
I don't know much about networking, but if you're on AWS and are using VPC then don't you have full control of the entire (virtual) network?


Sure, but it's only IPv4:

> Additionally, VPCs currently cannot be addressed from IPv6 IP address ranges.

http://aws.amazon.com/vpc/faqs/

And then you still have the problem of only so many IPs per host, so it doesn't help with lots of containers.


Anyone got the inside story on why in 2015 Amazon doesn't support IPv6?


IPv6 is hard. It's hard to optimize, it's hard to harden, and it's hard to protect against.

One small example: How do you implement an IPv6 firewall which keeps all of China and Russia out of your network? (My apologies to folks living in China and Russia, I've just seen a lot of viable reasons to do this in the past).

Another small example: How do you enable "tcp_tw_recycle" or "tcp_tw_reuse" for IPv6 in Ubuntu?


> How do you implement an IPv6 firewall which keeps all of China and Russia out of your network?

You do this by blocking the IP ranges that are assigned to China and Russia. Same as you would with IPv4, why would that change?

Also, tcp_tw_recycle when set for IPv4 also applies for IPv6, despite the name...
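
An added example (not part of the thread or any commenter's code) of the prefix-based filtering described in the comment above: one matcher serves both address families, and it unwraps IPv4-mapped IPv6 addresses so a dual-stack listener cannot skip the IPv4 rules. The prefixes are constructed from documentation ranges, and the function names are assumptions.

```python
import ipaddress

# Constructed sample blocklist built from documentation-only prefixes
# (RFC 5737 / RFC 3849), standing in for the per-country allocations
# that a registry feed would provide.
BLOCKED_PREFIXES = [
    "203.0.113.0/24",
    "198.51.100.0/25",
    "2001:db8:a000::/36",
    "2001:db8:ffff::/48",
]

def build_blocklist(prefixes):
    """Parse prefixes, reject ones with host bits set, collapse per family."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    v4 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return {4: v4, 6: v6}

def normalize(addr):
    """Return the address the filter should match on.

    A dual-stack listener reports IPv4 clients as IPv4-mapped IPv6
    (::ffff:a.b.c.d); unwrap those so the IPv4 rules still apply.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def is_blocked(addr, blocklist):
    """True if addr falls inside any blocked prefix of its own family."""
    ip = normalize(addr)
    return any(ip in net for net in blocklist[ip.version])

BLOCKLIST = build_blocklist(BLOCKED_PREFIXES)

if __name__ == "__main__":
    for sample in ("203.0.113.7", "::ffff:203.0.113.7",
                   "2001:db8:a123::1", "2001:db8:b000::1", "192.0.2.1"):
        print(sample, "blocked" if is_blocked(sample, BLOCKLIST) else "allowed")
```
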


Maybe we should start thinking of security in terms of 'how can we build things that are actually secure by design' instead of 'how can we use stupid IP-level hacks to block things because our stuff is Swiss cheese'?


None of this really applies to VPC (which is a private virtual network for only your own hosts and access is restricted lower down than at the IP layer). You actually can have a public IPv6 address on AWS, it just has to go through ELB.


You actually have it a bit backwards: you can only assign an IPv6 address to an ELB if it's not in a VPC.

http://docs.aws.amazon.com/ElasticLoadBalancing/latest/Devel...

Crazy, right? Especially since new customers are forced to use VPC and don't even have the option of falling back to EC2-Classic.


To be clear, I was not saying that you can give an ELB in a VPC an IPv6 address. I was saying you can give a non-VPC ELB an IPv6 address. Basically I was pointing out that, however imperfect, Amazon has chosen to prioritize public access to IPv6 over private use of it.


Ah, sorry for the misunderstanding then.


Actually, it does apply, even in a VPC. The inability to tune TCP sockets affects your ability to scale certain services.

It also makes routing within your VPC so much more entertaining to manage.



