When IPv6 is available on access networks, the provider will often use DHCPv6-PD
(prefix delegation) to tell the access router what subnet to use on its "inside"
network. The router can then do whatever it wants with that space -- it can
offer DHCPv6 on its own, it can announce its presence to allow autoconfiguration
to work (assuming, as is usually the case, that the inside network is a /64),
etc.
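As an added illustration (not part of the thread, and not any router's code), here is the prefix arithmetic the post describes, in Python: the ISP delegates a prefix via DHCPv6-PD, the access router carves it into /64s for its inside segments, and a host forms its global address from the announced /64 plus an interface identifier. The delegated prefix and the MAC address are constructed values from the documentation range, and `carve_lans`, `eui64_interface_id` and `slaac_address` are names chosen here.

```python
import ipaddress

# Constructed example input: the ISP's DHCPv6-PD server delegates this /56 to the
# access router. 2001:db8::/32 is reserved for documentation, so it is not a real network.
DELEGATED_PREFIX = "2001:db8:abcd:ff00::/56"


def carve_lans(delegated: str, count: int) -> list:
    """Split the delegated prefix into the /64s the router will announce, one per inside segment.

    SLAAC only runs on a /64, so a /64 delegation gives exactly one segment and anything
    longer than /64 gives none.
    """
    pd = ipaddress.IPv6Network(delegated)
    if pd.prefixlen > 64:
        raise ValueError(f"{delegated} is longer than a /64; SLAAC cannot run on it")
    subnets = list(pd.subnets(new_prefix=64))          # 2**(64 - prefixlen) of them
    if count > len(subnets):
        raise ValueError(f"only {len(subnets)} /64s fit in {delegated}, {count} requested")
    return subnets[:count]


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, appendix A):
    split the 48-bit MAC, insert ff:fe in the middle, flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")


def slaac_address(lan: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """The address a host forms from the router advertisement for `lan` plus its own EUI-64."""
    if lan.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix (RFC 4862)")
    return ipaddress.IPv6Address(int(lan.network_address) + eui64_interface_id(mac))


if __name__ == "__main__":
    for lan in carve_lans(DELEGATED_PREFIX, 3):
        print(lan, "->", slaac_address(lan, "00:11:22:33:44:55"))
```

The EUI-64 form is shown because it is the classic one, but it embeds the host's MAC in every address it uses; that is why RFC 4941 temporary addresses and RFC 7217 stable opaque identifiers are the default on most current stacks. The prefix handling is identical either way, only the low 64 bits differ.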
NAT66 exists but, thankfully, it doesn't seem to be widely deployed.
As for static vs dynamic, I don't know whether the /64 assigned to a subscriber using DHCPv6-PD is static or dynamic. The transport address used on the outside of the router will not be static, but with NAT out of the picture, the transport address doesn't matter anymore. So it should be a simple matter of "router joins the network, head end identifies the subscriber, and routes their static /64 to that transport address" ... but who knows whether they are actually doing that. Hopefully they will understand that a home network that is constantly renumbering itself is a bad idea.
NAT66 exists but, thankfully, it doesn't seem to be widely deployed.
egad yes. I mean the whole point of v6 is to avoid NAT
There are still people who want NAT66, because muh security by obscurity.
I wouldn't let these people anywhere near my network.
Well, NAT66 is pretty much the only way you can have ipv6 subnetworks if they
don't delegate good prefixes for you... which really sucks... I mean, really...
It has occurred to me that many intercepting http proxies I am running depend on some form of friendly nat, so it is not as if all nat is bad. It is massive nat and nat as firewall what is ugly.
Thu Sep 05 2019 09:35:44 EDT from IGnatius T Foobar @ Uncensored
Until the mid-1990s, having Internet at all meant having a globally unique, and usually static, IPv4 address. Back then, the end-to-end nature of IP was usable. Dynamic addressing and NAT ended that, which is one reason so many consumer products are tied to a hosted service if you want to be able to reach them remotely. IPv6 will fix that, but its adoption is long overdue.
From 1996 until 2000, this BBS was attached to the Internet on a dialup connection.
I paid my ISP for a static IP address and permission to keep the connection pinned up over an unmetered local call. It was crude, but it worked, and it saved the board from extinction when everyone moved over to the Internet.
In fact, it became more popular than before because it was multiuser and some old friends returned who had moved out of the area. Eventually I was able to secure a DSL connection with a static IP address and explicit permission to run servers, which served us well until 2007 when I moved it into a hosting center.
There's nothing about DNS that makes it a baked-in part of using the Internet.
It's really just based on a consensus that everyone's going to use the same root. Sidenets can -- and should -- use their own discovery and location protocols.
Well, even when my DNS was borked - the IP address was still working fine, of course. The problem is, my ISP gives dynamic IPs - and though they don't rotate often, they do rotate - which ties me to DNS and DDNS for now. If there is a better way, I'll be the first in line. ;)
2019-09-06 23:47 from IGnatius T Foobar
There are still people who want NAT66, because muh security by
obscurity.
I wouldn't let these people anywhere near my network.
That is correct. Stateful packet filters handle this problem in an equally secure way without requiring NAT
Gah. NAT-over-IP6 just... no...
There are *so* many IP addresses in IPv6. And certain people don't seem to understand this. A certain university hired us to perform penetration testing against their network environment. They wanted both IPv4 and IPv6.
They didn't understand why we didn't offer IPv6 port scanning. They didn't understand that there isn't enough time in the world to scan *all* *those* *ip* *addresses* for open ports, even for their 'small' network.
And if we can't really do it, an attacker can't, either.
I'm intrigued, though, at what new vulnerabilities folks will find in IPv6, for all the trouble taken to secure it.
The #1 vulnerability in IPv6 right now is quite simple: someone didn't know
IPv6 was activated, and because of that, many things are wide open for access.
The very thing that makes IPv6 awesome, which is the end of using NAT, is also the thing that makes it tricky to secure, because there's no default position of something being inaccessible from the Internet because you didn't do a NAT mapping. It's always available unless you stick an ACL in front of it.
Yeah, I have some awareness of that side of it, although I'd like to understand it better.
I wanted to have IPv6 at home for a while, for this very reason. But, y'know, Comcast sucks. They provide it, but clumsily.
The key word is "DHCPv6-PD". If your ISP and your router both support this
mode of operation, your client devices will have globally routable IPv6 addresses
assigned to them. Now, the router will probably block incoming IPv6 connections
by default, like all firewalls should, but opening something up will only
involve a firewall rule, instead of also having to map a port.
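An added example (not from the thread, and not any real firewall's code) of the point the last two IGnatius posts make: with globally routable addresses inside, a host is reachable from the Internet unless a stateful filter sits in front of it, and exposing a service is a single allow rule rather than a port mapping. The Python below is a toy model of such a filter; the LAN prefix and addresses are constructed from the documentation range, and the `StatefulFilter` and `Packet` names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: the /64 the access router announces inside, taken from the documentation range.
LAN = ipaddress.IPv6Network("2001:db8:abcd:ff00::/64")

# ICMPv6 types a border filter should pass inbound even with no state (a subset of the
# RFC 4890 "must not drop" list): destination unreachable, packet too big (needed for path
# MTU discovery), time exceeded, parameter problem, echo request/reply.
ICMPV6_PASS = {1, 2, 3, 4, 128, 129}


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" = arriving from the ISP side, "out" = leaving the LAN
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1   # only meaningful when proto == "icmpv6"


class StatefulFilter:
    """Default-deny inbound: pass replies to LAN-initiated flows and explicit pinholes only."""

    def __init__(self, lan: ipaddress.IPv6Network):
        self.lan = lan
        self.flows = set()      # (lan_addr, lan_port, remote_addr, remote_port, proto) seen outbound
        self.pinholes = set()   # (lan_addr, proto, port) the administrator opened deliberately

    def allow(self, lan_addr: str, proto: str, port: int) -> None:
        """The "firewall rule" from the thread: no address mapping, just a hole to an inside host."""
        addr = ipaddress.IPv6Address(lan_addr)
        if addr not in self.lan:
            raise ValueError(f"{lan_addr} is not on the inside network {self.lan}")
        self.pinholes.add((addr, proto, port))

    def process(self, p: Packet) -> str:
        src, dst = ipaddress.IPv6Address(p.src), ipaddress.IPv6Address(p.dst)
        if p.direction == "out":
            if src not in self.lan:
                return "drop: source not ours"          # egress filtering (BCP 38)
            self.flows.add((src, p.sport, dst, p.dport, p.proto))
            return "accept: outbound"
        # Inbound from here on. Nothing is reachable unless something below says so.
        if dst not in self.lan:
            return "drop: destination not ours"
        if p.proto == "icmpv6":
            return "accept: icmpv6" if p.icmp_type in ICMPV6_PASS else "drop: icmpv6 type"
        if (dst, p.dport, src, p.sport, p.proto) in self.flows:
            return "accept: established"               # reply to a flow the LAN opened
        if (dst, p.proto, p.dport) in self.pinholes:
            return "accept: pinhole"                   # the one explicit rule
        return "drop: no state, no rule"


if __name__ == "__main__":
    fw = StatefulFilter(LAN)
    host, remote = "2001:db8:abcd:ff00:211:22ff:fe33:4455", "2001:db8:1::1"
    print(fw.process(Packet("in", remote, host, "tcp", 40000, 22)))    # dropped: no rule yet
    print(fw.process(Packet("out", host, remote, "tcp", 50000, 443)))  # LAN opens a flow
    print(fw.process(Packet("in", remote, host, "tcp", 443, 50000)))   # reply passes on state
    fw.allow(host, "tcp", 22)
    print(fw.process(Packet("in", remote, host, "tcp", 40000, 22)))    # now a pinhole
```

The model deliberately does not block ICMPv6 wholesale: dropping Packet Too Big breaks path MTU discovery on IPv6, which has no router fragmentation to fall back on, so a "block everything inbound" rule that forgets this is a common self-inflicted outage.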
That is the problem, many providers don't know what PD means in DHCPv6-PD.
Most ISP salesmen just know the basics to sell ISP plans to grandma, you will
be lucky to find one who knows who in the firm knows what ipv6 is, and if
they find it for you, they will tell you "yeah, prefix delegation in your
segment does not work."
The salesman doesn't need to know what it is. I'm pretty sure all the big
ISPs are doing PD if they do IPv6 at all, and the consumer grade routers all
seem to know how to handle it.
2019-10-07 09:49 from IGnatius T Foobar
The salesman doesn't need to know what it is. I'm pretty sure all the
big ISPs are doing PD if they do IPv6 at all, and the consumer grade
routers all seem to know how to handle it.
Maybe it is so over there.
Over here you get a lame DS-lite (if you get something) and a single prefix for a single LAN network assigned. I talked to a tech and he told me the networking gear and the routers they were giving to customers support prefix delegation but they are just not setting it up.
DS-Lite is when they connect you through an ipv6 only network and give ipv4
to you via tunnel. So you get full ipv6 and lame ipv4. In theory.
Right, so that's what NAT464 is. IPv4 is translated to IPv6 and then back
to IPv4 at the carrier's edge network. It works fine on access networks;
you just wouldn't want to try running any servers on it. I'm perfectly fine
having it on my mobile, but I'd find it annoying if my home router didn't
have a native public IPv4.
I still believe there's going to be a tipping point where IPv6 suddenly goes gangbusters and everyone begins a rush to make everything work on it natively.
But, it's hard to determine when that'll happen. It could happen next year or it could take another 10 years. The problem is that IPv4 is still "working just fine" from the perspective of most people.
Meanwhile ... some dude in Asia suddenly realized he was sitting on an unused
/8 and is giving it back to APNIC.
Geez.
Really? Hahahaha, gotta love the Internet and its management.
I have heard there are many Autonomous ZOns assigned to defunct entities and there is no good way of recovering them, or at least no ongoing effort.
Autonomous System Numbers (ASNs)? Probably quite a lot of them, I would imagine.
Now that pretty much everything supports 32-bit ASNs it isn't quite as big a deal; we won't run out of them but they still should be recovered.
The same thing should hold true for IPv4 addresses, actually. If you don't actually announce them into the global table you don't get to keep them.