Vpn – Does IPv6 remove the need for a VPN

ipv4ipv6mobilenat;vpn

I know that a VPN may be used in lots of different ways for lots of different things, so I'm not suggesting that IPv6 removes the need for a VPN completely.
I'm interested in one particular use-case:

I have a cellular (GSM) router, and traditionally, a standard SIM from my local network operator will give me a dynamic IPv4 address. In order to be able to reach my router from the internet, today I use a VPN. This does 2 things:

It gives my router a static IPv4 address. This will not change, if the dynamic IPv4 address assigned by the operator changes, or if I change operators.
It allows me to traverse the operator's NAT firewall. If my router is acting as a server, I can initiate a connection to it.

I'm still learning about IPv6, but it seems to me that if a network operator supports IPv6 (say Verizon Wireless in the US), then I no longer need a VPN:

3GPP cellular operators use SLAAC, and I get a Global Unicast Address. This, by definition, is globally-routable. There is no NAT.
I know what /64 prefix the operator assigns, and I know what Interface ID will be used (either EUI-64 or RFC 7217), so I have a static IPv6 address.

Is this correct? Or am I missing something?

Of course, I'm aware that a VPN provides extra security, because it adds authentication and encryption. But lets assume for the purposes of this discussion that I will use an IPv6 firewall, or IPsec, or TLS at the application layer, for security.

I know I could continue to use a VPN with IPv6, and this would allow me to use Unique Local IPv6 Addresses just like my old private IPv4 addresses. But why would I need to?

Best Answer

I think your idea that consumer and mobile ISPs will give out static IPv6 is optimistic to say the least. Some may do so but many probably will not.

VPNs provide two main features.

They provide protection for the traffic against evesdropping, spoofing, replay attacks and so-on.
They decouple your addressing and routing from the operators of your underlying networks.

Feature 2 is useful for many reasons.

You can work around "outgoing connections only" firewalls/NATs. While Nat is strongly discouraged for v6 "outgoing connections only firewalls are likely to remain common.
You can keep a consistent IP address on machines even when your provider readdresses their networks.
You can keep a consistent IP address on machines even when they move location or provider.
Due to the above two points you can more easily use IP based access control, either within your own networks or for access to third party services.
If you have high quality links between your campuses around the world and good connections from each campus into the local broadband/mobile providers you can route traffic from your mobile and work at home users down those links rather than down whatever shitty transit their "broadband" provider bought.

Some of these may be less of an issue in a v6 world but I expect that VPNs will still be useful in general and will likely remain a good solution for administering remote devices.

Related Solutions

IPv4 shortage is now becoming a reality – what is needed for IPv6 to work

Answers to your questions:

No, just because device supports IPv6 it doesn't mean it support IPv4<>IPv6 transition mechanisms - they're not part of IPv6 protocol specification. So, it may support translating traffic from IPv4 to IPv6 and vice versa but it needs to support mechansism like NAT64.
Nodes communicate with the protocol of their choice, depending on the higher layer calls. If your browser points to a name, and the name resolves to IPv4 only, IPv4 will be called in to service it. If it resolves to both IPv6 and IPv4, IPv6 should take precedence, but a lot was done in recent years to make both calls simultaneusly and check which one is faster.
You need to have node that is dual-stacked, so supports both IPv4 and IPv6 or have support of translating between protocols somewhere along the way. If your router supports it - fine, if your ISP supports it - it's also fine.
You should see IPv6 as it should take precedence. If not, your IPv6 connectivity, at least to this specific site is broken. If you can use only IPv6 (you are not dual stacked) you can only reach around 4-5k prefixes around the internet, which is very small percent (out of 500k for IPv4). Normally, hosts are dual-stacked however, so you should be fine - using IPv6 for IPv6-enabled services, and IPv4 for all the rest.
That depends on the type of the service your ISP provides. You may have private IPv4 assigned to your internet interface, and it gets translated somewhere at the ISP edge. You may have public IPv4.
For SSL/TLS you're using names, not IPs directly. You should be fine.
Yes, while there are still works to provide NAT services for IPv6, general idea about IPv6 was to stop doing NAT, and provide global connectivity. It means that with IPv6 assignment, your entire internal network may be directly reachable from other parts of the internet, if you're using IPv6 addresses from the Global Unicast space. For IPv6 you can use other types, like for example Link Local only, which would provide internal connectivity, but block ability to access from remote locations. Generally, you should filter the traffic at the edge of your network if you don't want the internet to access your resources/nodes.
Unfortunately, I don't understand the question. Cloud services are usually OK with IPv6, Amazon at least is.
Start from here: http://test-ipv6.com/

Cisco 6rd configuration example – ipv6 general-prefix

ipv6 general-prefix DELEGATED_PREFIX 6rd Tunnel0

This line defines DELEGATED_PREFIX. It automatically calculates the IPv6 prefix based on the 6rd settings of the Tunnel0 interface.

ipv6 address DELEGATED_PREFIX ::/128 anycast (on int Tunnel 0)

This line sets an IPv6 address on the Tunnel0 interface using the DELEGATED_PREFIX defined before. It tells the router to take the prefix, leave the other bits zero (::) and configure it as a single anycast address. The anycast flag tells the router that the address may be used on multiple devices at the same time. It will therefore not perform any Duplicate Address Detection (not really relevant for a tunnel interface) and it will not use that address as a source address (because the return traffic might end up at one of the other anycast nodes).

ipv6 address DELEGATED_PREFIX ::/64 eui-64 (on int Ethernet 0)

This does the same for the Ethernet0 interface. It uses the DELEGATED_PREFIX to give an address to the interface. One problem is that you're using the same subnet on the tunnel interface. You should use separate subnets for different interfaces. The eui-64 flag tells the router to generate the last 64 bits of the interface address based on its MAC address.

An example to (hopefully) make things clearer:

Let's take the 6rd settings from the example:

6rd IPv4 prefix: 10.0.0.0/8
6rd IPv6 prefix: 2001:db80::/28

Then if your router has IPv4 address 10.0.0.10 you will get IPv6 prefix 2001:db80:0:a000::/52. The /8 in the IPv4 prefix means that the first 8 bits are fixed. So when constructing the IPv6 prefix it will only use the last 24 (32 - 8) bits from the IPv4 address. These have binary value 0000 0000 0000 0000 0000 1010. When written in hexadecimal that is 00 00 0a. This is appended to the /28 IPv6 prefix, giving a /52 (28 + 24).

So DELEGATED_PREFIX will get value 2001:db80:0:a000::/52. Therefore the Tunnel0 interface will get address 2001:db80:0:a000::/128 and the Ethernet0 interface will get something like 2001:db80:0:a000:1234:56ff:fe78:90ab/64 (assuming MAC address 12.34.56.78.90.ab).

It would be better to give the ethernet interface an address from a different subnet, like:

ipv6 address DELEGATED_PREFIX 0:0:0:1::/64 eui-64

That would result in 2001:db80:0:a001:1234:56ff:fe78:90ab/64. And if you don't want to make the address dependent on the MAC address you can also just give it a fixed address:

ipv6 address DELEGATED_PREFIX 0:0:0:1::1/64

That would result in 2001:db80:0:a001::1/64.

Best Answer

Related Solutions

IPv4 shortage is now becoming a reality – what is needed for IPv6 to work

Cisco 6rd configuration example – ipv6 general-prefix

Related Topic