I noticed something interesting the other day. If you are a typical
home user with cable or DSL Internet service, and your provider gives
you native IPv6 addresses and you desire to firewall the devices on
your home network; since IPv6 is not using NAT, every device behind
your router gets a unique IP address, so you basically have to either
close down all IPv6 ports at the main router, OR open all IPv6 ports
at the router, and then run a software firewall on each device on the network! This is not practical or possible on many devices (gaming
consoles, smart phones, IoT devices, etc).
I can prove this by opening and closing the IPv6 firewall settings on
my provider's router. It's different with IPv4 of course. With
IPv4, you only have one IP address for ALL the devices on your
network. So you can setup the firewall to forward specific ports,
and then setup services on individual devices using those ports.
The point of this post, and my question, is there any consumer grade
router available that allows you to manage IPv6 ports on a device
basis, such as by individual IP or MAC address? There must be,
otherwise how can devices using IPv6 ever be effectively firewalled?
If you want to expose only certain services over IPv6 (SSH for
example) on one device in your network, how do you do this with
consumer grade routers?
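As an added illustration of the question above (this is example code written for this page, not part of the original post and not any router vendor's firmware): the model below shows the usual answer to "how do I expose only SSH on one IPv6 device". The router does not need NAT; it needs a stateful forward filter that lets LAN-originated flows and their replies through, drops every other unsolicited inbound packet, and carries one explicit per-device exception. The same policy is what the later "Stateful NAT vs. SPI firewall" exchange in this thread is arguing about: the protection comes from the state check, not from the address rewriting. All addresses are constructed from the 2001:db8::/32 documentation range, and the NFT_RULESET string is an assumed nftables equivalent for a Linux router, not configuration taken from the thread.

```python
"""Added example (not from the thread): a stateful IPv6 forward policy
modelled in Python, with one per-device exception and no NAT.
Addresses are constructed from the 2001:db8::/32 documentation range."""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

LAN = IPv6Network("2001:db8:1234:1::/64")       # constructed delegated prefix
LINUX_BOX = IPv6Address("2001:db8:1234:1::10")  # the box that should expose SSH
CAMERA = IPv6Address("2001:db8:1234:1::20")     # an IoT device that must stay closed

# Per-device exceptions for *new* inbound connections: (address, proto, port).
# This is the "only SSH on one device" policy; everything else inbound is dropped.
ALLOW_INBOUND = {(LINUX_BOX, "tcp", 22)}

# Assumed nftables equivalent for a Linux router (not from the thread).
NFT_RULESET = """
table inet filter {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                  parameter-problem, echo-request } accept
    ip6 saddr 2001:db8:1234:1::/64 accept
    ip6 daddr 2001:db8:1234:1::10 tcp dport 22 ct state new accept
  }
}
"""


@dataclass(frozen=True)
class Packet:
    src: IPv6Address
    dst: IPv6Address
    proto: str
    sport: int
    dport: int


class StatefulForwarder:
    """Minimal connection tracker keyed on the 5-tuple; no address rewriting."""

    def __init__(self):
        self.conntrack = set()

    def forward(self, pkt: Packet) -> str:
        flow = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if flow in self.conntrack or reverse in self.conntrack:
            return "ACCEPT"                      # established/related traffic
        if pkt.src in LAN and pkt.dst not in LAN:
            self.conntrack.add(flow)             # LAN-originated: record, allow reply
            return "ACCEPT"
        if pkt.dst in LAN and (pkt.dst, pkt.proto, pkt.dport) in ALLOW_INBOUND:
            self.conntrack.add(flow)             # the one published service
            return "ACCEPT"
        return "DROP"                            # unsolicited inbound: default deny


def run_scenario() -> dict:
    """Drive the forwarder with a few constructed packets; returns the verdicts."""
    fw = StatefulForwarder()
    remote = IPv6Address("2001:db8:ffff::1")     # constructed Internet host
    return {
        # the camera opens an HTTPS session outward; its reply comes back in
        "camera_out":   fw.forward(Packet(CAMERA, remote, "tcp", 40000, 443)),
        "camera_reply": fw.forward(Packet(remote, CAMERA, "tcp", 443, 40000)),
        # an unsolicited probe of the camera's web UI is dropped
        "camera_probe": fw.forward(Packet(remote, CAMERA, "tcp", 55555, 80)),
        # SSH to the Linux box is the single published service
        "ssh_to_box":   fw.forward(Packet(remote, LINUX_BOX, "tcp", 55556, 22)),
        # NFS on the same box stays LAN-only
        "nfs_to_box":   fw.forward(Packet(remote, LINUX_BOX, "tcp", 55557, 2049)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:13s} {verdict}")
```

The per-device exception keys on the destination address rather than a MAC, which is what a "manage IPv6 ports per device" router UI would translate into; devices whose addresses change (privacy extensions) need a static or DHCPv6-assigned address for such a rule to keep matching.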
If you want a secure network, make sure no network services are
running that you don't want.
Additionally, you can use a normal hardware firewall that is fully configurable.
The point of this post, and my question, is there any consumer grade
router available that allows you to manage IPv6 ports on a device basis,
such as by individual IP or MAC address?
Not a useful comment. I run various services for LAN use that I'd not
want exposed to the world. You can't just turn off nfs, ssh, ntp,
etc; while some LAN devices like cameras and TV etc can be safely
assumed to be unchangeably insecure.
MH's comment re fritzbox is useful to know (thank you!): I've been
wary about dipping a toe into IPV6 precisely because of the risk of
service exposure. The fritzbox (I have an ISP-supplied one) seems
quite a handy gizmo, albeit poorly documented in places.
If you want a secure network, make sure no network services are
running that you don't want.
Additionally, you can use a normal hardware firewall that is fully configurable.
I noticed something interesting the other day. If you are a typical home user with cable or DSL Internet service, and your provider gives you
native IPv6 addresses and you desire to firewall the devices on your home network; since IPv6 is not using NAT, every device behind your router
gets a unique IP address, so you basically have to either close down all
IPv6 ports at the main router, OR open all IPv6 ports at the router, and
then run a software firewall on each device on the network! This is not practical or possible on many devices (gaming consoles, smart phones, IoT devices, etc).
since IPv6 is not using NAT
I noticed something interesting the other day. If you are a typical home user with cable or DSL Internet service, and your provider gives you
native IPv6 addresses and you desire to firewall the devices on your home network; since IPv6 is not using NAT, every device behind your router
gets a unique IP address, so you basically have to either close down all
IPv6 ports at the main router, OR open all IPv6 ports at the router, and
then run a software firewall on each device on the network! This is not practical or possible on many devices (gaming consoles, smart phones, IoT devices, etc).
On 2022-02-09, Mike Mocha <mocha@mailexcite.com> wrote:
I noticed something interesting the other day. If you are a
typical home user with cable or DSL Internet service, and your
provider gives you native IPv6 addresses and you desire to firewall
the devices on your home network; since IPv6 is not using NAT,
every device behind your router gets a unique IP address, so you
basically have to either close down all IPv6 ports at the main
router, OR open all IPv6 ports at the router, and then run a
software firewall on each device on the network! This is not
practical or possible on many devices (gaming consoles, smart
phones, IoT devices, etc).
I have no need for IPV6 and have it disabled on my home network. My
own router behind the ISP's gateway runs DD-WRT and has IPV6 turned
off. All of my computers and any other networked devices where it's configurable have IPV6 disabled.
Somebody's got to say it, so it might as well be me.
On 2/9/22 1:16 AM, Mike Mocha wrote:
since IPv6 is not using NAT
IPv6 NAT works perfectly fine.
Somebody's got to say it, so it might as well be me.
On 2/9/22 1:16 AM, Mike Mocha wrote:
since IPv6 is not using NAT
IPv6 NAT works perfectly fine.
I have no need for IPV6 and have it disabled on my home network. My own router behind the ISP's gateway runs DD-WRT and has IPV6 turned off. All
of my computers and any other networked devices where it's configurable
have IPV6 disabled.
You will need that in future because IPv4 has too few addresses.
NAT is very annoying and many home user ISPs don't provide public
IPv4 addresses to their customers anymore.
They can only use IPv6 to operate a server. Now IPv4 creates additional
costs and needs resources. I really like to get rid of IPv4 as soon
as possible.
But it is not recommended to use it.
It creates additional latency
stateful NAT is a relict from IPv4.
If you want the "security" feature of NAT, use an SPI firewall.
But you don't need to use it, as long as the network is sane.
True, but it destroys the way the internet is designed. You can't run
your own servers at home. This will just support big tech companies
and destroy the original concept of the internet.
NAT is annoying to /some/. Many if not most of the home users don't
even realize that their router doesn't have a globally routed IP.
Most of those aren't aware that their workstation quite likely
doesn't have a globally routed IP.
NAT, despite its various cons, is simple and reliable enough that
it's the defacto way that the vast majority of the world accesses the Internet.
NAT can be multiple things. Some of them provide zero security.
Remember, port forwarding -- which is a thing in IPv6 -- is at its
roots NAT. There are definitely uses for port forwarding in IPv6.
I'd argue no implementations of NAT (by themselves) provide any
security.
I'd argue no implementations of NAT (by themselves) provide any
security.
Although you need neither port-forwarding nor NAT on v6...
On 2/10/22 12:15 PM, Dan Purgert wrote:
Although you need neither port-forwarding nor NAT on v6...
Maybe. Maybe not.
It depends on the network topology, and other layers of the stack,
including layers 8 (politics) and 9 (money), influence this.
Am Donnerstag, 10. Februar 2022, um 19:14:32 Uhr schrieb Dan Purgert:
I'd argue no implementations of NAT (by themselves) provide any
security.
stateful NAT (regardless of whether NAT44 or NAT64) provides implicit security.
It is like an SPI firewall, without a static NAT rule (port forwarding)
you can't access the devices behind the NAT.
On 2/10/22 12:15 PM, Dan Purgert wrote:
Although you need neither port-forwarding nor NAT on v6...
Maybe. Maybe not.
It depends on the network topology, and other layers of the stack,
including layers 8 (politics) and 9 (money), influence this.
If you like to have more work (NAT is annoying if using DNS names
inside and outside of the NAT net), then you can set up NAT for IPv6.
I like the easy way that means no NAT at all whenever possible.
Networks are one of the things that last a very long time, so I don't like
nasty stuff like NAT there.
To rephrase slightly --
The sheer number of available addresses is such that NAT is not an
inherent requirement of setting up a new IPv6 network that is intended
to communicate with the wider internet.
This is in contrast to an IPv4 network, wherein the vast majority of
devices will be configured for an address contained within RFC1918
space, and will therefore require NAT to communicate to the wider
internet.
On 2/10/22 12:14 PM, Dan Purgert wrote:
I'd argue no implementations of NAT (by themselves) provide any[...]
security.
I think that Stateful NAT that dynamically maps between internal and
external IP(s) & port(s) probably provides some inherent security in the
fact that incoming connections will fail if there isn't associated NAT
state data to support the connection.
You have to be using an ISP that has it implemented and my last two do not.
On 2/10/22 12:30 AM, Marco Moock wrote:
You will need that in future because IPv4 has too few addresses.
/last/ 20 years and I bet we will still be transitioning from IPv4 to
IPv6 for (at least) the /next/ 20 years.
We are far from access parity between IPv4 and IPv6. We haven't even approached the midpoint, much less started the decades-long process
for IPv6 to surpass and outmode IPv4.
I've been advocating for IPv6 for a decade, and do so weekly. But I'm
a pragmatist that realizes that IPv4 is going to be around for the
rest of my career. So, for better or worse -- my money's on worse --
we have been, are, and will be in a dual protocol network.
I must have a wire crossed somewhere, as I'm fairly certain that
it's more the firewall behind things that keeps unwanted traffic from
making a mess of things, even with conntrack in the mix.
The "Stateful" part of "Stateful NAT" is the firewall sitting
immediately behind DNAT, checking to see if packets have valid states.
No firewall = no security.
"Port forwarding" (as implemented in most, if not all routers) is just a "quick and dirty NAT+Firewall rule" shortcut...
On 2/10/22 1:43 PM, Dan Purgert wrote:
[...]
This is in contrast to an IPv4 network, wherein the vast majority of
devices will be configured for an address contained within RFC1918
space, and will therefore require NAT to communicate to the wider
internet.
/me chuckles menacingly to himself. RFC 1918. There are a LOT of other non-globally routed addresses that can be used. Then there are the
globally routed IP addresses that can be stomped on. }:-)
On 2/10/22 1:25 PM, Dan Purgert wrote:
The "Stateful" part of "Stateful NAT" is the firewall sitting
immediately behind DNAT, checking to see if packets have valid states.
No firewall = no security.
I disagree.
To me, Stateful Packet Inspection and NAT State are two different
things. Especially considering that iptables uses two different configurations for SPI and NAT. [...]
"Port forwarding" (as implemented in most, if not all routers) is just a
"quick and dirty NAT+Firewall rule" shortcut...
Now we delve into what is "port forwarding". [...]
On 2/10/22 2:33 PM, Vincent Coen wrote:
You have to be using a ISP that has it implemented and my last two
do not.
Having (native) IPv6 from an ISP is really helpful. But it's not
strictly /required/.
My current ISP doesn't support IPv6. Yet I use IPv6 every single day.
You can do what I do and get an IPv6 in IPv4 tunnel from someone like Hurricane Electric.
On 2/10/22 11:49 AM, Marco Moock wrote:
There are multiple ways to fulfill "access to". Not all of them use
NAT. Not all of them even require (any version of) IP. Application
layer proxies that use something other than IP between the client and
the proxy are very interesting.
Thursday February 10 2022 21:48, Grant Taylor wrote to All:
like Hurricane Electric.
Dumb nut question 1 - So what does it do for a system that only has an
IPv4 address from the ISP?
Thanks for all the responses! Something that still is not making
sense to me, if for example we have a home network that contains many different IPv6 devices connected, how do we control what ports get
exposed on each device?
That is the primary question I was trying to ask. For example, on
one of my daily use Linux machines I have many different services
running, and as soon as I open the IPv6 firewall on my ISPs router,
it means that all of those services are open to the world!
I don't want that!
Then don't let those services listen on your public IPv6 address. For
I can setup iptables on this box, but what about all the
other IPv6 devices on my network?
Random IoT devices, webcams, game consoles or whatever, I have no
idea what services they are running, and I'm worried that if someone
could get on one of those devices then they could eventually make
their way into my Linux box.
That is the primary question I was trying to ask. For example, on one of
my daily use Linux machines I have many different services running, and
as soon as I open the IPv6 firewall on my ISPs router, it means that all
of those services are open to the world! I don't want that! I can setup iptables on this box, but what about all the other IPv6 devices on my network? Random IoT devices, webcams, game consoles or whatever, I have
no idea what services they are running, and I'm worried that if someone
could get on one of those devices then they could eventually make their
way into my Linux box.
Thanks for all the responses! Something that still is not making sense
to me, if for example we have a home network that contains many different IPv6 devices connected, how do we control what ports get exposed on each device?
as soon as I open the IPv6 firewall on my ISPs router, it means that all
of those services are open to the world! I don't want that! [...]
There are a LOT of other
non-globally routed addresses that can be used.
Grant Taylor <gtaylor@tnetconsulting.net> wrote:
There are a LOT of other
non-globally routed addresses that can be used.
Which ones, for example?
IPv4 link-local (used for APIPA, no routing, 169.254.0.0/16)
All not intended for connecting to other sites, only for internal stuff.
Probably you have become so intimate with NAT and the other crutches
we need to keep v4 alive that you're dearly missing them when they're
not needed.
For v4, yes. IPv6 was carefully crafted not to need it.
to access corporate's vehicle inventory system.
Probably you have become so intimate with NAT and the other crutches
we need to keep v4 alive that you're dearly missing them when they're
not needed.
Which ones, for example?
Dumb nut question 1 - So what does it do for a system that only has
an IPv4 address from the ISP?
Reason for asking is I run a BBS and some of my downlinks have a v6
address along with a v4 and when the v4 cannot connect my system has a
quick look at v6 says protocol not supported and gives up on that poll.
Sadly, IPv6 site-local doesn't work for accessing the IPv6 internet,
despite IPv6 NAT /because/ clients won't choose them for globally
routed destinations.
You /can/ route IPv6 link-local if you get creative. }:-)
Think along the lines of a VPN. You get IPv6 inside the tunnel for
your use while the tunnel itself uses only IPv4 on the outside.
Also no auth is supported, the tunnel endpoint at the customer side
is detected only by the IPv4 address.
This is the right decision ...
Probably. I still have /some/ /minor/ qualms with it.
was also intended for RFC 1918 addresses.
It is against the protocol to do so.
You can change the software, but then it doesn't follow the RFC's
rules.
You will need that in future because IPv4 has too few addresses. NAT
is very annoying and many home user ISPs don't provide public IPv4
addresses to their customers anymore. They can only use IPv6 to operate
a server. Now IPv4 creates additional costs and needs resources. I
really like to get rid of IPv4 as soon as possible.
And you're soooooo proud of that, aren't you?
... We should
switch to IPv6 ASAP.
I've been hearing that song and dance for the last 20 years. Sorry
to disappoint you but I doubt IPV4 will be going away any time soon.
Sadly, IPv6 site-local doesn't work for accessing the IPv6 internet,
despite IPv6 NAT /because/ clients won't choose them for globally routed destinations.
You /can/ route IPv6 link-local if you get creative. }:-)
On 2/11/22 6:22 AM, Marc Haber wrote:
For v4, yes. IPv6 was carefully crafted not to need it.
The thing that IPv6 has over IPv4 is the number of IP addresses. But /utilizing/ those IP addresses brings inherent problems, not the least
of which is additional routing burden.
Picture any business wherein each location is locally owned while having
some loose affiliation with a corporate entity with different owners. A
very good example is car dealerships affiliated with a major brand or
service company. Wherein each individual location administers their
network with complete autonomy and corporate administers its network
with complete autonomy. With that large topology in mind, consider the potential, nay likely, complications with needing to establish
bi-directional communications between every single location and the
corporate entity such that systems at corporate can print to the
networked printer in the parts department. The C.I.R. functions as an integration between each individual location and corporate.
NAT makes this trivial to do.
Corporate doesn't have to worry about (de)conflicting subnets across
multiple sites.
The NAT on the C.I.R. acts as an abstraction layer allowing each side to operate with almost complete autonomy from each other.
I have written this email using IPv4 addresses because they are simpler
/ shorter to type (and more muscle memory).
But the exact same concept
applies to IPv6 as it does to IPv4.
On 2/11/22 6:22 AM, Marc Haber wrote:
Which ones, for example?
Pick any U.S. DoD prefix for starters. }:-)
Or any other entity that you know that you're not going to communicate with.
Once you truly grok anycast and how it works, you can get *REALLY* creative.
Am Samstag, 12. Februar 2022, um 00:33:44 Uhr schrieb Roger Blake:
I've been hearing that song and dance for the last 20 years. Sorry
to disappoint you but I doubt IPV4 will be going away any time soon.
I agree, IPv4 will keep for at least 10 years, but everybody not
implementing IPv6 in his networks slows down the process.
On 2022-02-10, Marc Haber <mh+usenetspam1118@zugschl.us> wrote:
And you're soooooo proud of that, aren't you?
Yes, as a matter of fact I am. I've been working with what is now known as IPV4 for nearly 40 years and have no desire to learn a new protocol. It's
not likely that IPV4 will be going away in my lifetime.
-- 
------------------------------------------------------------------------------
18 Reasons I won't be vaccinated -- https://tinyurl.com/ebty2dx3
Covid vaccines: experimental biology -- https://tinyurl.com/57mncfm5
The fraud of "Climate Change" -- https://RealClimateScience.com
There is no "climate crisis" -- https://climatedepot.com
------------------------------------------------------------------------------
Marco Moock <mo01@posteo.de> wrote:
Am Samstag, 12. Februar 2022, um 00:33:44 Uhr schrieb Roger Blake:
I've been hearing that song and dance for the last 20 years. Sorry
to disappoint you but I doubt IPV4 will be going away any time
soon.
I agree, IPv4 will keep for at least 10 years, but everybody not implementing IPv6 in his networks slows down the process.
It's like the vaccination. Things would be best if everybody did it,
but since a vocal minority doesn't do it AND TAKES PRIDE IN NOT DOING
IT, the whole process is slowed down for everybody significantly.
With the vaccination, the price we pay is lives, with IPv6, it's only
money.
Those belong to the U.S. DoD. You're not supposed to use them.
That's a really stupid idea.
Networks are not supposed to be creative. They're supposed to work.
And the simpler they are, the more reliable they are.
You don't need to be creative to use IPv6. It's all stupid, all easy.
That's how networks should be.
On 2/12/22 2:50 AM, Marc Haber wrote:
You don't need to be creative to use IPv6. It's all stupid, all
easy. That's how networks should be.
The hardest part about IPv6 is getting an ISP that provides it.
WAY too many don't provide IPv6.
Am Samstag, 12. Februar 2022, um 19:36:15 Uhr schrieb Grant Taylor:
On 2/12/22 2:50 AM, Marc Haber wrote:
You don't need to be creative to use IPv6. It's all stupid, all
easy. That's how networks should be.
The hardest part about IPv6 is getting an ISP that provides it.
WAY too many don't provide IPv6.
I completely agree. Here in Germany many small ISPs don't provide it,
but the big ones like Deutsche Telekom provide it even for home
customers.
Am Freitag, 11. Februar 2022, um 07:28:05 Uhr schrieb Mike Mocha:
Thanks for all the responses! Something that still is not making
sense to me, if for example we have a home network that contains many
different IPv6 devices connected, how do we control what ports get
exposed on each device?
The concept of the internet (IPv4 and IPv6) is that every device has a unique address that is reachable from any other node.
NAT and all that
crap are just temporary solutions for keeping IPv4 alive.
We should
switch to IPv6 ASAP.
What do you do if the multiple enterprises are using site-local,
despite the deprecation?
How do you address the conflict /simply/ then?
On 11/02/2022 09:41, Marco Moock wrote:
Am Freitag, 11. Februar 2022, um 07:28:05 Uhr schrieb Mike Mocha:
Thanks for all the responses! Something that still is not making
sense to me, if for example we have a home network that contains
many different IPv6 devices connected, how do we control what
ports get exposed on each device?
The concept of the internet (IPv4 and IPv6) is that every device
has a unique address that is reachable from any other node.
That /was/ the original idea - back when IP networking was for a few specialised uses such as military research, universities, and a few
niche companies. Such a concept does not scale to today's networking
needs, and that has /nothing/ to do with the number of IPv4 addresses.
It is a /long/ time since computers and users have had the level of
trust that existed then. With more software, has come more security
holes. The average level of knowledge of users has dropped as
computers arrived on every desk, not just the desks of experts.
The number of connected nodes has increased dramatically over the
decades. Unique addressing is not the issue - it's an irrelevancy. A
system where any node can address any other node simply does not
scale.
So what we have is a somewhat hierarchical system - basically on two
levels. There is the "internet" which supports wide-range access and routing, with many servers directly on that network. And there
are countless local networks with interaction within the
network, and access to internet-based servers, but with no need for
anything outside to get in.
Rounded to the nearest tenth of a percent, all computers are
client-only. (Yes, the remaining fraction that act as servers is
important.) They are mobile phones, home computers, work desktops,
etc. All of these need to be able to access servers on the internet.
/None/ of them need to be accessed by any other computer. The only
time something tries to directly access them, is an attack from some
hacker, worm or other malware. No one wants that, or to make that
easier.
Of course you can say that it is the job of the firewall to block
incoming connections while allowing packets of established connections
to pass through from the internet. But when the firewall is already
doing this connection tracking, it can also do NAT'ing at little cost.
That then makes the routing process upstream /hugely/ easier.
What benefit would there be from each device having a unique IP
address that is used directly, without NAT? The device would /not/
be reachable from any other node - if you think that would be a good
thing, with every hacker on the other side of the globe having direct
access to your grandma's mobile, you are living on a different planet.
The only people that would see this as a direct benefit are the
Facebooks of the world, and the porn-site based scammers and
blackmailers. (That includes "legitimate" porn sites that get hacked
by scammers and blackmailers.) They'd love to know /exactly/ which
computer was used, as accurately as possible, rather than seeing
common router IP addresses.
NAT and all that
crap are just temporary solutions for keeping IPv4 alive.
NAT is a fine example of the flexibility of IP networking, and does a
fine job of helping compartmentalise and modularise the network. It
is also extremely easy to have a simple NAT setup - these days pretty
much every home has a NAT router with Wifi, that comes out of the box
with a setup that provides a basic level of security for the home
(except for the NAT routers that have hopeless default passwords).
In the days of dial-up, people would take their Windows XP machines
and connect directly to the internet, getting a global IP that was
reachable from any node. Their machine would be taken over by
hostile hackers and bots long before it had managed to download the
latest service packs and updates, which at best only blocked half the
attacks anyway. Now they connect their new Windows machines to their
NAT router, and /no/ attacks get in (until they do something stupid,
like click on a phishing email link).
We should
switch to IPv6 ASAP.
There are certainly cases where a greater availability of globally
unique addresses would be helpful. While almost all computers are not servers, /some/ are, and sometimes a unique address on the internet
would be handy.
I see some benefits to IPv6, but not enough to bother much about it as
yet. And when I do start using it seriously, it will be with NAT.
On 2/12/22 2:52 AM, Marc Haber wrote:
Networks are not supposed to be creative. They're supposed to work.
And the simpler they are, the more reliable they are.
And how is having many (upwards of 10) IPv6 addresses on a single
machine /simpler/?
What do you do if the multiple enterprises are using site-local, despite
the deprecation?
How do you address the conflict /simply/ then?
On 2/12/22 2:50 AM, Marc Haber wrote:
You don't need to be creative to use IPv6. It's all stupid, all easy.
That's how networks should be.
The hardest part about IPv6 is getting an ISP that provides it.
WAY too many don't provide IPv6.
Am Sonntag, 13. Februar 2022, um 11:49:22 Uhr schrieb David Brown:
In the days of dial-up, people would take their Windows XP machines
and connect directly to the internet, getting a global IP that was
reachable from any node. Their machine would be taken over by
hostile hackers and bots long before it had managed to download the
latest service packs and updates, which at best only blocked half the
attacks anyway. Now they connect their new Windows machines to their
NAT router, and /no/ attacks get in (until they do something stupid,
like click on a phishing email link).
The main problem of that is that Windows has enabled server software
like NetBIOS over IP and SMB. This is the problem and NAT/SPI should
now solve the biggest security problem that MS was able to create?
Personally, I don't care anymore about windows machines because they
are insecure by design.
NAT plays an important part in the security
in a lot of systems because it provides a huge step at keeping out
unwanted stuff while being of very little inconvenience to most users.
And it does this for practically nothing - stand-alone NAT routers for
small networks cost peanuts, and any serious router for a big network
will do it with negligible delay or overhead. There are not many
security measures that are so effective for so low cost.
Am Donnerstag, 10. Februar 2022, um 12:44:56 Uhr schrieb Grant Taylor:
On 2/10/22 12:15 PM, Dan Purgert wrote:
Although you need neither port-forwarding nor NAT on v6...
Maybe. Maybe not.
It depends on the network topology, and other layers of the stack,
including layers 8 (politics) and 9 (money), influence this.
If you like to have more work (NAT is annoying if using DNS names
inside and outside of the NAT net), then you can set up NAT for IPv6.
I like the easy way that means no NAT at all whenever possible.
Networks are one of the things that last a very long time, so I don't like nasty
stuff like NAT there.
NAT tends to be not only more work but also worse functionality. I'm
mainly thinking of how NAT keeps state in the routers, and that home
routers tend to drop the state after a while so that e.g. long-lived
TCP sessions tend to silently stop working.
Frontier Fios here in Dallas Texas gives ipv4
$ wget -qO - http://icanhazip.com
47.183.233.188
As long as /you/ are all right, screw the rest of the world?
On 2/13/22 01:59, Bit Twister wrote:
Frontier Fios here in Dallas Texas gives ipv4
$ wget -qO - http://icanhazip.com
47.183.233.188
att gives me
2600:1700:79b1:20c0:2f4:8dff:fea6:fc3b
no clue, just in passing.
I agree, IPv4 will keep for at least 10 years, but everybody not
implementing IPv6 in his networks slows down the process.
With the vaccination, the price we pay is lives, with IPv6, it's only
money.
Quoting the signature for a reason. I am not surprised.
End of discussion for me.
On 2022-02-12, Marc Haber <mh+usenetspam1118@zugschl.us> wrote:
Quoting the signature for a reason. I am not surprised.
End of discussion for me.
In other words you cannot support your position(s).
Am Sonntag, 13. Februar 2022, um 19:43:03 Uhr schrieb Jorgen Grahn:
NAT tends to be not only more work but also worse functionality. I'm
mainly thinking of how NAT keeps state in the routers, and that home
routers tend to drop the state after a while so that e.g. long-lived
TCP sessions tend to silently stop working.
Full ack.
That is the reason for unnecessary "keep-alive" packets many
applications send.
On Sun, 13 Feb 2022 14:02:44 -0800, jrg wrote:
On 2/13/22 01:59, Bit Twister wrote:
Frontier Fios here in Dallas Texas gives ipv4
$ wget -qO - http://icanhazip.com
47.183.233.188
att gives me
2600:1700:79b1:20c0:2f4:8dff:fea6:fc3b
no clue, just in passing.
All those colons instead of 4 dots, tells me your isp, ATT-SBCIS,
is giving out ipv6 addresses.
old and in the way
On 2/13/22 16:05, Bit Twister wrote:
On Sun, 13 Feb 2022 14:02:44 -0800, jrg wrote:
On 2/13/22 01:59, Bit Twister wrote:
Frontier Fios here in Dallas Texas gives ipv4
$ wget -qO - http://icanhazip.com
47.183.233.188
att gives me
2600:1700:79b1:20c0:2f4:8dff:fea6:fc3b
no clue, just in passing.
All those colons instead of 4 dots, tells me your isp, ATT-SBCIS,
is giving out ipv6 addresses.
Thanks, that much I figured but am surprised you don't get ip6 in
Dallas.
I had never seen icanhazip before, don't know why, haven't been
living under a rock...
Roger Blake <rogblake@iname.invalid> wrote:
On 2022-02-12, Marc Haber <mh+usenetspam1118@zugschl.us> wrote:
Quoting the signature for a reason. I am not surprised.
End of discussion for me.
In other words you cannot support your position(s).
I don't want to. I have more important things to do than to argue with idiots.
NAT tends to be not only more work but also worse functionality.
I'm mainly thinking of how NAT keeps state in the routers, and
that home routers tend to drop the state after a while so that
e.g. long-lived TCP sessions tend to silently stop working.
Thankfully, in technologically advanced countries dual stack or dual
stack lite Internet Access is commodity and easily bought on the
market, even with competitive pricing.
You're fantasizing.
site-local is deprecated since years.
if they like to use a site-local-scope address range they should use
ULA and should randomize the bits from bit to to bit 48 to ensure
they have a unique prefix. If they then want to bring together 2
links with IPv6 ULA it works fine without changing one address.
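The ULA point above, as an added example (written for this page, not code from anyone in the thread): RFC 4193 builds a locally assigned ULA prefix as fd00::/8 followed by a 40-bit Global ID that must be drawn at random, giving each site its own /48, with a 16-bit Subnet ID completing each /64. Because each site's Global ID is independent, two ULA sites can be joined without renumbering, whereas every site using the deprecated fec0::/10 site-local prefix ended up with the same numbers and a conflict. The sample Global IDs used in the checks are constructed values.

```python
"""Added example (not from the thread): RFC 4193 ULA prefixes built from a
random 40-bit Global ID, and a check that two sites can be interconnected
without renumbering, in contrast to the deprecated site-local prefix."""
import secrets
from ipaddress import IPv6Network

ULA_LOCAL = IPv6Network("fd00::/8")    # fc00::/7 with the L bit set: locally assigned
SITE_LOCAL = IPv6Network("fec0::/10")  # deprecated by RFC 3879; every site shared it


def ula_prefix(global_id: int) -> IPv6Network:
    """fd | 40-bit Global ID -> the /48 for one site."""
    if not 0 <= global_id < 1 << 40:
        raise ValueError("Global ID must fit in 40 bits")
    top48 = (0xFD << 40) | global_id          # first 48 bits of the address
    return IPv6Network((top48 << 80, 48))     # shift into a 128-bit address


def random_ula_prefix() -> IPv6Network:
    """What a site should do: draw the Global ID from a CSPRNG, never pick it by hand."""
    return ula_prefix(secrets.randbits(40))


def subnet(site: IPv6Network, subnet_id: int) -> IPv6Network:
    """Append the 16-bit Subnet ID to the site's /48 to get one /64."""
    if site.prefixlen != 48 or not 0 <= subnet_id < 1 << 16:
        raise ValueError("need a /48 and a 16-bit Subnet ID")
    return IPv6Network((int(site.network_address) | (subnet_id << 64), 64))


def can_interconnect(site_a: IPv6Network, site_b: IPv6Network) -> bool:
    """Two sites can be joined without renumbering iff their prefixes do not overlap."""
    return not site_a.overlaps(site_b)


def collision_probability(n_sites: int) -> float:
    """Birthday-bound estimate that any two of n independently drawn Global IDs collide."""
    return n_sites * (n_sites - 1) / 2 / (1 << 40)


if __name__ == "__main__":
    # Constructed Global IDs for two independent sites.
    site_a = ula_prefix(0x0123456789)
    site_b = random_ula_prefix()
    print("site A:", site_a, "subnet 1:", subnet(site_a, 1))
    print("site B:", site_b)
    print("joinable:", can_interconnect(site_a, site_b))
    print("same site-local prefix joinable:", can_interconnect(SITE_LOCAL, SITE_LOCAL))
    print("collision odds for 1000 sites: %.2e" % collision_probability(1000))
```

The collision estimate is the standard birthday approximation, not a table from the RFC; it is what makes the "it works fine without changing one address" claim hold for any realistic number of sites that actually randomized their Global ID.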
That's /stateful/ NAT. There is also the older /stateless/ NAT that
does not have this problem.
There have been MANY technologies to more easily provide IPv6 access
than going dual-stack from end-to-end. Sadly, many ISPs aren't
utilizing them.
if they like to use a site-local-scope address range they should use
ULA and should randomize the bits from bit to to bit 48 to ensure
they have a unique prefix. If they then want to bring together 2
links with IPv6 ULA it works fine without changing one address.
That is contrary to the intention behind site-local / anycasted
addresses.
They scale very well if you have enough addresses available.
Why do we need a hierarchical system here? If we want addresses for
local-only services we can use ULA. Also, more than enough addresses are
available for all your needs.
That is what big companies and providers tell us. Everybody that
wants to use VoIP without any problems needs to be reachable from
the outside.
Then they can operate an SPI firewall. Windows has one enabled by
default, most home routers have one enabled.
If you have a good operating system, no server software runs on the
public addresses. Then there is also no problem at all without NAT
or an SPI fw.
Because of proxy servers and NAT companies like Facebook and Google
created other methods of tracking. They use User Agents, Cookies,
Browser storage to identify a user, they don't need an unique IP
address.
NAT first creates a flexibility and then you see how bad it is. Think
about DNS with servers that have private addresses and should have
a host name. You then need NAT hairpinning and other nasty stuff.
The main problem of that is that Windows has enabled server software
like NetBIOS over IP and SMB. This is the problem and NAT/SPI should
now solve the biggest security problem that MS was able to create? Personally, I don't care anymore about windows machines because they
are insecure by design.
Then do it if you like a really bad network infrastructure. What I
want is that I can switch off IPv4 at all at my side without having
problems to connect to other's servers.
I know and stateless NAT64
It is, but it makes sure that address conflicts are very seldom if you
need to interconnect such ULA prefixes from two sites.
On 2/15/22 12:08 PM, Marco Moock wrote:
I know and stateless NAT64
I was referring to stateless NAT44. E.g. prefix translation;
192.0.2.x/24 <=> 198.51.100.x/24
But in one simple step, NAT eliminates a whole major class of security
issues for client systems (including Linux and other OS's). It does
so in a way that is not only easy to get right, it is also hard to
get wrong.
And it is always a balance between keeping out the stuff you don't
want, while letting in the stuff you /do/ want with as little user
inconvenience as possible. NAT plays an important part in the security
in a lot of systems because it provides a huge step at keeping out
unwanted stuff while being of very little inconvenience to most users.
On 2/13/22 5:51 AM, Marco Moock wrote:
Why do we need a hierarchical system here? If we want addresses
for local-only services we can use ULA. Also, more than enough
addresses are available for all your needs.
Site-local vs link-local immediately comes to mind.
That is what big companies and providers tell us. Everybody that
wants to use VoIP without any problems needs to be reachable from
the outside.
I've used VoIP without any problem without globally routed addresses.
Then they can operate an SPI firewall. Windows has one enabled by
default, most home routers have one enabled.
I think that it's important to keep time & context in mind. Windows
has an SPI firewall enabled by default /now/. It did not 20 years
ago.
If you have a good operating system, no server software runs on the
public addresses. Then there is also no problem at all without NAT
or an SPI fw.
I will not bet my security on "good operating system" nor "no server
software runs on the public address" /alone/. Does "belt and
suspenders" or "layers of security" mean anything?
Also, trusting the IP address alone is insufficient. IPs used to be
far more dynamic than they are today. Thus you couldn't rely on them
for identification in the vast majority of situations.
NAT first creates a flexibility and then you see how bad it is.
Think about DNS with servers that have private addresses and should
have a host name. You then need NAT hairpinning and other nasty
stuff.
I guess setting up an internal zone to resolve the name to the LAN IP
is "other nasty stuff".
The main problem of that is that Windows has enabled server
software like NetBIOS over IP and SMB. This is the problem and
NAT/SPI should now solve the biggest security problem that MS was
able to create? Personally, I don't care anymore about windows
machines because they are insecure by design.
Then do it if you like a really bad network infrastructure. What I
want is that I can switch off IPv4 at all at my side without
having problems to connect to other's servers.
Currently (2022) you will have better connectivity with IPv4+IPv6
with NAT than you will with IPv6 only. Sadly, the Internet isn't
even close to parity between IPv4 and IPv6 from a service
availability standpoint.
I know it exists, but what is the purpose of that?
I have never seen that in productive networks yet.
I know, but the main problem already was and is still that Windows is
running server software by default.
True, both are there and there are use cases where they are useful
or not.
I also have that situation at home, but it is very annoying.
I know, but the main problem already was and is still that Windows
is running server software by default.
I know that, but I definitely don't rely on firewalling. I disable the
cause of the security issue and I don't try to make it less vulnerable
with a FW.
I also don't rely on them for auth, but i use them as an additional
criteria if possible.
Yes, that is what I mean because that often creates problems.
First, DNS uses caching and a computer that was outside may have the
public IP in its cache (TTL not expired yet) and will not ask the
name server again when coming to the internal net.
Then a computer doesn't need to use the specific DNS to resolve the
name. Maybe it is configured to use a specific DNS. Google Chrome
and Firefox offer DNS over HTTPS and maybe use that instead of the
DNS the computer gets via IPv6-RA/DHCP.
Full ack, it is really annoying that I still need to have IPv4
connectivity, especially when self-hosting my servers I need to access
from IPv4-only nets.
Other options of getting your Internet ip address.
On 2/15/22 09:36, Bit Twister wrote:
Other options of getting your Internet ip address.
ifconfig is fine for me, thanks
On 2/13/22 5:58 AM, Marc Haber wrote:
You're fantasizing.
No I'm not.
I've worked on many servers that have (at least) the following per
interface:
- link-local
- old GUA
- current GUA
- new GUA
With at least three interfaces. 3 x 4 = 12
That all assumes a single IPv6 address per prefix. Many systems that
I've worked on have had multiple IPv6 addresses per prefix as part of
how they offer services:
- management IP
- web service VIP
- mail service VIP
On 2/13/22 6:05 AM, Marco Moock wrote:
site-local is deprecated since years.
Agreed.
Though I still think there are uses for it. E.g. the local SMTP relay
server at this site. Road warriors don't need to reconfigure anything
as they go office to office.
[...]
You could try to partition your network into a "guest" subnet and a
"home" subnet and place a stateful firewall in front of the guest
subnet, but very few consumer router/AP combos offer a user-friendly
way to make this separation. (Happy to be proven wrong on this point.)
On Tuesday, 15 February 2022, at 12:15:00, Grant Taylor wrote:
On 2/13/22 5:51 AM, Marco Moock wrote:
Then they can operate an SPI firewall. Windows has one enabled by
default, most home routers have one enabled.
I think that it's important to keep time & context in mind. Windows
has an SPI firewall enabled by default /now/. It did not 20 years
ago.
I know, but the main problem already was and is still that Windows is
running server software by default.
If you have a good operating system, no server software runs on the
public addresses. Then there is also no problem at all without NAT
or an SPI fw.
I will not bet my security on "good operating system" nor "no server
software runs on the public address" /alone/. Does "belt and
suspenders" or "layers of security" mean anything?
I know that, but I definitely don't rely on firewalling. I disable the
cause of the security issue and I don't try to make it less vulnerable
with a FW.
Also, trusting the IP address alone is insufficient. IPs used to be
far more dynamic than they are today. Thus you couldn't rely on them
for identification in the vast majority of situations.
I also don't rely on them for auth, but i use them as an additional
criteria if possible.
NAT first creates a flexibility and then you see how bad it is.
Think about DNS with servers that have private addresses and should
have a host name. You then need NAT hairpinning and other nasty
stuff.
I guess setting up an internal zone to resolve the name to the LAN IP
is "other nasty stuff".
Yes, that is what I mean because that often creates problems.
First, DNS uses caching and a computer that was outside may have the
public IP in its cache (TTL not expired yet) and will not ask the name
server again when coming to the internal net.
Then a computer doesn't need to use the specific DNS to resolve the
name. Maybe it is configured to use a specific DNS. Google Chrome and
Firefox offer DNS over HTTPS and maybe use that instead of the DNS the
computer gets via IPv6-RA/DHCP.
The main problem of that is that Windows has enabled server
software like NetBIOS over IP and SMB. This is the problem and
NAT/SPI should now solve the biggest security problem that MS was
able to create? Personally, I don't care anymore about windows
machines because they are insecure by design.
Then do it if you like a really bad network infrastructure. What I
want is that I can switch off IPv4 at all at my side without
having problems to connect to other's servers.
Currently (2022) you will have better connectivity with IPv4+IPv6
with NAT than you will with IPv6 only. Sadly, the Internet isn't
even close to parity between IPv4 and IPv6 from a service
availability standpoint.
Full ack, it is really annoying that I still need to have IPv4
connectivity, especially when self-hosting my servers I need to access
from IPv4-only nets.
You could try to partition your network into a "guest" subnet and a
"home" subnet and place a stateful firewall in front of the guest
subnet, but very few consumer router/AP combos offer a user-friendly
way to make this separation. (Happy to be proven wrong on this point.)
On 2/15/22 1:18 PM, Marco Moock wrote:
I also have that situation at home, but it is very annoying.
What /specifically/ is annoying?
What doesn't function at all?
What do you want to change?
I know, but the main problem already was and is still that Windows
is running server software by default.
I think that "by default" is the most operative part of that
statement.
It's entirely possible to configure Windows so that it's considerably
safer to have as a server. But it takes effort and is decidedly
against the default. One of the first things to do is to unbind
Client for Microsoft Networks and File & Printer Sharing from NICs.
First, DNS uses caching and a computer that was outside may have the
public IP in its cache (TTL not expired yet) and will not ask the
name server again when coming to the internal net.
Understood.
I'd be curious to know what client device is retaining local stub
resolver cache when changing networks and therefore likely changing
DNS server configuration.
Then a computer doesn't need to use the specific DNS to resolve the
name. Maybe it is configured to use a specific DNS. Google Chrome
and Firefox offer DNS over HTTPS and maybe use that instead of the
DNS the computer gets via IPv6-RA/DHCP.
Don't get me started on the overzealous use of DoH. There are MANY
aspects of enterprise networks which break when things naively assume
that an outside the enterprise DNS server can provide the same DNS
service.
Full ack, it is really annoying that I still need to have IPv4
connectivity, especially when self-hosting my servers I need to
access from IPv4-only nets.
Sadly, I think we're going to be in the current state for one to
three decades.
On Wednesday, 16 February 2022, at 01:53:31, meff wrote:
You could try to partition your network into a "guest" subnet and a
"home" subnet and place a stateful firewall in front of the guest
subnet, but very few consumer router/AP combos offer a user-friendly
way to make this separation. (Happy to be proven wrong on this point.)
The main problem here is that most people don't care about their
network. Additionally, many ISPs only offer /64 prefixes and it is a
PITA to subnet them to 2 /65 because you then need DHCPv6 to address
your devices. The additional work isn't worth the goal here for most
people.
Last time I had a "whole home gateway" from the ISP, it'd give a
completely separate /64 to the "Guest WiFi" (if v6 was enabled on it).
On 15/02/2022 21:18, Marco Moock wrote:
On Tuesday, 15 February 2022, at 12:15:00, Grant Taylor wrote:
On 2/13/22 5:51 AM, Marco Moock wrote:
Then they can operate an SPI firewall. Windows has one enabled by
default, most home routers have one enabled.
I think that it's important to keep time & context in mind.
Windows has an SPI firewall enabled by default /now/. It did not
20 years ago.
I know, but the main problem already was and is still that Windows
is running server software by default.
Does it matter if all security problems are from Windows? Windows is
very common on desktops, laptops, and even servers. You don't have to
like it, but you have to deal with it.
In reality, all OS's have flaws, and many modern Linux distributions
have ports open in their default installation. Then come the users,
who might do any kind of misconfiguration or run software that has
bugs in it. Windows has more than its fair share of security issues,
historically even more so, but only a fool thinks other systems are
"safe".
Does anyone other than /you/ use the networks you set up and run? Do
you have anything on the networks other than *nix machines that you
have personally configured and checked? What about phones? Printers
at the office? Apple TV and smart power meter on the home network?
Are you /sure/ that none of these have flaws?
Unless you are absolutely sure that you have full control over /all/
systems on a network, and their users, then you /do/ rely on
firewalling.
Yes, that is what I mean because that often creates problems.
First, DNS uses caching and a computer that was outside may have the
public IP in its cache (TTL not expired yet) and will not ask the
name server again when coming to the internal net.
Short TTL's work fine in such cases. I have never heard of this
being a problem in practice.
Computers should get their DNS via DHCP unless you have very specific
reasons for picking something different. Normal users don't get to
faff around with their DNS settings any more than they get to choose
their own IP address.
I like IPv4 - addresses are easier to remember than IPv6.
On Wednesday, 16 February 2022, at 16:48:45, Dan Purgert wrote:
Last time I had a "whole home gateway" from the ISP, it'd give a
completely separate /64 to the "Guest WiFi" (if v6 was enabled on it).
That is the best practice, but sometimes not possible because the
customer only gets /64 at all.
All those would also apply for IPv4, are thus not a liability of IPv6.
That's what sane networks have DNS for.
That being said, I like using the well-defined addresses for DNS
servers that sadly never made it into a formal standard.
Even the $50 TPLink stuff can do a guest WiFi network, such as the
Archer A7.
¹ there are no subnets in IPv6, but you get the idea
That I need a special application gateway (that does NAT in the
background) on my Cisco router to make SIP/RTSP work.
If I don't have such a special NAT "gateway" I wouldn't be able to
be called from others via IPV4.
Getting rid off NAT here to get rid off that gateway. With IPv6 I
don't need that and it is a much easier configuration. Easier for
me means more reliable because less things can get broken.
I assume systemd-resolved does, I already experienced that with
it. The reason for that is that DNS with globally resolved domains is
intended to be equal regardless of which resolver you ask. For the
caches I see no reason in clearing the cache if the network comes up/down.
Completely agree, but if you have just one computer that isn't
administered by the company you need to emanate that some users don't
use your local resolver.
Maybe yes, but there is hope over the horizon, some big tech companies
implement IPv6 and I just wait until they say "we switch off IPv4
in one year" or "websites without IPv6 connectivity will be unlisted
from Google".
IPv4 doesn't /require/ the use of a link-local address. IPv6 does.
IPv4 would likely not have the old, current, and new IPv4 address all
at the same time.
On Wednesday, 16 February 2022, at 13:01:23, David Brown wrote:
On 15/02/2022 21:18, Marco Moock wrote:
On Tuesday, 15 February 2022, at 12:15:00, Grant Taylor wrote:
On 2/13/22 5:51 AM, Marco Moock wrote:
Then they can operate an SPI firewall. Windows has one enabled by
default, most home routers have one enabled.
I think that it's important to keep time & context in mind.
Windows has an SPI firewall enabled by default /now/. It did not
20 years ago.
I know, but the main problem already was and is still that Windows
is running server software by default.
Does it matter if all security problems are from Windows? Windows is
very common on desktops, laptops, and even servers. You don't have to
like it, but you have to deal with it.
That's what I do.
I tell everybody running Windows about that and offer to configure
their system that way that these services are turned off.
In reality, all OS's have flaws, and many modern Linux distributions
have ports open in their default installation. Then come the users,
who might do any kind of misconfiguration or run software that has
bugs in it. Windows has more than its fair share of security issues,
historically even more so, but only a fool thinks other systems are
"safe".
I know, I mostly use Ubuntu and it has mDNS (Avahi) by default. That is
the first thing I uninstall, although it only affects the link-local
area.
Does anyone other than /you/ use the networks you set up and run? Do
you have anything on the networks other than *nix machines that you
have personally configured and checked? What about phones? Printers
at the office? Apple TV and smart power meter on the home network?
Are you /sure/ that none of these have flaws?
My family uses the home network. They are aware that IPv6 isn't
firewalled, IPv4 uses NAT so they are SPI-firewalled regardless if they
want it or not.
Unless you are absolutely sure that you have full control over /all/
systems on a network, and their users, then you /do/ rely on
firewalling.
I often check the computers with nmap. For me that is enough,
especially because finding IPv6 computers with EUI64 addresses outside
of the local link is a very slow process unless they connect to you.
Yes, that is what I mean because that often creates problems.
First, DNS uses caching and a computer that was outside may have the
public IP in its cache (TTL not expired yet) and will not ask the
name server again when coming to the internal net.
Short TTL's work fine in such cases. I have never heard of this
being a problem in practice.
I already experienced it. Short TTL's are creating more DNS traffic. I
see no reason for that if it is possible to avoid it.
Computers should get their DNS via DHCP unless you have very specific
reasons for picking something different. Normal users don't get to
faff around with their DNS settings any more than they get to choose
their own IP address.
I experienced that many users configure their own DNS because they
think it is "better" in any way. I also know locations (my school) that
practises DNS spoofing. This causes people to implement DNSoTLS to go
around that restriction.
I like IPv4 - addresses are easier to remember than IPv6.
I know, but if you only need link-local connectivity you can give them
specific link-local addresses. I do that with my router (fe80::1).
If you need routable addresses you can use ULA without randomizing bit
8 to bit 48, but only do that if you are 100% sure you will never
want to connect your link with anybody else's link.
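The ULA advice in this post and earlier in the thread (randomize bits 8 to 48, i.e. the 40-bit Global ID of RFC 4193, before you ever have to join two sites), as an added worked example that is not from any poster here. Python standard library only; the function names and the constructed Global IDs are mine, and a CSPRNG stands in for the RFC's hash-of-time-and-EUI-64 derivation.

```python
import ipaddress
import secrets

ULA_L_PREFIX = 0xfd << 120   # fd00::/8: fc00::/7 with the L ("locally assigned") bit set


def generate_ula_prefix(global_id=None):
    """Return a /48 ULA prefix: fd | 40-bit Global ID (bits 8..47) | zeros.

    RFC 4193 derives the Global ID from a hash over the current time and an
    EUI-64; a CSPRNG (an assumption of this example) gives the property that
    matters here: two sites choosing independently almost never pick the
    same prefix (about 1 chance in 2**40).
    """
    if global_id is None:
        global_id = secrets.randbits(40)
    if not 0 <= global_id < (1 << 40):
        raise ValueError("Global ID must fit in 40 bits")
    return ipaddress.IPv6Network((ULA_L_PREFIX | (global_id << 80), 48))


def subnet(prefix, subnet_id):
    """One /64 out of the /48, selected by the 16-bit Subnet ID (bits 48..63)."""
    if not 0 <= subnet_id < (1 << 16):
        raise ValueError("Subnet ID must fit in 16 bits")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


def site_networks(prefix, count):
    """The first `count` /64s a site would hand out from its /48."""
    return [subnet(prefix, i) for i in range(count)]


def merge_conflicts(site_a, site_b):
    """The /64s that would collide if the two sites' links were joined."""
    return sorted(set(site_a) & set(site_b))


def demo():
    """Compare two sites that skipped the randomization with two that did it.

    Returns (collisions without random Global ID, collisions with random Global ID).
    """
    # Both sites "just used" fd00::/48 (Global ID 0): every subnet collides.
    lazy_a = site_networks(generate_ula_prefix(0), 3)
    lazy_b = site_networks(generate_ula_prefix(0), 3)
    # Each site drew its own Global ID: the /48s differ, so no /64 collides.
    rand_a = site_networks(generate_ula_prefix(), 3)
    rand_b = site_networks(generate_ula_prefix(), 3)
    return len(merge_conflicts(lazy_a, lazy_b)), len(merge_conflicts(rand_a, rand_b))


if __name__ == "__main__":
    print(demo())   # (3, 0)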
On Wednesday, 16 February 2022, at 20:56:17, Marc Haber wrote:
¹ there are no subnets in IPv6, but you get the idea
Why are there no subnets in IPv6?
I can do subnetting just like with IPv4.
On 2/16/22 1:28 AM, Marc Haber wrote:
All those would also apply for IPv4, are thus not a liability of IPv6.
Not quite.
IPv4 doesn't /require/ the use of a link-local address. IPv6 does.
IPv4 would likely not have the old, current, and new IPv4 address all at
the same time.
On 2/16/22 8:24 AM, Marco Moock wrote:
That I need a special application gateway (that does NAT in the
background) on my Cisco router to make SIP/RTSP work.
If I don't have such a special NAT "gateway" I wouldn't be able to
be called from others via IPV4.
What's more responsible for that problem? SIP itself or NAT? There are
many other protocols that work through NAT perfectly fine without the
need for such shenanigans.
It's been a while, but I think that it is possible for SIP clients to
connect to a globally routed IPv4 address that is port forwarded / NATed
to an internal server without the need for the NAT gateway shenanigans.
But, maybe I'm mis-remembering things. Maybe it was configuration of
the SIP server saying "Report $THIS external IP."
I assume systemd-resolved does, I already experienced that with
it. The reason for that is that DNS with globally resolved domains is
intended to be equal regardless of which resolver you ask. For the
caches I see no reason in clearing the cache if the network comes up/down.
Bleck
I actively avoid systemd and its ilk.
Completely agree, but if you have just one computer that isn't
administered by the company you need to emanate that some users don't
use your local resolver.
Maybe yes, but there is hope over the horizon, some big tech companies
implement IPv6 and I just wait until they say "we switch off IPv4
in one year" or "websites without IPv6 connectivity will be unlisted
from Google".
Ha! I don't think we'll see big services turning off IPv4 any time
soon. I doubt we will see it in the next decade, if not more like two
decades.
On 2/16/22 1:29 AM, Marc Haber wrote:
That's what sane networks have DNS for.
Not everything supports DNS.
That being said, I like using the well-defined addresses for DNS
servers that sadly never made it into a formal standard.
You mean something like the same site-local address for the local DNS
server? }:-)
On 2022-02-16, Dan Purgert <dan@djph.net> wrote:
Even the $50 TPLink stuff can do a guest WiFi network, such as the
Archer A7.
Sorry I'm specifically referring to IPv6 subnetting here.
It's probably time I looked more seriously at IPv6
SIP is a really horrible protocol. It should have been in an April
Fools RFC.
That is incredibly painful, especially if you want to _receive_ calls.
Maybe. Doesn't work with a dynamic IP address.
Why am I not surprised about that?
Yes. You're part of the party that makes sure it's going to happen
this way.
That does not mean that internal networks won't go single stack IPv6.
I don't mind having a handful of dual-stacked, internet-facing servers.
Subnetting is terminology from classful IPv4 addressing.
For example, 172.16.24.0/24 is a subnet of the class B network
172.16.0.0.
In classless IP networking, there are just networks.
The subnetting expression is unkillable just like the "Class C"
for a /24, even if it's 10.0.2.0/24. Thankfully, no one says supernet
any more.
And it can do v6 as well ... obviously your ISP would need to support
it.
It's probably time I looked more seriously at IPv6 - this thread and
posts like yours have inspired me there. (Thanks for that.) It sounds
that there are differences in the kind of network and users we deal
with, and that leads to different experiences and different solutions.
On 2/17/22 3:06 AM, Marc Haber wrote:
Subnetting is terminology from classful IPv4 addressing.
Chuckle.
For example, 172.16.24.0/24 is a subnet of the class B network
172.16.0.0.
Technically accurate. Though not many, including networking people,
understand, much less can explain, what you have just stated.
Whatever the reason, many people will tell you that 10.0.0.0/24 is the
subnet that their router uses by default.
The subnetting expression is unkillable just like the "Class C"
for a /24, even if it's 10.0.2.0/24. Thankfully, no one says supernet
any more.
I've taken to saying "Class C /Sized/" network.
There are only so many
windmills that I'm capable of tilting at. I tend to prefer to tilt at
windmills that I feel that I can change.
On 2022-02-17, David Brown <david.brown@hesbynett.no> wrote:
It's probably time I looked more seriously at IPv6 - this thread and
posts like yours have inspired me there. (Thanks for that.) It sounds
that there are differences in the kind of network and users we deal
with, and that leads to different experiences and different solutions.
I enjoyed sending [Hello IPv6](https://metebalci.com/blog/hello-ipv6/)
as a good introduction to some friends.
On 2/17/22 1:12 AM, David Brown wrote:
It's probably time I looked more seriously at IPv6
Yes. Many would say it's past time that you look more seriously at IPv6.
I was quite happy with the introduction / tutorial / training /
certification that Hurricane Electric offered years ago. Purportedly
they still offer the same.
Learn about it and start using IPv6.
Many people still learn that in school and are actually required to
reproduce that knowledge in exams. And then they begin working with
real networks and we have to make them forget.
Correct way to teach IP networks is to begin with IPv6, and then
gradually add IPv4 and explain the crutches that IPv4 needs to still
work. That way, people would not learn those crutches as being
essential part of the protocol like they do today.
But it still is the network on the internal interface of the router.
That sounds acceptable to me. I will still try to say "slash
vierundzwanzig".
Wise.
Also, if you have a /56 from your provider, you mostly need to
use /64 for your client nets, so you still do a process like
subnetting/supernetting (for routing).
True, but there are too many people that say "IPv6 isn't needed",
"IPv6 isn't supported by all devices", "IPv4 is enough", "I don't
know about IPv6" and some more bullshit.
I can't point to anything that I want to do today that requires me to
use IPv6.
...
My ISP only provides IPv4, so it must be sufficient. Correct?
N.B. Despite what the IPv6 zealots want to believe, there is a LOT that
DHCP for IPv6 offers that can't be done dynamically with SLAAC et al.
DHCP provides a LOT of configuration information that end user systems
use, particularly in SMB or larger enterprise networks.
Also, if you have a /56 from your provider, you mostly need to use /64
for your client nets, so you still do a process like
subnetting/supernetting (for routing).
This is just choosing a different prefix for your network. There is no
magic in that.
On 2/18/22 12:26 AM, Marc Haber wrote:
Many people still learn that in school and are actually required to
reproduce that knowledge in exams. And then they begin working with
real networks and we have to make them forget.
I don't think that we need to make them forget.
DHCPv6 does perfectly coexist with SLAAC.
SLAAC provides basic connectivity, allowing management access. And then
DHCPv6 comes in and statelessly provides additional operational data.
Classful thinking is harmful to today's networking, even in the IPv4
world. It is bad to examine people in a discipline that they will
never actively need. That is only relevant for historians.
All three of these require some very basic knowledge of what classful
networking is.
1) There is a *HUGE* /difference/ in explaining what something is
versus advocating for its use.
Case in point: Marc, you couldn't be as strong an advocate against
classful networking if you weren't aware of it.
2) Most people need at least some understanding of why something is
bad in order to choose not to use it. That is predicated on having a
minimal understanding of what said thing is.
3) If people have never been exposed to something, much less why it's
bad, there is a reasonable chance that some of them will either
re-invent (a variant of) it or discover it and take it up as a good idea.
On Friday, 18 February 2022, at 20:33:06, Marc Haber wrote:
This is just choosing a different prefix for your network. There is no
magic in that.
But to do that correctly you need to be aware how subnetting works.
You need to understand what /<any number> means etc.
On 2/18/22 12:34 PM, Marc Haber wrote:
DHCPv6 does perfectly coexist with SLAAC.
Yes and no.
Yes they perfectly co-exist in a /64, presuming there aren't conflicts.
No, they don't mix well when something other than a /64 is used in
conjunction with DHCP.
SLAAC provides basic connectivity, allowing management access. And then
DHCPv6 comes in and statelessly provides additional operational data.
If we apply Occam's Razor (the simpler solution is usually better) and
Parsimony (we only need one solution) to the two possible solutions DHCP
or DHCP+SLAAC, we quickly see that SLAAC is not /strictly/ necessary.
On Friday, 18 February 2022, at 13:41:50, Grant Taylor wrote:
All three of these require some very basic knowledge of what classful
networking is.
I agree.
Also it is helpful to know the history to know why the default mask in
Windows depends on the IP address entered. I also only understood
that after knowing what classful IPv4 is.
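The two points this post and the exchange before it turn on, the classful default mask an old UI derives from the address you type and the subnetting you still do when carving a delegated /56 into /64 client nets, as an added worked example that no one in the thread wrote. Python standard library only; the function names and the 2001:db8::/32 documentation-prefix values are mine, the IPv4 examples (172.16.24.0/24, 10.0.2.0/24) are the ones quoted above.

```python
import ipaddress


def classful_default_mask(addr):
    """Prefix length the old classful rules imply from the first octet.

    Pre-CIDR, the leading bits of an address fixed its class and therefore
    its mask; old UIs that pre-fill a mask from the address entered still
    encode this. Under CIDR the mask is whatever the prefix length says.
    """
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:      # 0xxxxxxx : class A, /8
        return 8
    if first_octet < 192:      # 10xxxxxx : class B, /16
        return 16
    if first_octet < 224:      # 110xxxxx : class C, /24
        return 24
    raise ValueError("class D (multicast) and E addresses have no default mask")


def classful_network(network):
    """The classful network a CIDR prefix would historically belong to."""
    net = ipaddress.IPv4Network(network)
    mask = classful_default_mask(net.network_address)
    return ipaddress.IPv4Network((int(net.network_address), mask), strict=False)


def is_subnet_of_classful_network(network):
    """True when the prefix is a proper subnet of its classful parent
    (172.16.24.0/24 inside 172.16.0.0/16), False when it is the parent itself."""
    net = ipaddress.IPv4Network(network)
    parent = classful_network(net)
    return net != parent and net.subnet_of(parent)


def client_networks(delegated, new_prefix=64):
    """Carve a delegated prefix (a /56 from the ISP, say) into /64 client nets."""
    net = ipaddress.ip_network(delegated)
    if new_prefix < net.prefixlen:
        raise ValueError("the new prefix cannot be shorter than the delegated one")
    return list(net.subnets(new_prefix=new_prefix))


def aggregate(networks):
    """The opposite direction: the fewest prefixes covering all client nets,
    i.e. what the router announces upstream instead of 256 separate /64s."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in networks))
```

The pair `client_networks` / `aggregate` is the "subnetting/supernetting (for routing)" step from a few posts up, and it is the same prefix arithmetic whether the input is a /56 or an IPv4 /24; `classful_network` is only there to show where the "Class C" habit and the auto-filled Windows mask come from, and that for 10.0.2.0/24 the classful parent is 10.0.0.0/8, not a "Class C".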
What kind of Conflicts do you mean?
Using something other than a /64 is applying IPv4 practices to IPv6.
That's a decidedly bad idea.
SLAAC adds complexity. Stateless DHCPv6 removes more complexity than
SLAAC adds.
Using something other than a /64 is applying IPv4 practices to IPv6.
I want people to stop knowing about it.
I am not against telling people in the last hour of class "now that
you know how things work, I'm going to tell you how things started.
This is just a history lesson, don't ever try to implement this on
the Internet."
Using something other than a /64 is applying IPv4 practices to IPv6.
On 2/19/22 2:03 AM, Marc Haber wrote:
Using something other than a /64 is applying IPv4 practices to IPv6.
I've seen people use /128s out of a single /64 for (primary) loop-back
addresses on all their routers.
On 2/19/22 2:03 AM, Marc Haber wrote:
Using something other than a /64 is applying IPv4 practices to IPv6.
I have seen people use something other than /64 on networks as memory
protection against exploding a neighbor cache on a link with very few
systems. E.g. a mostly point to point link using a /120 ~ /124 or even
a /127. Particularly on non-point-to-point links that are used as
point-to-point links, e.g. Ethernet cross over cable.
On 2/19/22 2:03 AM, Marc Haber wrote:
What kind of Conflicts do you mean?
Different /64 prefixes. }:-)
Using something other than a /64 is applying IPv4 practices to IPv6.
And yet this very thread has talked about /56 or even /48 from
providers. Those aren't /64.
SLAAC adds complexity. Stateless DHCPv6 removes more complexity than
SLAAC adds.
So why is SLAAC actually /needed/ in a DHCPv6 environment?
So why is SLAAC actually /needed/ in a DHCPv6 environment?
The idea of having DHCPv6 without SLAAC is usually either born out of
IPv4 thinking or from Corporate "Security".
On Sunday, 20 February 2022, at 07:39:46, Marc Haber wrote:
The idea of having DHCPv6 without SLAAC is usually either born out of
IPv4 thinking or from Corporate "Security".
Or if you like that a computer gets a "specific" address and not one
that it generates via privacy extensions (default in most OSes).
The idea of having DHCPv6 without SLAAC is usually either born out of
IPv4 thinking or from Corporate "Security".
On 2022-02-20, Marc Haber <mh+usenetspam1118@zugschl.us> wrote:
The idea of having DHCPv6 without SLAAC is usually either born out of
IPv4 thinking or from Corporate "Security".
IPv4 thinking is the only thinking that counts as far as I am concerned.
No IPv6 here, not now, not ever.
So sorry, can't cure stupid.
IPv4 thinking is the only thinking that counts as far as I am concerned.
No IPv6 here, not now, not ever.
I remember when Microsoft started enabling IPv6 by default on server
OSs. It was possible to ignore it for a while. But then things started
to try to use it. As such, it required active management or active disabling. That was 10-15 years ago.
Do you guys know that Microsoft stopped testing Windows in IPv4 only environments years ago?
Do you really want to run all those untested code paths?
If I remember correctly, on premises Exchange isn't even supported
any more in IPv4 only setups.
If I remember correctly, on premises Exchange isn't even supported any
more in IPv4 only setups.
On Monday, 21 February 2022, at 18:41:32, Marc Haber wrote:
If I remember correctly, on premises Exchange isn't even supported any
more in IPv4 only setups.
It definitely works without global IPv6 connectivity, but sometimes
uses link-local IPv6 to communicate with other Exchange servers.