Are people really going to use public IPv6 addresses on their private networks? [duplicate]
Solution 1:
Is that how IPv6 is intended to work?
In short, yes. One of the primary reasons for increasing the address space so drastically with IPv6 is to get rid of band-aid technologies like NAT and make network routing simpler.
But don't confuse the concept of a public address and a publicly accessible host. There will still be "internal" servers that are not Internet accessible even though they have a public address. They'll be protected with firewalls just like they are with IPv4. But it will also be much easier to decide that today's internal-only server needs to open up a specific service to the internet tomorrow.
Are companies really going to set up all their internal machines with public addresses?
In my opinion, the smart ones will. But as you've probably noticed, it's going to take quite a while.
Solution 2:
We use public IPv6 addresses in our company network for all devices.
We use a stateful firewall on our gateway that:
- allows all ICMPv6
- allows new connections from the internal network out
- allows established connections from public to internal
No public traffic (except ICMP and established connections) should get into our network.
So far we have had no problems with this setup and it works perfectly.
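The three-rule policy described in this answer, written out as an added nftables example (this is not the answerer's actual configuration; the interface names `wan0` and `lan0` are assumed placeholders, and only forwarded traffic is covered, not traffic to the gateway itself):

```nft
#!/usr/sbin/nft -f
# Added example, not the answerer's ruleset. Assumes a dual-homed
# gateway with "wan0" facing the Internet and "lan0" facing the
# internal network, and that all internal hosts carry global
# (publicly routable) IPv6 addresses, so no NAT is involved.

flush ruleset

table ip6 edge {
    chain forward {
        # Default deny: anything not explicitly accepted below is dropped,
        # so an unsolicited connection from the Internet never reaches a host.
        type filter hook forward priority filter; policy drop;

        # Rule 3 of the answer: packets that belong to a connection the
        # firewall already knows about (including the replies coming back
        # from the public side to an internal host) are allowed through.
        ct state established,related accept

        # Drop packets that conntrack cannot classify (malformed, out of
        # window) before they can match anything below.
        ct state invalid drop

        # Rule 1 of the answer: allow all ICMPv6. Unlike IPv4, IPv6 depends
        # on it for Path MTU Discovery, Neighbor Discovery and error
        # reporting, so blocking it breaks connectivity.
        meta l4proto ipv6-icmp accept

        # Rule 2 of the answer: internal hosts may open new connections out.
        iifname "lan0" oifname "wan0" ct state new accept

        # Everything else from the Internet is logged and hits the drop
        # policy; the log gives visibility into what is being probed.
        iifname "wan0" log prefix "ip6-fwd-drop: " drop
    }
}
```

Load it with `nft -f` and verify with `nft list ruleset`; per-host firewalls remain useful as a second layer, since this only protects hosts behind the gateway.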
Solution 3:
If there is no need for outside connectivity, then private networks can be used. That is also the reason for defining private address space in IPv6.
NAT is a hack that was invented to delay IPv4 address space exhaustion. NAT causes issues with applications, and to get the applications to work with NAT, more hacks are needed which conflict with the original design of IP.
So, the preferred way is to work as Yarik answered: use a proper stateful firewall at the edge of the network.
Solution 4:
As stated, this is the way IP was designed to work, and it does work well. NAT introduces annoying problems at times. Some have described NAT's "hiding" of the internal IP as an advantage, but it can also be a disadvantage.
I worked in a place with a /16 and we used publicly routable IPv4 addresses on every device (including printers, mobile phones and electronic timeclocks). It worked just fine, and in addition it made tracking down misbehaving users and devices that much easier. It also limited the impact of those users, so that if someone managed to start spreading malware or got caught torrenting, it was less likely to affect (say) your mail servers' ability to communicate unhindered because of their being on a blacklist.