[daper]

I've given a try to IPv6 in a company with few tens on servers in a 2 DCs, an office + additional location, 3 ISPs in total. For me the real challenge is not just different way to write an IP address or doing NAT. The challenge is that IPv6 changes a lot of unexpected things:

- Our ISPs support IPv6 but routing quality is way worse than IPv4 including occasional inability to connect to some networks or greater latency than IPv4. I had to create tickets with such issues understood that most probably they just don't have IPv6 BGP sessions to all their upstream providers they connect.

- How the VPN (an employee / road warrior setup) should be configured since from the routing perspective you don't need a VPN to connect from your home to the office? Assuming both have proper IPv6 connection and all devices in the office and your laptop have a globally addressable IP address. Employee can have IPv4 or dual stack at his home, where is dual stack in the office. Very confusing. Looks like Fortigate also don't have an idea and decided to not support such case.

- You have to be careful with site-to-site VPN since even your internal services like database are now globally addressable. You really need proper firewall rules / routing policies to not leak unencrypted packets over internet.

- SLAAC is cool but doesn't provide DNS configuration. (there is RFC8106 but is it supported by all OSes?). You need DHCPv6 for that. You have to choose: use only DHCPv6 or SLAAC + DHCPv6 or just relay on the vast that DNS will be proviedd by DHCP IPv4 in a dual stack setup.

- The way of providing high availability gateway address in a network is different. You need router advertisement where you can provide priorities. That actually is much better than any other VIP mechanisms (no issue with MAC table updates, etc.) but you need to know that.

- OSPF works a bit differently. For example: there is no authentication in router communication in OSPF itself, you are supposed to use IPSec.

The list is longer unfortunately...

[joshspankit]

> You have to be careful with site-to-site VPN since even your internal services like database are now globally addressable.

I’d bet that this will be the source of some gnarly leaks in future. If it does my bet would be it’s going to follow the “API keys on GH” trajectory.

[apearson]

> SLAAC is cool but doesn't provide DNS configuration. (there is RFC8106 but is it supported by all OSes?)

For the most part, yes it's supported by major OSes. (ND RDNSS) https://en.wikipedia.org/wiki/Comparison_of_IPv6_support_in_...

[artdigital]

> You have to be careful with site-to-site VPN since even your internal services like database are now globally addressable. You really need proper firewall rules / routing policies to not leak unencrypted packets over internet.

Uhmm I might be wrong here, but can’t you just not assign global IPv6s then? Keep your local network on ULAs (https://en.wikipedia.org/wiki/Unique_local_address) for network-internal routing

[daper]

Sure, you can. But on advantage of IPv6 is you addresses are globally unique. If you ever need to connect two networks that were created independently (like different companies), unique addresses, even local are very helpful.

[snuxoll]

Sure, but ULA's within your network are still an extremely useful tool to deal with annoying problems like renumbering if you don't have PI address space (and a majority of businesses won't). It's not an ideal solution, but unless you're a large enough shop to have multi-homed BGP sessions the IANA doesn't give a shit about how much headache changing ISPs or backup connections cause and getting a new allocation causes; so ULAs fill that gap to give a non-changing, probably-unique (if you follow the proper process to generate your prefix) address space.

[bert64]

There's no reason you wouldn't use a VPN in exactly the same way. Just because devices have routable addresses doesn't mean they will allow connections from arbitrary sources. You can configure them to only allow connections from your IPv6 VPN pool. On the other hand using globally unique IPv6 addresses means your VPN won't conflict with the source network where users are connecting from.

SLAAC can provide DNS configuration, see RFC6106 for instance.

You can do HA in the same way with VRRP or whatever too, as you point out the built in mechanisms are generally better but you don't necessarily have to use them.

The chance of traffic leaking still exists, and does happen a lot with legacy IP too. The difference is that with v6 the traffic will be routed back to you, so you will be able to see it on your border firewalls. With legacy IP, the traffic will be dropped by the ISP or absorbed by the local network so you don't know it's happening and consequently you probably won't try to do anything about it.