Dear All,

With the proliferation of IPv6 I hear more and more often that NAT is a great security mechanism because it hides your intranet infrastructure from outsiders, and how unfit IPv6 is for enterprise networks because it lacks the notion of NAT which makes IPv6 networks so very very much insecure.

Do you have good conter-arguments?

Indeed, in some corporate networks I've seen, the use of the RFC1918 address space is written into security guidelines as a requirement.

Then again, as I come to think of it, even if your IPv6 intranet has a good firewall on the border, your internal network addresses are still exposed to the Internet. Is that a problem?

Victor Sudakov, VAS4-RIPE, VAS47-RIPN
--- GoldED+/BSD 1.1.5-b20160322-b20160322
* Origin: Ulthar (2:5005/49)

On 01-25-19 23:46, Victor Sudakov wrote to All <=-

Dear All,

With the proliferation of IPv6 I hear more and more often that NAT is a great security mechanism because it hides your intranet infrastructure from outsiders, and how unfit IPv6 is for enterprise networks because
it lacks the notion of NAT which makes IPv6 networks so very very much insecure.

Do you have good conter-arguments?

NAT was never intended as a security mechanism, and it does nothing more than goof packet filter could do.

Indeed, in some corporate networks I've seen, the use of the RFC1918 address space is written into security guidelines as a requirement.

Then again, as I come to think of it, even if your IPv6 intranet has a good firewall on the border, your internal network addresses are still exposed to the Internet. Is that a problem?

If your firewall is blocking traffic, you can hardly say you're exposed.

NAT still creates a lot of problems, ask anyone who'd wrestled with port forwarding, to try and get services opened to the Internet.


... Each experiment, success or failure, is a learning experience.
=== MultiMail/Win v0.51
--- SBBSecho 3.03-Linux
* Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)

Hello Victor!

Jan 25 23:46 2019, Victor Sudakov wrote to All:

With the proliferation of IPv6 I hear more and more often that NAT is
a great security mechanism because it hides your intranet
infrastructure from outsiders,

There's a lot of misunderstanding of NAT and security. The typical case is that NAT is done by a dedicated firewall or a router with firewall features, i.e. the firewall/router does packet filtering and NAT. So a lot of people think that NAT implies security, but it doesn't. NAT is exactly what the acronym says: network address translation. An 1:1 NAT simply translates one address or subnet to another. How could that provide any security? What you need is packet filtering (plus proxies and so on).

infrastructure from outsiders, and how unfit IPv6 is for enterprise networks because it lacks the notion of NAT which makes IPv6 networks so very very much insecure.

There's also NAT for IPv6. BTW, IPv6 has a nice feature called Privacy Extensions to automatically change IP addresses regularly.

ciao,
Markus

---
* Origin: *** theca tabellaria *** (2:240/1661)

Dear Tony,

26 Jan 19 20:29, you wrote to me:

With the proliferation of IPv6 I hear more and more often that
NAT is a great security mechanism because it hides your intranet
infrastructure from outsiders, and how unfit IPv6 is for
enterprise networks because it lacks the notion of NAT which
makes IPv6 networks so very very much insecure.

Do you have good conter-arguments?

NAT was never intended as a security mechanism,

It was not intended as a security mechanism initially, but over time, it became one, and is required by many security guidelines. Ask some computer security specialist you trust, if you don't believe me.

and it does nothing
more than a goof packet filter could do.

Of course it does more! No packet filter *hides* *src* *addresses* of your internal hosts, and that is exactly what security people love NAT for.

Indeed, in some corporate networks I've seen, the use of the
RFC1918 address space is written into security guidelines as a
requirement.

Then again, as I come to think of it, even if your IPv6 intranet
has a good firewall on the border, your internal network
addresses are still exposed to the Internet. Is that a problem?

If your firewall is blocking traffic, you can hardly say you're
exposed.

Sorry you are mistaken. Very few attacks nowdays are based on injecting malicious traffic into your network, those times are long gone. Information gathering about your intranet could be much more important than the ability to send traffic into it from outside.

NAT still creates a lot of problems, ask anyone who'd wrestled with
port forwarding, to try and get services opened to the Internet.

That's a different story, I myself have wrestled enough with IPv4 NAT. So I would be happy to advocate NAT-less IPv6 to anyone, but I need arguments. Have not heard anything new so far.

Victor Sudakov, VAS4-RIPE, VAS47-RIPN
--- GoldED+/BSD 1.1.5-b20160322-b20160322
* Origin: Ulthar (2:5005/49)

Dear Markus,

26 Jan 19 12:12, you wrote to me:

With the proliferation of IPv6 I hear more and more often that
NAT is a great security mechanism because it hides your intranet
infrastructure from outsiders,

There's a lot of misunderstanding of NAT and security. The typical
case is that NAT is done by a dedicated firewall or a router with
firewall features, i.e. the firewall/router does packet filtering and
NAT. So a lot of people think that NAT implies security, but it
doesn't.

The security guidelines I have read don't specify "NAT must be used." They specify "RFC1918 addresses must be used in the internal network."

NAT is exactly what the acronym says: network address
translation. An 1:1 NAT simply translates one address or subnet to another. How could that provide any security?

A static NAT has limited usage and indeed does not provide much additional security. But the dynamic NAT and especially PAT provide a very important security feature no packet filter provides: they *hide* the *source* *addresses* of internal hosts thus effectively hiding the network structure from outsiders.

What you need is packet
filtering (plus proxies and so on).

Yes, a proxy would do the same hiding as a dynamic NAT.

infrastructure from outsiders, and how unfit IPv6 is for
enterprise networks because it lacks the notion of NAT
which makes IPv6 networks so very very much insecure.

There's also NAT for IPv6.

Never heard of that, other than DNS64/NAT64 which are for a different purpose.

BTW, IPv6 has a nice feature called Privacy
Extensions to automatically change IP addresses regularly.

Yes, with Privacy Extensions it becomes more difficult to map a single host, but all your /64 internal networks are still mappable. For example, by analyzing browsing behaviour, you can easily guess which /64 in your company is for engineering staff and which is for the management.

Victor Sudakov, VAS4-RIPE, VAS47-RIPN
--- GoldED+/BSD 1.1.5-b20160322-b20160322
* Origin: Ulthar (2:5005/49)

Hi Victor!

Jan 26 21:49 2019, Victor Sudakov wrote to Markus Reschke:

The security guidelines I have read don't specify "NAT must be used." They specify "RFC1918 addresses must be used in the internal
network."

For IPv6 they could use ULA (RFC4193). ;)

A static NAT has limited usage and indeed does not provide much additional security. But the dynamic NAT and especially PAT provide a very important security feature no packet filter provides: they
*hide* the *source* *addresses* of internal hosts thus effectively
hiding the network structure from outsiders.

And some dumbass enables UPnP on the firewall/router. >:) If an organization thinks that it has to hide the internal IP addresses for security reasons it can use NAT or proxies. Anyway, they still need much more than that to secure their network.

There's also NAT for IPv6.

Never heard of that, other than DNS64/NAT64 which are for a different purpose.

NAT66

ciao,
Markus

---
* Origin: *** theca tabellaria *** (2:240/1661)

Hello Victor,

On Saturday January 26 2019 21:18, you wrote to Tony Langdon:

Of course it does more! No packet filter *hides* *src* *addresses* of
your internal hosts,

So what? A device on the LAN that communicates with the outside world uses a public address. In the case of IPv4 with NAT it is a public WAN address of the router. In case of IPv6 it is a public address in the prefix range assigned to the router. In either case the address used is "exposed".

and that is exactly what security people love NAT for.

Hmmm... I would rather not put my faith in the hands of a "security expert" that believes in "security through obscurity"...


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: he.net certified sage (2:280/5555)

Dear Markus,

26 Jan 19 16:26, you wrote to me:

The security guidelines I have read don't specify "NAT must be
used." They specify "RFC1918 addresses must be used in the
internal network."

For IPv6 they could use ULA (RFC4193). ;)

Good point. Thank you. Maybe fc00::/7 has a chance of becoming the new 192.168/16.

A static NAT has limited usage and indeed does not provide much
additional security. But the dynamic NAT and especially PAT
provide a very important security feature no packet filter
provides: they *hide* the *source* *addresses* of internal hosts
thus effectively hiding the network structure from outsiders.

And some dumbass enables UPnP on the firewall/router. >:)

I don't think enterprise-class firewalls have UPnP, do they?

And thinking about SOHO and home routers/firewalls, what kind of IPv6 connectivity are they going to have, what do you think? Those present who have native IPv6 connectivity, what's your ISP's policy on assigning addresses to customers?

If my ISP were going to give me one IPv6 address (a /128) or even one /64 net, this would be too few for my purposes. For my current home network, I use five /64s, so for me it would be a /56 at least.

If an
organization thinks that it has to hide the internal IP addresses for security reasons it can use NAT or proxies. Anyway, they still need
much more than that to secure their network.

There's also NAT for IPv6.

Never heard of that, other than DNS64/NAT64 which are for a
different purpose.

NAT66

Interesting. Do you know of any implementations that could translate ULA addresses into one global /64 pool?

Victor Sudakov, VAS4-RIPE, VAS47-RIPN
--- GoldED+/BSD 1.1.5-b20160322-b20160322
* Origin: Ulthar (2:5005/49)

Dear Michiel,

27 Jan 19 00:10, you wrote to me:

Of course it does more! No packet filter *hides* *src*
*addresses* of your internal hosts,

So what? A device on the LAN that communicates with the outside world
uses a public address.

Are you pulling my leg, or don't you really understand the difference? A *thousand* devices on the LAN use *one* public address (or maybe a dozen public addresses) when communicating with the outside world.

In the case of IPv4 with NAT it is a public WAN
address of the router. In case of IPv6 it is a public address in the prefix range assigned to the router.

But the devices on the LAN become uniqely mappable from the outside. That's the point. In the case without NAT (a global IP address per internal host), the bad guys will have to resort to canvas fingerprinting, cookie abuse or other less reliable techniques.

In either case the address used
is "exposed".

and that is exactly what security people love NAT for.

Hmmm... I would rather not put my faith in the hands of a "security expert" that believes in "security through obscurity"...

Do you call *any* attempt to keep sensitive information private "security through obscurity"? Would you also, for example, call RFC4941 mechanism "security through obscurity"? Then you probably misunderstand the terminology.

Besides, speaking about private addresses proper, you often have no choice: this requirement has made it into too many security checklists and would be too difficult to get rid of even if we wanted.

Victor Sudakov, VAS4-RIPE, VAS47-RIPN
--- GoldED+/BSD 1.1.5-b20160322-b20160322
* Origin: Ulthar (2:5005/49)

Hello Victor,

On Sunday January 27 2019 15:08, you wrote to Markus Reschke:

And thinking about SOHO and home routers/firewalls, what kind of IPv6 connectivity are they going to have, what do you think? Those present
who have native IPv6 connectivity, what's your ISP's policy on
assigning addresses to customers?

My ISP assigns a /56 on a home connection and a /48 on a bussines pro connection. Some other ISPs in The Netherlands also offer a /48 for a home connection as well.

A /48 should be enough for any big enterprise...

If my ISP were going to give me one IPv6 address (a /128) or even one
/64 net, this would be too few for my purposes. For my current home network, I use five /64s, so for me it would be a /56 at least.

If you need more than a /56 on a home network, you are doing something wrong.


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: he.net certified sage (2:280/5555)

On 01-26-19 21:18, Victor Sudakov wrote to Tony Langdon <=-

It was not intended as a security mechanism initially, but over time,
it became one, and is required by many security guidelines. Ask some computer security specialist you trust, if you don't believe me.

Well, having compared notes, I am wary of anyone who calls themselves a "specialist" without personal knowledge and trust of the person. :) I've certainly heard a lot of dodgy stories about so-called "specialists" in networking from a very trusted source over the years.

Of course it does more! No packet filter *hides* *src* *addresses* of
your internal hosts, and that is exactly what security people love NAT for.

True, but IPv6 has mechanisms for source IP privacy without NAT.

Sorry you are mistaken. Very few attacks nowdays are based on injecting malicious traffic into your network, those times are long gone. Information gathering about your intranet could be much more important than the ability to send traffic into it from outside.

That is a good point.

NAT still creates a lot of problems, ask anyone who'd wrestled with
port forwarding, to try and get services opened to the Internet.

That's a different story, I myself have wrestled enough with IPv4 NAT.
So I would be happy to advocate NAT-less IPv6 to anyone, but I need arguments. Have not heard anything new so far.

Yeah so have I and it's a pain in the proverbial.


... Sir, the Romulans do not take prisoners!
=== MultiMail/Win v0.51
--- SBBSecho 3.03-Linux
* Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)

Dear Michiel,

27 Jan 19 10:55, you wrote to me:

And thinking about SOHO and home routers/firewalls, what kind of
IPv6 connectivity are they going to have, what do you think?
Those present who have native IPv6 connectivity, what's your
ISP's policy on assigning addresses to customers?

My ISP assigns a /56 on a home connection

As a standard package?

and a /48 on a bussines pro
connection. Some other ISPs in The Netherlands also offer a /48 for a
home connection as well.

A /48 should be enough for any big enterprise...

If my ISP were going to give me one IPv6 address (a /128) or even
one /64 net, this would be too few for my purposes. For my
current home network, I use five /64s, so for me it would be a
/56 at least.

If you need more than a /56 on a home network, you are doing something wrong.

Unfortunately I don't have native IPv6 connectivity, and HE does not offer /56s on its tunnels, only /48s so I don't have much choice.

I've tried several times to switch to Rostelecom who is rumored to offer IPv6 connectivity, but as soon as I start talking with their salespeople they fall into stupor and promise to call later.

Victor Sudakov, VAS4-RIPE, VAS47-RIPN
--- GoldED+/BSD 1.1.5-b20160322-b20160322
* Origin: Ulthar (2:5005/49)

Dear Tony,

27 Jan 19 20:11, you wrote to me:

It was not intended as a security mechanism initially, but over
time, it became one, and is required by many security guidelines.
Ask some computer security specialist you trust, if you don't
believe me.

Well, having compared notes, I am wary of anyone who calls themselves
a "specialist" without personal knowledge and trust of the person. :)
I've certainly heard a lot of dodgy stories about so-called
"specialists" in networking from a very trusted source over the years.

Not all IT security specialists are competent, that is true and can be said about any specialists. But the requirement of using private IP address space has made it into too many security guidelines. A Mr. Mordac can be competent or incompetent, but he has checklists to follow.

Of course it does more! No packet filter *hides* *src*
*addresses* of your internal hosts, and that is exactly what
security people love NAT for.

True, but IPv6 has mechanisms for source IP privacy without NAT.

Unfortunately, those mechanisms don't provide privacy of your /64 nets, i.e. the nets still remain mappable.

[dd]


Victor Sudakov, VAS4-RIPE, VAS47-RIPN
--- GoldED+/BSD 1.1.5-b20160322-b20160322
* Origin: Ulthar (2:5005/49)

Hi Victor!

Jan 27 15:08 2019, Victor Sudakov wrote to Markus Reschke:

Good point. Thank you. Maybe fc00::/7 has a chance of becoming the
new 192.168/16.

I'd recommend to use fd00::/8 since fc00::/8 was meant to be some kind of globally unique local address space managed by a registry (-> B2B VPNs).

I don't think enterprise-class firewalls have UPnP, do they?

Most don't. But you never know what e-junk some company uses. >:)

And thinking about SOHO and home routers/firewalls, what kind of IPv6 connectivity are they going to have, what do you think? Those present
who have native IPv6 connectivity, what's your ISP's policy on
assigning addresses to customers?

/64 as xfer network and a /56 for the LAN (both dynamic, forced change every 6 months).

Interesting. Do you know of any implementations that could translate
ULA addresses into one global /64 pool?

Cisco, Juniper, Linux, ...
However, you need to check the details for each box and firmware. For example, Linux can hide the complete LAN behind a single IPv6 address.

ciao,
Markus

---
* Origin: *** theca tabellaria *** (2:240/1661)

Dear Markus,

27 Jan 19 13:49, you wrote to me:

Good point. Thank you. Maybe fc00::/7 has a chance of becoming
the new 192.168/16.

I'd recommend to use fd00::/8 since fc00::/8 was meant to be some kind
of globally unique local address space managed by a registry (-> B2B VPNs).

fc00::/7 is from RFC4193, and where is fd00::/8 defined?

I don't think enterprise-class firewalls have UPnP, do they?

Most don't. But you never know what e-junk some company uses. >:)

And thinking about SOHO and home routers/firewalls, what kind of
IPv6 connectivity are they going to have, what do you think?
Those present who have native IPv6 connectivity, what's your
ISP's policy on assigning addresses to customers?

/64 as xfer network and a /56 for the LAN (both dynamic, forced change every 6 months).

If you want a static address?

Interesting. Do you know of any implementations that could
translate ULA addresses into one global /64 pool?

Cisco, Juniper, Linux, ...
However, you need to check the details for each box and firmware. For example, Linux can hide the complete LAN behind a single IPv6 address.

That's nice.

Victor Sudakov, VAS4-RIPE, VAS47-RIPN
--- GoldED+/BSD 1.1.5-b20160322-b20160322
* Origin: Ulthar (2:5005/49)

Hi Michiel!

Jan 27 00:10 2019, Michiel van der Vlist wrote to Victor Sudakov:

and that is exactly what security people love NAT for.

MvdV> Hmmm... I would rather not put my faith in the hands of a "security
MvdV> expert" that believes in "security through obscurity"...

Basically, I fully agree. There are several methods to map an internal network. If one doesn't work, the bad guy simply tries another. But it could make senses to hide internal addresses as part of a security concept. If I'm concerned about my network security I would go for application level gateways which act as proxy and also filter stuff application specific. NAT doesn't prevent malicious web content to be downloaded while browsing the web.

ciao,
Markus

---
* Origin: *** theca tabellaria *** (2:240/1661)

Good ${greeting_time}, Victor!

27 Jan 2019 21:12:10, you wrote to Markus Reschke:

Good point. Thank you. Maybe fc00::/7 has a chance of becoming
the new 192.168/16.

I'd recommend to use fd00::/8 since fc00::/8 was meant to be some
kind of globally unique local address space managed by a registry

B2B VPNs).

fc00::/7 is from RFC4193, and where is fd00::/8 defined?

Guess!


--
Alexey V. Vissarionov aka Gremlin from Kremlin
gremlin.ru!gremlin; +vii-cmiii-ccxxix-lxxix-xlii

... GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net
--- /bin/vi
* Origin: http://openwall.com/Owl (2:5020/545)

Hello Victor!

Jan 27 21:12 2019, Victor Sudakov wrote to Markus Reschke:

fc00::/7 is from RFC4193, and where is fd00::/8 defined?

Same RFC:

3.1. Format

The Local IPv6 addresses are created using a pseudo-randomly
allocated global ID. They have the following format:

| 7 bits |1| 40 bits | 16 bits | 64 bits |
+--------+-+------------+-----------+----------------------------+
| Prefix |L| Global ID | Subnet ID | Interface ID |
+--------+-+------------+-----------+----------------------------+

Prefix FC00::/7 prefix to identify Local IPv6 unicast
addresses.

L Set to 1 if the prefix is locally assigned.
Set to 0 may be defined in the future. See
Section 3.2 for additional information.

If you want a static address?

Then I would have to change my consumer DSL to a business one.

ciao,
Markus

---
* Origin: *** theca tabellaria *** (2:240/1661)

Hello Victor,

On Sunday January 27 2019 18:05, you wrote to me:

My ISP assigns a /56 on a home connection

As a standard package?

Too early to tell. They (Ziggo) were very slow to roll out IPv6. After telling the customers that they would be rolling out IPv6 "later this year" for the last decade, they finally started moving in 2016. But it is still "unofficial", they have not yet published an official policy on IPv6. It is still a surprise if after a modem change, you will have Dual Stack, DSLite or IPv4 only. Customers that have IPv6 report they have a /56. But nothing "official" from the ISP...

and a /48 on a bussines pro connection.

THAT is what they offically advertise for the Bussines Pro connection.

If you need more than a /56 on a home network, you are doing
something wrong.

Unfortunately I don't have native IPv6 connectivity, and HE does not
offer /56s on its tunnels, only /48s so I don't have much choice.

So? Just use whatever you need from the /48 and ignore the rest. There is no shortage of IPv6 addresses,,,

I've tried several times to switch to Rostelecom who is rumored to
offer IPv6 connectivity, but as soon as I start talking with their salespeople they fall into stupor and promise to call later.

Be patient. I have been pestering Ziggo for a decade before they stopped dragging their feet on IPv6. ;-)


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: he.net certified sage (2:280/5555)

Hello Markus,

On Sunday January 27 2019 13:49, you wrote to Victor Sudakov:

Good point. Thank you. Maybe fc00::/7 has a chance of becoming
the new 192.168/16.

How about fe80::/10 (Link Local Address...)

I'd recommend to use fd00::/8 since fc00::/8 was meant to be some kind
of globally unique local address space managed by a registry (-> B2B VPNs).

It started out as "Site Local Adresses". But since it was difficult to define what a "site" was, it was rebranded to Unique Local Address... And indeed fc00::/8 is presently "undefined".

https://en.wikipedia.org/wiki/Unique_local_address

For what it is worth, I registered fd51:550:40b9::/48 with SixXs...

/64 as xfer network and a /56 for the LAN (both dynamic, forced change every 6 months).

Here the addresses are labelled as "dynamic", but like the "dynamic IPv4" addresses, they are semi static. IPv4 adresses only change when the WAN side MAC address of the router changes. IPv6 is less predictable. It did not change for a year until this morning when I did a soft reset on the cable modem/router.


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: he.net certified sage (2:280/5555)

Hi Michiel!

Jan 28 16:36 2019, Michiel van der Vlist wrote to Markus Reschke:

Good point. Thank you. Maybe fc00::/7 has a chance of becoming
the new 192.168/16.

MvdV> How about fe80::/10 (Link Local Address...)

Sorry, link local addresses are limited to a single broadcast domain and must not be routed.

ciao,
Markus

---
* Origin: *** theca tabellaria *** (2:240/1661)

On 01-27-19 10:55, Michiel van der Vlist wrote to Victor Sudakov <=-

My ISP assigns a /56 on a home connection and a /48 on a bussines pro connection. Some other ISPs in The Netherlands also offer a /48 for a home connection as well.

Mine assigns a /56 as well.

If you need more than a /56 on a home network, you are doing something wrong.

Yeah a /56 is more than I'll ever use. Currently using only one /64, but that may change down the track as things change - if I ever assign a block to packet
radio, or get into IoT and want to keep that separate from the home LAN, but I don't see myself using more than a handful of /64s, certainly not 256 of them. :)


... Look Twice... Save a Life!!! Motorcycles are Everywhere!!!
=== MultiMail/Win v0.51
--- SBBSecho 3.03-Linux
* Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)

On 01-27-19 18:01, Markus Reschke wrote to Victor Sudakov <=-

Then I would have to change my consumer DSL to a business one.

That's annoying. My ISP has 3 tiers of service.

Default (consumer) - dynamic IPv4 address and IPv6 prefix.

"Power Pack" - static IPv4 and IPv6 prefix (this is what I have). Also some other differences.

Business - static IPv4, optional /29, static IPv6 prefix, and priority support.


... Features should be discovered, not documented.
=== MultiMail/Win v0.51
--- SBBSecho 3.03-Linux
* Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)

Dear Michiel,

28 Jan 19 15:51, you wrote to me:

[dd]

If you need more than a /56 on a home network, you are doing
something wrong.

Unfortunately I don't have native IPv6 connectivity, and HE does
not offer /56s on its tunnels, only /48s so I don't have much
choice.

So? Just use whatever you need from the /48 and ignore the rest. There
is no shortage of IPv6 addresses,,,

Currently there are only 35 trillion /48 networks in the global 2000::/3 pool, if I've counted correctly. One trillion is not that many, it's the quantity of stars in the Andromeda galaxy, or the quantity of bacteria living in one human being...

With the 64bit interface identifier, there will probably never be a shortage of IPv6 *addresses* in a network, but well may be a shortage of IPv6 network *blocks* if they are given out in an irresponsive manner. IMHO.

I've tried several times to switch to Rostelecom who is rumored
to offer IPv6 connectivity, but as soon as I start talking with
their salespeople they fall into stupor and promise to call
later.

Be patient. I have been pestering Ziggo for a decade before they
stopped dragging their feet on IPv6. ;-)

:-)


Victor Sudakov, VAS4-RIPE, VAS47-RIPN
--- GoldED+/BSD 1.1.5-b20160322-b20160322
* Origin: Ulthar (2:5005/49)