
I have the technical ability to set up a well structured VPC in AWS with private/public subnets, but I wouldn't know where to start if asked to set up an ipv6-only network.

Is the general model of public/private subnet still valid? Or are you saying in a ipv6-only world, there's no need for separate subnets?

There's something about a server not being assigned an IP address at all that makes me sleep easy at night (in the ipv4 world, you know that server is truly unreachable via the public internet).



>Is the general model of public/private subnet still valid? Or are you saying in a ipv6-only world, there's no need for separate subnets?

Define "public/private". Your server has an IPv6 address that is globally identifiable. Your gateway may not necessarily route traffic to it.

>(in ipv4 world, you know that server is truly unreachable via public internet)

You don't know that, because a port forward rule on the gateway would route traffic to it after doing NAT. And if you made the effort to know that your gateway doesn't have such a rule, then you can equally make the effort to know that your gateway doesn't have a rule to forward traffic to the server's subnet.


> Is the general model of public/private subnet still valid? Or are you saying in a ipv6-only world, there's no need for separate subnets?

This is one thing that's actually been vastly improved in IPv6 (IMO): though I guess it is somewhat more complicated, it is standardized.

In the IPv4 model, your hosts get 'internal' addresses and some gateway device translates these addresses to/from the associated 'public' addresses as necessary. Behaviour when multiple addresses are assigned is undefined, and there are plenty of weird corner cases with internal hosts trying to hit the public addresses of forwarded services and such.

In the typical IPv6 model, your hosts (if they need to talk to the Internet) get a (or several) Globally Unique Address (GUA), which is routable on the Internet. Optionally, hosts can also have a Unique Local Address (ULA), which is analogous to an RFC1918 address in IPv4. Because it's codified in the standard, hosts will choose the correct source address depending on the destination they want to talk to: a ULA address if the server is also ULA, and a GUA source will be chosen for talking to GUA addresses.

In a typical corporate network, you'd give hosts both classes of address, and your internal services run on ULA addressing. But in most residential or hosting environments, you'd just use GUA as there is no benefit to segregating things this way.
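The source-address selection the comment above describes is what RFC 6724 standardizes. The following is an added illustration, not code from the thread: a simplified version of that algorithm (only the "prefer matching label" and "longest matching prefix" rules) run against a constructed dual-addressed host with one GUA from the documentation prefix and one ULA.

```python
import ipaddress

# Constructed sample addresses. 2001:db8::/32 is the IPv6 documentation
# prefix (RFC 3849), standing in for a provider-assigned GUA; fd00::/8 is
# the locally assigned half of the ULA range fc00::/7 (RFC 4193).
ULA_RANGE = ipaddress.IPv6Network("fc00::/7")


def is_ula(addr):
    """True if the address falls inside the ULA range."""
    return addr in ULA_RANGE


def common_prefix_len(a, b):
    """Number of leading bits two IPv6 addresses share (0..128)."""
    return 128 - (int(a) ^ int(b)).bit_length()


def select_source(sources, destination):
    """Choose the source address a host uses to reach `destination`.

    Simplified from the RFC 6724 default address selection rules: rule 6
    (prefer matching label; the default policy table gives fc00::/7 its own
    label, so a ULA source is preferred for a ULA destination and a global
    source for a global destination) with rule 8 (longest matching prefix)
    as the tie-breaker. The full algorithm has further rules (deprecated
    addresses, temporary/privacy addresses, scope) that are omitted here.
    """
    dst = ipaddress.IPv6Address(destination)
    candidates = [ipaddress.IPv6Address(s) for s in sources]

    def rank(src):
        # Higher tuple wins: label match first, then longer shared prefix.
        return (is_ula(src) == is_ula(dst), common_prefix_len(src, dst))

    return str(max(candidates, key=rank))


# A dual-addressed corporate host (constructed): one GUA, one ULA.
HOST_ADDRESSES = ["2001:db8:1:1::10", "fd12:3456:789a:1::10"]


def demo():
    """Which address the host picks for an internal ULA service vs an Internet host."""
    return {
        "internal_service": select_source(HOST_ADDRESSES, "fd12:3456:789a:9::53"),
        "internet_host": select_source(HOST_ADDRESSES, "2001:db8:ffff::1"),
    }


if __name__ == "__main__":
    for name, chosen in demo().items():
        print(f"{name}: {chosen}")
```

Because the choice is driven by the policy table rather than by a NAT box in the middle, the same host reaches internal services over ULA and the Internet over GUA without any hairpinning of "public" addresses.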


It's pretty much the same.

The reason why NAT with ipv4 works is because routers by default do not forward any incoming traffic from outside to an inside host unless there is an entry in the lookup table based on ports or based on port forwarding rules. The important thing to realize is that the local ip addresses (192.x, 10.x, etc.) don't actually matter; they can be replaced with any schema as far as the router is concerned, and made public. And this is because the core routing logic of the entry table based on port doesn't change.

The IPv6 implementation doesn't really differ in this. With IPv6, routers can deny incoming traffic to the particular machine without a previous outgoing request connection, just like in the IPv4 NAT implementation. The receiving end knowing the full ip address of the machine (and even then, with privacy extensions, that ip address will no longer be valid in a day) doesn't really do anything against you security wise.

However, unlike IPv4, if you actually want to set up connectivity across networks and in fact enable routers to forward traffic based on the ip address, you don't have to deal with NAT translation, udp hole punching, etc.

And furthermore, forcing harder endpoint security is a good thing. Routers are notoriously easy to exploit in a lot of cases, and once an attacker is on a router, NAT is worthless. Likewise, IoT devices that can be exploited through HTTP-based attacks against central servers give you the same access.


I generally see IPv6 being a better reflection of reality vs the illusion presented by IPv4/NAT. To put it another way, even if your server has no public IP address, if someone punches through your firewall it's not like that matters anymore right? If they have the keys to the kingdom they can change your network to be however they like.

If your network is a house, and your firewall is the front door, then all NAT does is force you to have a weird fractal room layout where rooms are inside rooms, inside rooms. But if a dude breaks in through your front door, it doesn't matter how many rooms you have, he will find what he wants.

IPv6 lets you have as many rooms as you want and lets you optionally send mail to specific ones. If someone breaks in they still have access to everything, but instead of having to navigate a fractal house, they have to navigate a house with a nicer layout and a trillion doors.

The metaphor is falling apart a bit here, but my point is that if your server has some form of physical network connection that eventually leads to the internet, its address scheme isn't going to help you much, even if it makes you sleep better.


> Is the general model of public/private subnet still valid?

You're getting replies that are tiptoeing around the truth, saying that the answer to this is basically 'yes' when it sure looks like the answer is firmly 'no.' My home IPv4 network isn't routable, it is a private network. If my IPv6 address is globally unique and addressable by someone across the world, my network is not private in the way that most people have come to understand the term. I'm just part of the public network but with a firewall to stop unwanted packets from reaching my local nodes.


> My home IPv4 network isn't routable, it is a private network.

An IPv6 network with a firewall configured to disallow incoming traffic isn't routable, it is a private network.

> If my IPv6 address is globally unique and addressable by someone across the world, my network is not private in the way that most people have come to understand the term.

In what way? All NAT does is funnel traffic over one address (or more); that address is still exposed to the internet, and it's your firewall that prevents that incoming traffic. If your firewall is compromised, then NAT isn't protecting you from anything; your network will absolutely be routable despite what you are suggesting. The assumptions you are making are part of the reason why NAT can be dangerous.

> I'm just part of the public network but with a firewall to stop unwanted packets from reaching my local nodes.

This is an oxymoron: you are either a part of the public network or you are not. The only thing that has changed is the semantics.
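Two comments above make the same point: the "it's the lookup table, not the address" argument in the NAT-with-ipv4 reply, and "it's your firewall that prevents that incoming traffic" here. The added example below is not from the thread; it is a toy model of a gateway's forwarding decision, run once with IPv4-style NAT and once with plain IPv6 routing, using constructed documentation-range addresses. The accept/drop logic is the same code path in both runs; only the address rewriting differs.

```python
from dataclasses import dataclass

# All addresses are constructed sample values from documentation ranges
# (RFC 5737 for IPv4, RFC 3849 for IPv6), not real hosts.


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulGateway:
    """Toy model of a gateway's forwarding decision.

    Inbound packets are forwarded only if (a) they are replies to a flow the
    connection-tracking table has already seen going out, or (b) an explicit
    forward rule exists for the destination/port. With nat=True the gateway
    rewrites the source of outbound packets to its WAN address (IPv4-style);
    with nat=False addresses pass through unchanged (IPv6). The accept/drop
    logic is identical in both modes.
    """

    def __init__(self, nat=False, wan_addr=None):
        self.nat = nat
        self.wan_addr = wan_addr
        # reverse-flow key -> (internal host, internal port)
        self.conntrack = {}
        # (proto, destination as seen on the WAN, dport) -> (host, port)
        self.forwards = {}
        self._next_port = 40000

    def add_forward(self, proto, external_dst, external_port, host, port):
        """Explicit allow rule: a port forward (NAT) or a firewall exception (IPv6)."""
        self.forwards[(proto, external_dst, external_port)] = (host, port)

    def outbound(self, pkt):
        """Host sends a packet out; returns the packet as it appears on the WAN."""
        if self.nat:
            ext_src, ext_port = self.wan_addr, self._next_port
            self._next_port += 1
        else:
            ext_src, ext_port = pkt.src, pkt.sport
        wan_pkt = Packet(pkt.proto, ext_src, ext_port, pkt.dst, pkt.dport)
        # Remember the reply direction so the answer can be let back in.
        reply_key = (pkt.proto, pkt.dst, pkt.dport, ext_src, ext_port)
        self.conntrack[reply_key] = (pkt.src, pkt.sport)
        return wan_pkt

    def inbound(self, pkt):
        """Decide on a packet arriving from the WAN.

        Returns ("ACCEPT", (host, port)) or ("DROP", None).
        """
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            return "ACCEPT", self.conntrack[key]
        fwd = self.forwards.get((pkt.proto, pkt.dst, pkt.dport))
        if fwd is not None:
            return "ACCEPT", fwd
        return "DROP", None


def run_scenario():
    """Same sequence of events on an IPv4/NAT gateway and on an IPv6 gateway."""
    results = {}

    # IPv4 with NAT: internal host 192.168.1.10 hidden behind 203.0.113.1.
    v4 = StatefulGateway(nat=True, wan_addr="203.0.113.1")
    wan = v4.outbound(Packet("tcp", "192.168.1.10", 50000, "198.51.100.5", 443))
    results["v4_wan_src"] = (wan.src, wan.sport)
    results["v4_reply"] = v4.inbound(Packet("tcp", "198.51.100.5", 443, wan.src, wan.sport))
    results["v4_unsolicited"] = v4.inbound(Packet("tcp", "198.51.100.9", 1234, "203.0.113.1", 22))
    v4.add_forward("tcp", "203.0.113.1", 22, "192.168.1.10", 22)
    results["v4_after_forward"] = v4.inbound(Packet("tcp", "198.51.100.9", 1234, "203.0.113.1", 22))

    # IPv6 without NAT: the host's own globally routable address is on the wire.
    v6 = StatefulGateway(nat=False)
    wan = v6.outbound(Packet("tcp", "2001:db8:1::10", 50000, "2001:db8:ffff::5", 443))
    results["v6_wan_src"] = (wan.src, wan.sport)
    results["v6_reply"] = v6.inbound(Packet("tcp", "2001:db8:ffff::5", 443, wan.src, wan.sport))
    results["v6_unsolicited"] = v6.inbound(Packet("tcp", "2001:db8:ffff::9", 1234, "2001:db8:1::10", 22))
    v6.add_forward("tcp", "2001:db8:1::10", 22, "2001:db8:1::10", 22)
    results["v6_after_forward"] = v6.inbound(Packet("tcp", "2001:db8:ffff::9", 1234, "2001:db8:1::10", 22))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

In both runs the unsolicited packet to port 22 is dropped because nothing in the table matches it, and it is accepted only once an explicit rule is added. Whether the host's address is globally reachable on paper never enters the decision; what matters is the state table and the rule set, which is why a compromised or misconfigured gateway removes the protection equally in either address family.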



