Language:

en_US

switch to room list switch to menu My folders
Go to page: First ... 8 9 10 11 [12] 13 14 15 16 ... Last
[#] Fri Sep 06 2019 16:55:03 UTC from IGnatius T Foobar

[Reply] [ReplyQuoted] [Headers] [Print]

When IPv6 is available on access networks, the provider will often use DHCPv6-PD (prefix delegation) to tell the access router what subnet to use on its "inside" network. The router can then do whatever it wants with that space -- it can offer DHCPv6 on its own, it can announce its presence to allow autoconfiguration to work (assuming, as is usually the case, that the inside network is a /64), etc.

NAT66 exists but, thankfully, it doesn't seem to be widely deployed.

As for static vs dynamic, I don't know whether the /64 assigned to a subscriber using DHCPv6-PD is static or dynamic. The transport address used on the outside of the router will not be static, but with NAT out of the picture, the transport address doesn't matter anymore. So it should be a simple matter of "router joins the network, head end identifies the subscriber, and routes their static /64 to that transport address" ... but who knows whether they are actually doing that. Hopefully they will understand that a home network that is constantly renumbering itself is a bad idea.

[#] Fri Sep 06 2019 17:07:16 UTC from LoanShark

[Reply] [ReplyQuoted] [Headers] [Print]

NAT66 exists but, thankfully, it doesn't seem to be widely deployed.


egad yes. I mean the whole point of v6 is to avoid NAT

[#] Sat Sep 07 2019 03:47:27 UTC from IGnatius T Foobar

[Reply] [ReplyQuoted] [Headers] [Print]

There are still people who want NAT66, because muh security by obscurity.
I wouldn't let these people anywhere near my network.

[#] Sat Sep 07 2019 12:32:06 UTC from darknetuser

[Reply] [ReplyQuoted] [Headers] [Print]

Well, NAT66 is prety much the only way you can have ipv6 subnetworks if they don't delegate good prefixes for you... which really sucks... I mean, really...
It has occurd to me that many intercepting http proxies I am running depend on some form of friendly nat, so it is not as if all nat is bad. It is massive nat and nat as firewall what is ugly.

[#] Mon Sep 09 2019 05:16:58 UTC from ParanoidDelusions

[Reply] [ReplyQuoted] [Headers] [Print]

 

Thu Sep 05 2019 09:35:44 EDT from IGnatius T Foobar @ Uncensored
Until the mid 1990's, having Internet at all meant having a globally unique, and usually static, IPv4 address. Back then, the end-to-end nature of IP was usable. Dynamic addressing and NAT ended that, which is one reason so many consumer products are tied to a hosted service if you want to be able to reach them remotely. IPv6 will fix that, but its adoption is long overdue.

From 1996 until 2000, this BBS was attached to the Internet on a dialup connection.
I paid my ISP for a static IP address and permission to keep the connection pinned up over an unmetered local call. It was crude, but it worked, and it saved the board from extinction when everyone moved over to the Internet.
In fact, it became more popular than before because it was multiuser and some old friends returned who had moved out of the area. Eventually I was able to secure a DSL connection with a static IP address and explicit permission to run servers, which served us well until 2007 when I moved it into a hosting center.

There's nothing about DNS that makes it a baked-in part of using the Internet.
It's really just based on a consensus that everyone's going to use the same root. Sidenets can -- and should -- use their own discovery and location protocols.

Well, even when my DNS was borked - the IP address was still working fine, of course. The problem is, my ISP gives dynamic IPs - and though they don't rotate often, they do rotate - which ties me to DNS and DDNS for now. If there is a better way, I'll be the first in line. ;) 

 

 



[#] Mon Sep 09 2019 14:48:53 UTC from LoanShark

[Reply] [ReplyQuoted] [Headers] [Print]

2019-09-06 23:47 from IGnatius T Foobar
There are still people who want NAT66, because muh security by
obscurity.
I wouldn't let these people anywhere near my network.

That is correct. Stateful packet filters handle this problem in an equally secure way without requiring NAT

[#] Mon Sep 16 2019 10:23:52 UTC from fleeb

[Reply] [ReplyQuoted] [Headers] [Print]


Gah. NAT-over-IP6 just... no...

There are *so* many IP addresses in IPv6. And certain people don't seem to understand this. A certain university hired us to perform penetration testing against their network environment. They wanted both IPv4 and IPv6.
They didn't understand why we didn't offer IPv6 port scanning. They didn't understand that there isn't enough time in the world to scan *all* *those* *ip* *addresses* for open ports, even for their 'small' network.

And if we can't really do it, an attacker can't, either.

I'm intrigued, though, at what new vulnerabilities folks will find in IPv6, for all the trouble taken to secure it.

[#] Mon Sep 16 2019 14:10:55 UTC from IGnatius T Foobar

[Reply] [ReplyQuoted] [Headers] [Print]

The #1 vulnerability in IPv6 right now is quite simple: someone didn't know IPv6 was activated, and because of that, many things are wide open for access.
The very thing that makes IPv6 awesome, which is the end of using NAT, is also the thing that makes it tricky to secure, because there's no default position of something being inaccessible from the Internet because you didn't do a NAT mapping. It's always available unless you stick an ACL in front of it.

[#] Mon Sep 16 2019 14:35:10 UTC from fleeb

[Reply] [ReplyQuoted] [Headers] [Print]


Yeah, I have some awareness of that side of it, although I'd like to understand it better.

I wanted to have IPv6 at home for a while, for this very reason. But, y'know, Comcast sucks. They provide it, but clumsily.

[#] Mon Sep 23 2019 18:37:20 UTC from IGnatius T Foobar

[Reply] [ReplyQuoted] [Headers] [Print]

The key word is "DHCPv6-PD". If your ISP and your router both support this mode of operation, your client devices will have globally routable IPv6 addresses assigned to them. Now, the router will probably block incoming IPv6 connections by default, like all firewalls should, but opening something up will only involve a firewall rule, instead of also having to map a port.

[#] Mon Sep 23 2019 21:23:36 UTC from darknetuser

[Reply] [ReplyQuoted] [Headers] [Print]

That is the problem, many providers don't know what PD means in DHCPv6-PD. Most ISP salesmen just know the basics to sell ISP plans to grandma, you will be lucky to find one who knows who in the firm knows what ipv6 is, and if they find it for you, they will tell you "yeah, prefix delegation in your segment does not work."

[#] Mon Oct 07 2019 13:49:54 UTC from IGnatius T Foobar

[Reply] [ReplyQuoted] [Headers] [Print]

The salesman doesn't need to know what it is. I'm pretty sure all the big ISPs are doing PD if they do IPv6 at all, and the consumer grade routers all seem to know how to handle it.

[#] Mon Oct 07 2019 21:01:43 UTC from darknetuser

[Reply] [ReplyQuoted] [Headers] [Print]

2019-10-07 09:49 from IGnatius T Foobar
The salesman doesn't need to know what it is. I'm pretty sure all the

big ISPs are doing PD if they do IPv6 at all, and the consumer grade

routers all seem to know how to handle it.



Maybe it is so over there.

Over here you get a lame DS-lite (if you get something) and a single prefix for a single LAN network assigned. I talked to a tech and he told me the networking gear and the routers they were giving to customers support prefix delegation but they are just not setting it up.

[#] Tue Oct 08 2019 12:58:48 UTC from IGnatius T Foobar

[Reply] [ReplyQuoted] [Headers] [Print]

Isn't DS-Lite a NAT464 solution? That's what I get on my mobile when it's not connected to wifi.

[#] Wed Oct 09 2019 16:26:40 UTC from darknetuser

[Reply] [ReplyQuoted] [Headers] [Print]

DS-Lite is when they connect you through an ipv6 only network and give ipv4 to you via tunnel. So you get full ipv6 and lame ipv4. In theory.

[#] Wed Oct 09 2019 20:00:02 UTC from IGnatius T Foobar

[Reply] [ReplyQuoted] [Headers] [Print]

Right, so that's what NAT464 is. IPv4 is translated to IPv6 and then back to IPv4 at the carrier's edge network. It works fine on access networks; you just wouldn't want to try running any servers on it. I'm perfectly fine having it on my mobile, but I'd find it annoying if my home router didn't have a native public IPv4.

I still believe there's going to be a tipping point where IPv6 suddenly goes gangbusters and everyone begins a rush to make everything work on it natively.
But, it's hard to determine when that'll happen. It could happen next year or it could take another 10 years. The problem is that IPv4 is still "working just fine" from the perspective of most people.

[#] Thu Mar 26 2020 21:57:49 UTC from IGnatius T Foobar

[Reply] [ReplyQuoted] [Headers] [Print]

Meanwhile ... some dude in Asia suddenly realized he was sitting on an unused /8 and is giving it back to APNIC.

Geez.

[#] Fri Mar 27 2020 15:10:17 UTC from darknetuser

[Reply] [ReplyQuoted] [Headers] [Print]

Really? Hahahaha, gotta love the Internet and its management.

I have heard there are many Autonomous ZOns assigned to defunct entities and there is no good way of recovering them, or at least no ongoing effort.

[#] Mon Mar 30 2020 13:59:20 UTC from IGnatius T Foobar

[Reply] [ReplyQuoted] [Headers] [Print]

Autonomous System Numbers (ASNs)? Probably quite a lot of them, I would imagine.
Now that pretty much everything supports 32-bit ASNs it isn't quite as big a deal; we won't run out of them but they still should be recovered.

The same thing should hold true for IPv4 addresses, actually. If you don't actually announce them into the global table you don't get to keep them.

[#] Thu Apr 02 2020 15:15:49 UTC from Ragnar Danneskjold

[Reply] [ReplyQuoted] [Headers] [Print]

Cloudflare's 1.1.1.1 DNS is now offering parental DNS and malware protection.
A quick and dirty hack, but smart.

https://www.bleepingcomputer.com/news/security/cloudflare-launches-a-dns-based-parental-control-service/

Go to page: First ... 8 9 10 11 [12] 13 14 15 16 ... Last