISPs would have to wait in line to receive address space. This could take decades, essentially locking out any business that immediately requires dedicated IP space.

In the second model, RIRs could distribute address space through the price system: when a block becomes available, it would be auctioned off to the highest bidder.

In my opinion, the pricing distribution system is more efficient than the waiting-line system, because it ensures the most economically efficient utilization of address space. Only those entities that can produce the highest rate of return on their investment in IPv4 address space will be willing and able to purchase it. In short, this follows the basic economic law that prices rise when demand increases but supply cannot.

As the price of IPv4 address space gradually increases, businesses, organizations and home consumers will gradually transition to the IPv6 Internet. I predict mass utilization of transitional solutions, which are not long-term but function just fine. Initial investments for native IPv6 implementation will be costly, but the marginal cost will fall for each additional implementer.

Go IPv6!