Major Sites To Join ‘World IPv6 Day’
netbuzz writes "Facebook, Google, and Yahoo are among the major sites on board with what the Internet Society is dubbing 'World IPv6 Day,' a collective trial scheduled for June 8. 'It's an exciting opportunity to take IPv6 for a test flight and try it on for a full 24 hours,' says Leslie Daigle, the Internet Society's Chief Internet Technology Officer. 'Hopefully, we will see positive results from this trial so we will see more IPv6 sooner rather than later.'"
From TFA, it appears that they are supporting IPv6 in dual-stack mode. Most users without IPv6 connectivity should still be able to access their sites on June 8th.
Why have one day? Then when something goes wrong or an unexpected circumstance appears it'll be the fault of IPV6? Seriously, people, this doesn't need to be a big deal. It can be rolled out over time and let V4 quietly fade out. I hope all goes well but I'm not a big fan of this idea.
A site seems to be missing from the participants, but I just can't put my finger on it /.
I don't understand why they wouldn't just make this change permanent. If this is the protocol we're going to, make it stick. One day is just toying with us.
That's because the average slashdot user isn't savvy enough for this, whereas your average facebook user is... i mean, these people run their own FARMS, for chrissakes!
So, why not schedule it sooner rather than later? June 8th is still nearly five months away!
Isn't it about time News for Nerds got a 128bit address? You know it makes sense!
You could damn near have an IP address for every cell in your body.
I imagine most home users don't have IPv6 addresses. Ideally, everyone would slowly start to switch over to IPv6, with sites having both v4 and v6 addresses serving the same content, and users that are connected with a v6 address getting addresses from a DNS that supports v6 would connect using v6. But where I live, I don't get an IPv6 address with Fios. I imagine the big ISPs don't give residential users v6 addresses nationally and globally.
Having an "IPV6" day is not such a big deal for these sites as they have already more or less prepared themselves for IPV6 already. The challenge is getting ISPs and OEMs ready to supply IPV6 links and IPV6 equipment. I think that making a big deal of "IPV6 day" will push these companies into getting their asses into gear to offer IPV6, if consumers and businesses can keep pushing them "We need IPV6, are your links going to be ready for IPV6 day?" and "We need IPV6, are your firmware updates going to be ready for IPV6 day?" even if this is only a marketing campaign.
What is important here is that we give ISPs and OEMs a deadline because at the moment the precise date for NEEDING IPV6 is up in the air and they are reluctant to do anything until a deadline is put in place (or even to START until the customers are complaining- when it is too late)
The operator of one of the biggest German web sites, the Heise publishing house, held its own IPv6 day on the 16th of September 2010. Their domains got AAAA records in addition to the IPv4 A records and the web servers responded to IPv4 and IPv6. Long story short: The test produced much fewer problems than expected and two weeks after the test, Heise.de enabled IPv6 permanently. The story is here (in German).
... it's because IPv6 uses UTF-8 encoded addresses.
You mean the one that has no Unicode support?
So you're admitting there are not enough addresses for every cell in every person's body. Didn't anybody think about the future?
Yes, and the one that is broken in some different way on every browser.
And I'll STILL NAT everything in my house. I don't need NX10^23 script kiddies attacking every one of my appliances.
And I'll STILL NAT everything in my house. I don't need NX10^23 script kiddies attacking every one of my appliances.
NAT != Stateful Firewall, why not install a firewall and you can use these Public IPv6 addresses with security?
They also have 6RD.
All you need to do is turn it on. And if you have certain base stations, it is on by default.
http://comcast6.net/
While you're locking down your home network with the rock solid security system that is NAT, I'd like to offer you a chance to put the same level of security on your home. For a limited time only, I'm offering, direct to the consumer, the latest and greatest in home security, a little invention I like to call "curtains". Yes, now people won't be able to see into your home anymore, which obviously makes it impossible for them to rob you. Act fast though, these babies will sell out quickly.
And I'll STILL NAT everything in my house. I don't need NX10^23 script kiddies attacking every one of my appliances.
I won't, since I don't think anyone is going to port scan me.
Here's an IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334; the last 64 bits, 0000:8a2e:0370:7334, are the local part. How much bandwidth is your script kiddie going to have to have to find 0000:8a2e:0370:7334 in the range 0-ffffffffffffffff?
Also, a firewall is simpler than a NAT, and doesn't have the disadvantages of NAT, so you can just do that instead.
Because not everything behind a router needs a public address?
Because not everything behind a router needs a public address?
Um, why? Here's a resource that is inherently by design non-scarce, but you prefer to act as if it were? The "hair shirt" brigade might approve but the rest of us kinda laugh.
Can any of you give me a brand of WiFi N router that can do ipv6? I guess there aren't that many. Why aren't manufacturers FORCED by law to do it? That would be simple: pass the law, declare all new ipv4-only equipment illegal, end of story. Then, next step, do the same with all ISPs. Within 1 year, this could be done. The only issue is that lawmakers don't understand technology...
... down the road ... they better hurry up, not long until the first RIRs might run out of v4 addresses ...
I guess it's time that porn and p2p sites switched over to v6 only, that should put some pressure on hardware manufacturers and ISPs to finally deliver v6 ...
They are working on IP V Mitosis.
Here's a hint: "No NAT" doesn't mean "no firewall".
Not only that, but you could give about 7 IPs to every atom in the body of every human alive on Earth! Taking the number of stars in the observable Universe, each star could get about a quadrillion IP addresses. So yeah, there's plenty of IPs for your toaster :)
Whether it has a public or private address has nothing to do with scarcity of IPs but with need and suitability, and there are a lot of IP devices that do not need a public address; my printer for starters: I don't need to manage it from the outside, and I don't need to print to it from outside. Plain old private IPv4 seems to work fine and dandy.
Two days earlier and it would have been June 6, or 6/6. Rolling out IPv6 on 6/6 would have been biblically ordained to take over the heavens and the earth. Now it's just... another day, another test.
Why not?? In the *real world* everything has a public address. I know people don't "get it" when it comes to networking, but this is just FUD and is getting ridiculous.
NAT is like having a chaperone, where all communication happens through a 3rd party. It increases network traffic, it makes peer-to-peer internet impossible. And it is not security. You only need to trick an inside device into connecting to an outside device, and there goes NAT as security! And that is quite easy.
Firewall is like having a security guard monitoring traffic. A firewall is actually designed to handle security, not illusion of security. This can actually catch and prevent unsanctioned communication. And if you want to use Skype, you can actually allow inbound connections.
Skype went down because of NAT. If the internet was IPv6, there would be no need for "supernodes". People could actually communicate, peer-to-peer instead of through their chaperones.
Finally, when I was young and stupid, I believed that NAT was a cool thing. When I asked a network admin at a local university why they don't do more NAT and all departments get a /24 or larger, the answer was quite simple. Security. I didn't understand that answer for a few years, but now years later, it is as plain as night and day. NAT creates more problems than it's worth. And if someone brought in some shitty SPAM relay (virus), it becomes a challenge just trying to identify where the rogue program is communicating from.
Traceability and accountability and transparency and security is what public internet brings. NAT gives you an illusion of anonymity and security.
I thought that muscles swell while fat cells increase in numbers.
Here's an IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334; the last 64 bits, 0000:8a2e:0370:7334, are the local part. How much bandwidth is your script kiddie going to have to have to find 0000:8a2e:0370:7334 in the range 0-ffffffffffffffff?
That's like taking all the money from your bank account and throwing it on the ground across the globe. People looking for money aren't possibly going to be able to search across 200 million square miles to find all your money, so it's perfectly safe, right?
OK. 5000 £1 coins, spread randomly over a suitable area. But what is a suitable area?
£1 coins have area 4*pi*11.25*11.25 mm^2. Multiply by 0xFFFF,FFFF,FFFF,FFFF to get about 10^16 m^2.
Ringworld will do nicely.
Because not everything behind a router needs a public address?
Um, why?
'cause I don't want my NAS box to have one.
There's no legit reason for any machine outside my house to access it. Ever.
It's part of that layered approach to securing thing.
Yes, there is a firewall
Yes, there is a password
And, yes, the device's address is not publicly routable.
Paranoid? maybe, but so what.
It's my stuff, and I don't want you to be able to look at it. End of story.
A site seems to be missing from the participants, but I just can't put my finger on it /.
What? /. is not owned by facebook?
Life is generally easier if you have a unified addressing scheme on your network.
Having a public IP address does not mean that you have to allow public access to that IP address. A simple ACL on your router is sufficient to restrict that.
...or you can just use site (or even link) local addresses.
Whether it has a public or private address has nothing to do with scarcity of IPs but with need and suitability, and there are a lot of IP devices that do not need a public address; my printer for starters: I don't need to manage it from the outside, and I don't need to print to it from outside. Plain old private IPv4 seems to work fine and dandy.
But using a separate address space makes your work WAY more complicated and less reliable.
All public scenario: Your stateful firewall prevents incoming traffic to your printer, just like it prevents incoming connections to anything else that you haven't specifically allowed. One address range everything reaches everything. Everything on one happy layer 2 LAN. Simple dynamic (re-)addressing.
Public plus private scenario: You still need a configured stateful firewall for all your other devices but now you have the joy of adding a statically configured LAN. How do the two networks reach each other? Route thru your slow firewall? Or multiple static and dynamic addresses on every device in your LAN? The time you spend complicating the heck out of your LAN, is time you're not spending securing it at the network and device layers.
So, sure, if you really want, you can spend a lot more time, money and effort to get a LAN that is much harder to design, configure, troubleshoot and monitor, all while being less secure, but you would be "saving" one of the 3 x 10 ^ 38 addresses, except you actually aren't because they assigned you a /64 for your LAN so its not like anyone else could use that address anyway.
IPv6 doesn't outright prevent you from shooting yourself in the foot, but its still kinda usable.
Plus if your LAN is a corporate LAN you've now gained the nightmare of merging multiple LANs using the same private addresses. Even if FC00::/8 is mostly empty, you know most clowns are going to use network=0 / host=1 for their firewall and watch the chaos when they interconnect.
There seems to be no advantage to private ipv6 space...
Good point! The numbers are astronomically large with IPV6. Does this "security through obscurity" improve your risk profile? I discussed the challenges of testing networks this large: www.redspin.com/blog/
I'm sorry, I'm confused, you are complaining about security through obscurity, and that is your argument in *favor* of nat? /boggled
Here's an IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334; the last 64 bits, 0000:8a2e:0370:7334, are the local part. How much bandwidth is your script kiddie going to have to have to find 0000:8a2e:0370:7334 in the range 0-ffffffffffffffff?
That's like taking all the money from your bank account and throwing it on the ground across the globe. People looking for money aren't possibly going to be able to search across 200 million square miles to find all your money, so it's perfectly safe, right?
Hmm, let's run the math here. If you insist on not installing a stateful firewall (why? It's already a part of your old ipv4 nat box) then they have to find a random-ish 32 digit hexadecimal number, in order to find an address to break into, then break in, which is hopefully non-trivial, and then hopefully steal your random-ish 16 digit decimal credit card number. However, if the bad guy has the resources to randomly find a needle in a haystack inside a 32 digit number, why waste the time? Why not randomly farm the 16 digit number directly and skip all that "breaking into" junk and searching about and installing keyloggers?
misconfigured NAT: NO traffic gets through
misconfigured ACLs: ALL traffic gets through
which is a better solution for grandma?
Since when is yahoo a "big site"?
According to Alexa, Yahoo is 4th behind Google, Facebook, and YouTube.
Paranoid? maybe, but so what.
I wouldn't say paranoid so much as wasted effort compared to other things having a much higher rate of return. You can configure a LAN using private space at huge time and effort both in set up and long term maintenance. Grats, you did it. However that time would far better be spent on securing your internal clients which do have access to the NAS, patching your NAS, patching your firewall, etc.
That particular layer is very expensive yet likely to be spectacularly ineffective. If everything worse has already been done, then it makes sense to waste time and money on that plan.
It would be like hurricane proofing my server, despite the nearest coast being over 1000 miles away...
Then don't give it a global ipv6 address, only give it a link- or site-local addresses.
If I had a hundred thousand acres of land where I kept my 10 cattle, I'd prefer to have just one gate into the property instead of one every mile or so. It'd be harder for people to steal my cows that way, and I could more easily maintain the gate.
Being overweight does not increase the number of cells in your body: the existing fat cells just swell.
Citation please.
I don't have a citation handy, but the general definition of obese is when your fat cells start increasing in number after they have expanded, hence why people that are obese rarely get back down to their lower weight, and when they do it tends to be very hard for them to maintain that weight, as it requires the fat cells to be smaller than before becoming obese. This is an over simplification of course, but you get the idea. Fat cells mostly just grow and shrink, but at some point, they start to divide, and at that point weight loss becomes harder.
There's really no excuse these days for a device not to be secure out of the box - i.e. you should be able to plug it straight into an unfirewalled network without problems. Security issues have been known about for years - even Microsoft's got on the ball now. I had a Vista box with a public IP and no separate firewall for months, and there were no problems.
Do you SEE a like button around here?!
Actually, Slashdot's moderation system on Facebook could be pretty interesting.
I call it 'The Aristocrats'
If you don't want any host outside your house to communicate with your NAS box, then giving at a private address behind a NAT is the wrong thing to do. Every private address behind a NAT gateway is routable to exterior domains. If you assign a globally routable address to your NAS box, even a private one from RFC 1918, then you need a firewall to prevent it from communicating with hosts in exterior domains. (No, your cheap commodity NAT gateway is not a firewall.)
With IPv6, you can assign your NAS box a non-routable address because you don't need a NAT gateway as your home router.
What makes you think the firewall for grandmother won't come pre-configured with exactly the same unidirectional, stateful firewall provided by NAT boxes? Why do you think she'd have to setup ACLs?
Also, how badly do you have to muck up your ACL to get the "all traffic gets through" configuration? Is "deny by default" the status quo for any firewall?
On top of that, we have an excellent way to keep your teen-age daughter from running up the home phone bill with 900 services: an unlisted number! She won't be able to make trouble if she can only make outgoing calls.
The effect is permanent, too - people who are obese as children still have the inflated fat cell numbers when adults. Maybe intensive liposuction would help.
Um, why?
Because not every device needs a public IP address on a private network and public devices on the internet are not entitled to see any of my IP addresses from my devices, no matter how firewalled they are.
In addition, I don't want to have to piggy-back on to an ISP for an available public IP address when I can easily serve that with an internal network device I know will at least work most of the time. No one is thinking through the practical considerations and the network issues we have today.
But do you offer them in the same color as the upholstery?
Solid point, for most people addresses on the network shouldn't be publicly accessible unless you choose to make them so. And if you're having to manually add access to new devices, what's the difference between a publicly routable, but blocked, address and one that isn't a public address.
Security though obscurity is no security at all.
For every website or service you encounter on the internet you have to provide an address to which replies can be sent.
Who needs to port scan ?
Port scanning is not even as difficult as was first believed : http://www.youtube.com/watch?v=c7hq2q4jQYw
Address randomisation does not even begin to solve the problem, in fact it makes it worse. How can my firewall be expected to know the difference between an address generated by my network printer that should not be seen from outside my network and one from a pc that should ?
So now even my network printer (toaster, fridge, whatever) needs a built in firewall with guaranteed bug fixes.
When was the last time you saw a printer or other device manufacturer fixing such security flaws in a timely manner ?
And this is progress ????
Auto configuration is a nightmare. I want to be alerted to the addition of any kit to my network and be given the choice to allow or disallow access to my resources before whatever it is starts to use the limited data allocation that is my internet connection, starts to print a copy of wikipedia or otherwise use resources that cost me time or money.
Before anyone chimes in with "Security Enhanced Neighbour Discovery" - find me a howto that shows the proper configuration of "SEND" that creates a secure network of Windows and Linux machines..... Go on... I'm not holding my breath......
While you're locking down your home network with the rock solid security system that is NAT, I'd like to offer you a chance to put the same level of security on your home.
Unfortunately your little joke falls over because NAT is only one part of this thing called a firewall - i.e. houses have these things called doors and windows that can be locked. However, shock, horror, even though people are quite comfortable with their locks they still don't want anyone being able to look inside. That's why most people have curtains, or blinds, and they don't leave their house unlocked because they have them. Funny that.
Here's an IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334; the last 64 bits, 0000:8a2e:0370:7334, are the local part. How much bandwidth is your script kiddie going to have to have to find 0000:8a2e:0370:7334 in the range 0-ffffffffffffffff?
In theory, yes. In practice IPv6 addresses aren't quite that randomly distributed and often follow common patterns (DHCP handing out addresses sequentially, etc.). There was a talk about the issue at 27C3. Conclusion basically that you can find 90-95% of the servers with just a bit brute force search. This might of course change in the future when IPv6 gets more used in practice and security issues will be handled more seriously.
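The point made above about patterned interface identifiers is the one a scanner actually exploits: inside a /64 only a randomly chosen identifier (the RFC 4941 temporary-address style) forces a search of the full 2^64 space; hand-numbered hosts (::1, ::53), embedded IPv4 addresses and EUI-64 identifiers derived from a MAC collapse to 2^16, 2^32 or 2^24-per-vendor candidates. The classifier below is an added example written for this page, not code from any commenter or from the 27C3 talk; the sample addresses are constructed in the 2001:db8::/32 documentation prefix, and the pattern classes and their search-space sizes are the assumptions stated in the comments.

```python
import ipaddress

# Constructed sample addresses in the documentation prefix 2001:db8::/32 (RFC 3849).
# None of these are real hosts; they only illustrate interface-identifier patterns.
SAMPLE_ADDRESSES = {
    "2001:db8:1::1": "low",                          # router/server numbered by hand
    "2001:db8:1::53": "low",
    "2001:db8:1::c0a8:101": "ipv4-embedded",         # 192.168.1.1 copied into the low 32 bits
    "2001:db8:1:0:21b:21ff:fe3c:4d5e": "eui64",      # derived from MAC 00:1b:21:3c:4d:5e
    "2001:db8:1:0:94ab:7c00:8cba:beb5": "random",    # RFC 4941 temporary-style identifier
}

IID_MASK = (1 << 64) - 1


def interface_id(addr: str) -> int:
    """Low 64 bits of an IPv6 address: the interface identifier inside a /64."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def mac_to_eui64_iid(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 App. A): flip the U/L bit, insert ff:fe in the middle.
    Shows why a MAC-derived identifier is predictable once the vendor OUI is known."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")


def classify_iid(addr: str) -> str:
    """Guess how the interface identifier was chosen. 'random' is the only class
    that really forces a scanner to search the whole 2**64 space."""
    iid = interface_id(addr)
    if (iid >> 24) & 0xFFFF == 0xFFFE:      # ff:fe marker of an EUI-64 identifier
        return "eui64"
    if iid < 0x10000:                       # ::1, ::53, ::abcd ...
        return "low"
    if iid >> 32 == 0:                      # high word zero, low word is a dotted quad
        return "ipv4-embedded"
    return "random"


def search_space(pattern: str, known_ouis: int = 1) -> int:
    """Identifiers a scanner must try to cover one class inside a single /64 (assumed sizes)."""
    return {
        "low": 1 << 16,
        "ipv4-embedded": 1 << 32,           # in practice far fewer: the site's own v4 ranges
        "eui64": known_ouis * (1 << 24),    # 24 bits of NIC serial per vendor OUI
        "random": 1 << 64,
    }[pattern]


def survey(addresses) -> dict:
    """Count pattern classes in a list of addresses (e.g. harvested from DNS or logs)."""
    counts: dict = {}
    for a in addresses:
        cls = classify_iid(a)
        counts[cls] = counts.get(cls, 0) + 1
    return counts


if __name__ == "__main__":
    for a in SAMPLE_ADDRESSES:
        cls = classify_iid(a)
        print(f"{a:36} {cls:14} search space 2**{search_space(cls).bit_length() - 1}")
    print(survey(SAMPLE_ADDRESSES))
```

Run against a real address list (a zone transfer, web logs, a traceroute), the survey tells you what share of hosts fall in the small classes; that share is the practical answer to the "how much bandwidth" question, and it is why enabling privacy extensions on clients, and not hand-numbering servers ::1, ::2, ::3, matters more than the size of the /64.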
How many people have a house with curtains and blinds but no doors or windows? That's what your NAT gets you.
While it's certainly *possible* to brute-force 64 bits of network address space, I'd imagine such people have better things to do with 18 trillion packets than go looking for grandma.
At my workplace we've been doing some limited trials of providing IPv6 connectivity to internal systems (we don't have much in the way of outward facing stuff).
IMHO, and I would love to be corrected on this, but as far as I can see, there are some big problems to overcome with corporate deployments (not so much with home connections). Note that I am in no way advocating sticking with IPv4, this is just from my experiences so far:
It starts with the fact that your internal IP addresses will be determined by what your ISP gives you. What if you change ISPs? This means renumbering everything. Changing ISPs didn't used to mean that. What's the solution - use address autoconfiguration everywhere? That's not going to scale up very well. Think about DNS. Dynamic DNS updates? Over potentially thousands of hosts? And keeping all that secure? Sounds like a disaster waiting to happen.
OK, so if you're running a network that big, you probably want to get some provider-independent address space, then you keep the same address scheme and advertise your addresses out to your ISP. That way your addresses always stay the same no matter which ISP you use and you also have the option to multi-home. All well and good, but acquiring PI addresses still requires you to become a member of your local RIR; it's quite a paperwork-intensive process. With IPv4 this is acceptable as it's mostly only large enterprises and ISPs that need PI space and the number of RIR members remains low. With IPv6, medium and small companies will also have an urgent requirement for PI space. The process needs to be simplified, packaged up, and probably most importantly, delegated; will the RIRs be able to cope as it stands? We will end up with huge waiting lists to get address space. The process needs to be more like registering a domain than getting PI IPv4 space.
Now, of course, once so many more organisations are using PI addresses, what does this mean for the size of the global routing table? This is more of a problem for the ISPs and router vendors than the end users, but a problem nonetheless.
Can anyone more experienced in IPv6 than me refute these points?
Fat cells are just in private subnets.
Perhaps you might want to try installing a stripped-down linux distribution on a geode or arm based router.
Then you can customize it any way you want, and as a bonus you will probably be immune to those router attacks out there.
If you want the "simple box" experience, install webmin. You can do all the routine sys admin tasks with it and you don't have to go near a command line.
Security though obscurity is no security at all.
Then post your password here and/or SSH private key here. "Security through obscurity" is not remotely close to what you think it means.
How can my firewall be expected to know the difference between an address generated by my network printer that should not be seen from outside my network and one from a pc that should ?
Set your firewall policy to "default deny" and whitelist connections you specifically want to allow. This has been the correct way of building firewalls since the idea was first invented.
So now even my network printer (toaster, fridge, whatever) needs a built in firewall with guaranteed bug fixes.
Why? You don't have a firewall on your router? Again, "default deny": don't open up a rule that allows random Internet hosts to connect to your toaster.
I want to be alerted to the addition of any kit to my network and be given the choice to allow or disallow access to my resources before whatever it is starts to use the limited data allocation that is my internet connection, starts to print a copy of wikipedia or otherwise use resources that cost me time or money.
Use whatever mechanism you're using right now, today, that alerts you when a new device connects to your network.
One of the main advantages of IPv6 is we will be able to abolish NAT (for security, transparency, and reliability), yet you propose we adopt IPv6 and issue all Internet users with an... address translation device? Why not advocate keeping IPv4 then?
Then post your password here and/or SSH private key here. "Security through obscurity" is not remotely close to what you think it means.
Those are secrets that have no existence outside of my network. Unlike IP addresses. I believe you are mistaken in equating them.
Set your firewall policy to "default deny" and whitelist connections you specifically want to allow. This has been the correct way of building firewalls since the idea was first invented.
Why? You don't have a firewall on your router? Again, "default deny": don't open up a rule that allows random Internet hosts to connect to your toaster.
And what, pray tell, should I do for my PC? Set a static ipv6 address to be entered into the whitelist?
Pull the other one it's got bells on.
Mod this up!
I have ipv6 at home and I have a /64 subnet. That's 18,446,744,073,709,551,616 addresses. If you assume an adult human has about 50 trillion cells. You can assign one of those IP addresses to every cell of everyone in the US and still have leftovers.
No, not everything needs a public address. But everything could with no risk of scarcity.
Those are secrets that have no existence outside of my network. Unlike IP addresses. I believe you are mistaken in equating them.
But why do you care if they're known outside your network? You have a stateful firewall that protects them from the world. Here's my printer's IPv6 address: 2001:453:da65:1:94ab:7c00:8cba:beb5. Go ahead, have fun trying to connect to it.
And what, pray tell, should I do for my PC? Set a static ipv6 address to be entered into the whitelist?
Yes, of course. Why wouldn't you?
But why do you care if they're known outside your network? You have a stateful firewall that protects them from the world. Here's my printer's IPv6 address: 2001:453:da65:1:94ab:7c00:8cba:beb5. Go ahead, have fun trying to connect to it.
You have far more confidence in your firewall than I have. One slip in the coding, one unchecked buffer is all that it takes for it to be breached.
Yes, of course. Why wouldn't you?
Privacy.
http://playground.sun.com/ipv6/specs/ipv6-address-privacy.html
http://www.faqs.org/rfc/rfc3041.txt
That's like taking all the money from your bank account and throwing it on the ground across the globe. People looking for money aren't possibly going to be able to search across 200 million square miles to find all your money, so it's perfectly safe, right?
Your collateralised debt obligation investment scheme intrigues me and I would like to contribute to your hedge fund.
Here's a better one still:
NAT = firewall = no connectivity... :)
If your firewall is set up right (which takes almost no effort), then you're just as protected as if you set it up correctly with NAT. Just set a default rule that blocks anything incoming, and then allow specific IPs/ports - just like with NAT, but minus all the IP mangling.
While this is true, you must also consider that more skin cells are required to contain the increased volume of the fatty tissues.
It may be correct that your printer does not need a public IP address. However the same argument has been used for lots of devices that do need to communicate with the outside world. And there certainly aren't enough IPv4 addresses for the devices that do need a public address for proper operation.
Let's get back to that printer. Let's assume you will never want to print to it from computers outside of the same local network, then you can indeed assign it a link local or unique local address. This however is not an argument in the favor of NAT. That printer then should never communicate with the outside world, and those devices that do need to communicate with the outside world have their own address for communicating with the outside world.
The use of address reserved by RFC 1918 has not been without problems. There may be a lot, but there have still been conflicts. The problem is there isn't exactly one scope within which you want them to be unique. You may have a router in your home that assigns a range of RFC 1918 addresses to a local segment. Your ISP might also be using some RFC 1918 addresses for equipment that you need to communicate with as a customer, but doesn't need to be accessed by anybody outside of that ISP's network. You might also be using a VPN connection from a machine on your local network to some remote site, which makes use of RFC 1918 addresses.
These addresses are all assigned by different people and none of them know at the time they assign the addresses, which other RFC 1918 addresses you will need to communicate with. This leads to conflicts.
With IPv6 there is a replacement for RFC 1918, it is RFC 4193. With RFC 4193 there is first of all a randomly selected 40 bit site ID which reduces the risk of collisions significantly. And each such site will have a 16 bit subnet ID that you can manage locally. With that you get as many subnets as if you had split 10/8 into /24 subnets, and you still avoid all the collisions that would have happened if multiple entities decided to assign the same subnet of 10/8 to things that you needed to communicate with.
So, even for the case of devices that don't need a globally routable address, IPv6 is still better than IPv4.
Do you care about the security of your wireless mouse?
And you'll still be a complete idiot for doing so since the firewall rules that are currently keeping those attacks away work exactly the same way without NAT on IPv4 or 6.
That isn't true. Usually if the attacker can get packets with your private destination IP addresses to the outside of your router and you have no ACLs saying to drop that, it will get forwarded in regardless of what the NAT says.
The solution for grandma will be the same as it has always been: buy some product that filters correctly and never even hear the words "NAT" or "ACL".
D-Link has a Wireless N 300 router, the DIR-615, listed on their site for $65 (so you could probably find it a little cheaper than that at other resellers), which claims to be IPv6 ready. As someone else mentioned, the Apple AirPort routers also support IPv6.
It is a bit disappointing that there are only a few models with built-in IPv6 support, but at least they're starting to make them. As more ISPs roll out IPv6, the OEMs will start putting out more devices that support it. I think the problem right now is that there's virtually no demand for IPv6 support from customers, because no ISPs are offering IPv6 connectivity (that too will be changing, probably soon; I think Comcast and a small number of other ISPs are starting to look into IPv6).
I have ipv4 at home and a /16 subnet. I'm not going to run out of addresses any time soon.
I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
I dunno about everyone else, but last time I tried turning on ipv6 I discovered that Comcast didn't route it and a bunch of the internet turned into a black hole.
jim frost
jimf@frostbytes.com
You are forgetting the whole point of NAT: To make non-routable addresses routable to the internet.
This simple fact is why the "NAT is a security device" argument "Because my network addresses are not routable" does not hold.
And MAC address filtering is not a NAT function, but a firewall function.
Isn't that what "+1 Insightful" is for?
Paul "TBBle" Hampson
Paul.Hampson@Pobox.Com
It seems like a lot of people can't think of a use case for hosts behind firewalls to want to talk to each other.
I want to stream music from my local media server while doing system administration on any of three remote private networks.
My work uses a private network of 10/8, my university uses 172.16/12 and my secret club uses 192.168/16. Which private network should I use at home? It doesn't matter because whatever I pick, I cannot establish a tunnel from home to whichever location uses the same private network without running into a routing conflict. There is no way to tell whether an address is local or remote once I establish that connection. Regardless of the tunneling tricks used, my computer will have no way of knowing which side of the tunnel a host is on if both the source and destination network are the same private network. It could try both, but what if the same IP exists on both sides?
Most VPN software solves this by not allowing the client to access local network resources when attached to the VPN, but that's just dodging the real issue. The way IPv4 works, hosts need to have globally unique addresses to talk to each other easily, and it's not unreasonable to expect hosts on different protected networks to want to talk to each other.
You can have the advantages of NAT without the disadvantages. Get IPv6 and firewalling correctly configured.
Mind elaborating? Is there anything special in IPv6 that makes a router any less hard to "trick"? Also, some NAT devices are not that easy to "trick" and have security certifications (Common Criteria).
On the other hand, in a NAT-less world, if you run a large organization, what good does it do for an external web site or your ISP to know what each machine inside your network actually visits? Say you are a bank, or a .gob organization... now, instead of having all web access coming from one or two or three proxy/NAT addresses, you have a one-to-one connection from each PC in your network... is it that difficult to "trick" someone you want to do something special now, and address a specific internal address of your organization from the internet?
I'm not against IPv6 itself, but the rage against NAT seems unjustified. If there's no need for it, it will go away on its own. Now, there are people that might need NAT, as they don't want external addresses to "know" what each internal address of an organization browses or anything. For those, it seems IPv6 is lacking some functionality for no good reason.
> I won't, since I don't think anyone is going to port scan me.
> Here's an IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334, the bold bit is the local part. How much bandwidth is your script kiddie going to have to have to find 0000:8a2e:0370:7334 in the range 0-ffffffffffffffff?
Simple, social engineering: just make some of those IP addresses "browse" a specific address you control, and you'll know specifically what each address is and fingerprint it. Loads of fun if you are, or catch, an ISP machine and want to "see" the little things some of your customers "browse"!!
Another hint: no NAT means you know what each address browses... loads of fun if you can pinpoint specific addresses within an organization! Now, what's all that bad rap about a unique internet ID in the US?
"Less than 5% of IPv4 addresses are left unallocated to the regional Internet registries, which in turn dole them out to network operators. Experts say the free pool of IPv4 addresses will be depleted in a matter of weeks."
Weeks? For how many YEARS have we been hearing this? Oh yeah, I am sure they REALLY mean it this time, too.. just like the last dozen times...
Ignore his first point, focus on the second. Everywhere you put a NAT for security today, have a default firewall set. Home routers deny any unsolicited traffic by default. There you go, all the security of NAT with *zero* of the PITA.
XML is like violence. If it doesn't solve the problem, use more.
Except that fc00::/8 is *not* supposed to be used at all right now, and if it ever is, then all users *must* use a central registrar to assure uniqueness.
*Now* fd00::/8 could be an issue. Ostensibly, following the rules, a program is supposed to spew out your prefix instead of it being chosen manually. So a lot of private-network-type devices that formerly just defaulted to 192.168.0.0 would instead default to some /48 out of fd chosen pseudo-randomly, but the call for such a default network is greatly reduced with fe80:: link-local addressing. That leaves most private networks being a conscious choice, and drawing fd instead of running a utility I could see becoming a best practice in spite of the 'requirements' that people not do that, given the inherent honor system of that whole thing.
XML is like violence. If it doesn't solve the problem, use more.
err.. I meant selecting fd<favorite hexspeak here> instead of running a utility.
XML is like violence. If it doesn't solve the problem, use more.
Your 'gate' is your router/firewall. People can't magically get around the same exact piece of equipment that NATs today simply because they are independently addressable. Those devices need to just have a 'no unsolicited incoming traffic' firewall by default.
XML is like violence. If it doesn't solve the problem, use more.
Yes, they are thinking it through. There have been blind eyes to various things as some people wanted to bathe in the theory of how they thought it *should* work, but most concerns you have are considered and have reasonable answers.
At least you hit on the one facet of security that NAT does at least help with, more accurately measuring how many hosts are beyond a particular gateway. I do wonder what the practical risk is there, however. If you are doing non-privacy stateless addressing, ok it divulges your hardware address, but I'd advocate for either the privacy autoaddressing or DHCP range which has nothing to do with your system and moves that entirely onto site-persistent selection instead of device-persistent selection.
If you have an internal-only service on a system that you don't want routable at all to the internet, just do either the fe80:: address (which admittedly could be awkward with the required zone index suffix) or generate a ULA out of fd00::/8. Either way you slice it, you have a non-routable IPv6 host. If you are concerned that your hosts need aliased addressing and that's "weird", well, all IPv6 hosts will at least have two 'aliases', one in the fe80:: world and one global, and aliasing is more 'mainstream' in IPv6 thinking.
Finally, IPv6 to IPv6 NAT should exist, so you could have exactly your analogous config, with an fd<whatever> address on the inside and dynamic mapping to external address space, but *please* don't make that so ubiquitous so that your hangups on how IPv6 needs to act exactly like IPv4 get in the way of me getting my /56 at my house one day.
XML is like violence. If it doesn't solve the problem, use more.
Ok, that VLAN comment was odd. VLAN is a construct where an ethernet switch can manage a broadcast domain in a manner distinct from the specific physical layout. One switch can present three broadcast domains, and different VLANs can be aggregated over various things to achieve complicated things. VLAN has nothing to do with a router, unless you are doing some sort of layer 2 tunneling, which I still cannot logically tie to what the grandparent post said in any way.
NAT doesn't make anything easier except hiding how many systems are behind a gateway. NAT is just a pain in the ass that is accepted, and a one-rule firewall is just as capable and requires no special treatment regardless of where the device goes. For example, if your Linksys box chooses 192.168 by default, but you are plugging it into a network that also uses 192.168, you must reconfigure. A Linksys getting a delegated v6 prefix never has to bother the administrator for a different firewall rule because it somehow magically conflicts with the context it is applying to.
All the practical security concerns seem moot with the reality that 'reject unsolicited incoming traffic' is sufficient to get the commonly perceived 'security' benefit of NAT. At the same time as I agree that people have overblown the inherent security of NAT over 'plain ol' firewalling, I do kinda wish that a blessed NAT66 RFC would exist so that people would just shut the hell up about it, but at the same time am afraid any hope of getting my /56 to use the *right* way will evaporate when that happens.
XML is like violence. If it doesn't solve the problem, use more.
I agree with you, but will also point out for the NAT fanatics that IPv6 makes the case you described better. With fd00::/8 ULA, your work, university, and secret club will have /48s that have a near zero chance of colliding with each other or the random ULA prefix you get at home.
XML is like violence. If it doesn't solve the problem, use more.
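The random ULA prefixes mentioned here, in the earlier post explaining RFC 4193's 40-bit site ID, and in the post about the 10/8, 172.16/12 and 192.168/16 VPN conflict can be shown concretely. The Python below is an added example, not code from any poster in this thread: it implements the RFC 4193 section 3.2.2 global ID algorithm (SHA-1 over an NTP timestamp and an EUI-64, keeping the low 40 bits), derives a /48 for each of four hypothetical sites, and checks for overlapping address space with Python's ipaddress module, next to the RFC 1918 case where a home network's 192.168.1.0/24 sits inside the club's 192.168/16. The MAC addresses and timestamps are constructed sample values.

```python
import hashlib
import ipaddress
import math
import struct
from itertools import combinations

NTP_EPOCH_OFFSET = 2_208_988_800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp (32-bit seconds, 32-bit fraction), RFC 4193 step 1."""
    seconds = int(unix_time) + NTP_EPOCH_OFFSET
    fraction = int((unix_time - int(unix_time)) * (1 << 32))
    return struct.pack(">II", seconds & 0xFFFFFFFF, fraction & 0xFFFFFFFF)


def eui64_from_mac(mac: str) -> bytes:
    """EUI-64 built from a 48-bit MAC by inserting ff:fe in the middle, RFC 4193 step 2."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return octets[:3] + b"\xff\xfe" + octets[3:]


def ula_global_id(mac: str, unix_time: float) -> int:
    """RFC 4193 steps 3-5: SHA-1 over (NTP time || EUI-64), keep the least significant 40 bits."""
    digest = hashlib.sha1(ntp_timestamp(unix_time) + eui64_from_mac(mac)).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_site_prefix(mac: str, unix_time: float) -> ipaddress.IPv6Network:
    """fd00::/8 (fc00::/7 with the L bit set) followed by the 40-bit global ID is the site's /48."""
    prefix_int = (0xFD << 120) | (ula_global_id(mac, unix_time) << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def ula_subnet(site: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """One of the 65536 locally managed /64 subnets inside a ULA /48."""
    if not 0 <= subnet_id < 1 << 16:
        raise ValueError("subnet ID is 16 bits")
    return ipaddress.IPv6Network((int(site.network_address) | (subnet_id << 64), 64))


def overlapping_pairs(networks: dict) -> list:
    """Names of every pair of networks that share address space (sorted, so the result is stable)."""
    return sorted((a, b) for a, b in combinations(sorted(networks), 2)
                  if networks[a].overlaps(networks[b]))


def collision_probability(site_count: int) -> float:
    """Birthday bound: chance that any two of site_count random 40-bit global IDs coincide."""
    pairs = site_count * (site_count - 1) / 2
    return 1.0 - math.exp(-pairs / float(1 << 40))


# Constructed sample: the RFC 1918 situation from the thread. Home picked 192.168.1.0/24,
# which sits inside the club's 192.168/16, so a VPN to the club has a routing conflict.
RFC1918_SITES = {
    "work": ipaddress.IPv4Network("10.0.0.0/8"),
    "university": ipaddress.IPv4Network("172.16.0.0/12"),
    "club": ipaddress.IPv4Network("192.168.0.0/16"),
    "home": ipaddress.IPv4Network("192.168.1.0/24"),
}

# Constructed sample inputs: each site derives its prefix from its own router's MAC and
# the time it ran the algorithm. The MACs and times are made up for this example.
SAMPLE_INPUTS = {
    "work": ("00:11:22:33:44:55", 1_297_000_000.0),
    "university": ("00:11:22:33:44:56", 1_297_000_001.5),
    "club": ("52:54:00:ab:cd:ef", 1_297_100_000.25),
    "home": ("00:11:22:33:44:55", 1_297_200_000.0),  # same MAC as work, different time
}


def ula_example_sites() -> dict:
    return {name: ula_site_prefix(mac, when) for name, (mac, when) in SAMPLE_INPUTS.items()}


if __name__ == "__main__":
    print("RFC 1918 overlaps:", overlapping_pairs(RFC1918_SITES))
    sites = ula_example_sites()
    for name, prefix in sites.items():
        print(f"{name:10s} {prefix}  first subnet {ula_subnet(prefix, 1)}")
    print("ULA overlaps:", overlapping_pairs(sites))
    print(f"P(collision among 4 sites) ~ {collision_probability(4):.2e}")
```

The RFC 1918 check reports the club/home overlap; the four ULA /48s come out disjoint, and collision_probability shows why picking a prefix by hand (the fd<favorite hexspeak> shortcut discussed above) throws that guarantee away: the near-zero figure only holds when every site actually draws its 40 bits at random.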
And what, pray tell, should I do for my PC? Set a static IPv6 address to be entered into the whitelist?
How is that different from your NAT today? If you want to accept incoming connections, you must tell your NAT box a port to DNAT map from your external thing to something internal, defined by, surprise surprise, a static entry.
If you are talking about *outgoing* traffic, I'd say the default is to allow outgoing if you just want to mimic NAT 'security' out of the box.
XML is like violence. If it doesn't solve the problem, use more.
Ok, but what if you wanted to hypothetically print a form you had open on your cell phone *right now* wherever you are for later review? Might be nice to actually be able to reach your printer then, so long as it is properly secured.
XML is like violence. If it doesn't solve the problem, use more.
My counterpoint would be that websites can and already do track individual machine accesses via session cookies, and can develop a pattern from that just as easily as by IP.
However, I personally would not be averse to NAT66 being implemented commonly, but I think there is a fear that if NAT66 exists, the ISPs will bone the residential market that includes the people who really want an actual usable subnet for their home.
XML is like violence. If it doesn't solve the problem, use more.
The IPv6 address you give up does not exist. It is guaranteed that nobody can connect to your printer because it is on a non-existent IPv6 address.
whois 2001:453:da65:1:94ab:7c00:8cba:beb5
#
# Query terms are ambiguous. The query is assumed to be:
# "n 2001:453:da65:1:94ab:7c00:8cba:beb5"
#
# Use "?" to get help.
#
No match found for 2001:453:da65:1:94ab:7c00:8cba:beb5.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
Printers don't need public addresses but it is nice to have UNIQUE addresses. That way when you take your laptop to another network it doesn't try talking to the wrong IP.
Using "public" addresses in IPV4 is more of a security hole because most subnets are small, address space wise, and it's easy to start guessing IP addresses from outside and see what you hit. In IPV6 the host part of the address is 64 bits and they're usually assigned using the MAC address, rather than starting at 1. Therefore, it's pretty hard to guess an address and hit it even if your firewall doesn't block the traffic.
> How is that different from your NAT today? If you want to accept incoming connections, you must tell your NAT box a port to DNAT map from your external thing to something internal, defined by, surprise surprise, a static entry.
The differences are:
1) A single static IP address in IPv4 can be either a single device or a NAT gateway. In IPv6 it is guaranteed to be a single device.
2) The perception that since a static IPv6 address is just one of the possibilities out of a 64-bit subnet, this renders address scanning useless. This perception is blatantly false, as without address randomisation you leave "footprints" everywhere you go, hence the privacy extensions. Who needs to scan for your address when you leave it wherever you go?
The current implementations of ipv6 leaves you the choice between security and privacy - you cannot have both.
If you choose security you cannot even have plausible deniability by running an open wifi as all ipv6 addresses are unique.
If on the other hand you choose privacy, then you cannot implement a default deny firewall as this would require a whitelist listing all of the allowed ipv6 addresses - something that you cannot provide if you are randomising your ip address as per the privacy rfc.
I will wait until someone figures out how to do both before I consider going live with ipv6.
Unfortunately, I'm one of those "very few" sites who experiences slowdowns with IPv6 enabled. I don't know if it's just because I'm a retard or something, but I have not been able to find a DHCPv6 client for Linux that works reliably.
And have you reported the bug to the developers? Remember you are comparing 10-year-old software which has had millions of users exercising it to code which has a couple of thousand users exercising it.
I've tried WIDE-DHCPv6-Client and Dibbler. Both seem to occasionally have a hissy fit and crash. When DHCPv6 crashes, you lose IPv6 connectivity -- so the browsers on your network think they still have connectivity and try-and-wait for ages until the connection times out. Restarting the client always fixes the issue.
Well, complain to your browser vendor. Multi-homing support has been part of the host requirements for more than 20 years. The only reason you are seeing problems is that your browser vendor cut corners and didn't code the product to support multi-homed servers.
I for one, consider IPv6 to still be an "experimental" technology. I certainly won't be deploying it out to my clients' sites any time soon.
The thing is that in a NAT environment, all sessions from an organization behind a NAT4 device, all they see is the NAT device IP address, and not the real IP address of the systems the user is at.
If in an IPv6 NAT-less world you have a firewall but no NAT, you see what each individual IP6 address likes or dislikes, regardless of the span of a "session". That could be interesting for folks like Google to do "analytics" on what you browse. Also, it could be interesting for other folks if they narrow down that IP6 address to a name.
I'd agree with you if it were easy to get an IPv6 subnet of your own (actually assigned to you, not just probably not used by anyone else like that webpage gives you). But it isn't. I tried to IPv6 my home network a couple of years ago, and for supposedly non-scarce addresses they're actually harder to get hold of (as a private individual) than IPv4 addresses.
I am trolling
1) Whether it is an IPv6 address or an IPv4address+DNAT port, the exposure is the same, the outside world has a door into a specific system.
My thought is that running an open wifi does not provide plausible deniability. It's more likely that someone will do something malicious behind your gateway and you'll take the blame than vice-versa. *Especially* if you seem technically capable, the fact that you explicitly left your wifi open would be taken as a sign you were *trying* for plausible deniability. Face it, for the residential case, *there is no plausible deniability*, at least with respect to traffic that originates from your residence, *unless* you have a trusted proxy shared with others out there that you *know* won't retain enough data to trace your identity. The only way to have plausible deniability is to find an open-wifi somewhere and hope there's no security camera. If it is some poor sap's house, then they will probably get blamed, if a business, that business may be required to discontinue open wifi under legal pressure.
If you did want to put your static address into your firewall rules, you could do the exact same strategy as IPv4: either statically decide your IP (which is still very much possible) or use DHCPv6 to assign addresses. The entire IPv6 world isn't just the stuff defined in stateless auto-addressing.
XML is like violence. If it doesn't solve the problem, use more.
Right, but if they are wanting to do analytics, they use long lived tracking cookies today. They already do all the tracking they need to do at the HTTP/Browser layer. A better argument would be that users can at least opt out by controlling their acceptance of cookies, even if no one does as in practice it breaks too many sites to blanket deny and way too many questions to consider one at a time.
The sad fact is that NAT gives very little protection in practice against things like tracking, *particularly* to the home market, where household granularity in tracking is quite sufficient no matter how you look at it.
XML is like violence. If it doesn't solve the problem, use more.
I fire up the VPN on my iPhone, and then print.
Just like I do now and with far more security because the connection is encrypted.
Note: I would never do that, Why the hell do I need to print something from my phone when I am miles from the printer?
Do not look at laser with remaining good eye.
> It starts with the fact that your internal IP addresses will be determined by what your ISP gives you. What if you change ISPs? This means renumbering everything. Changing ISPs didn't used to mean that. What's the solution
The solution is to use FC00::/7 like you are supposed to: http://tools.ietf.org/html/rfc4193
That, or use the prefix mechanisms of IPv6.
> All well and good, but acquiring PI addresses still requires you to become a member of your local RIR
Bullshit. PI was invented precisely to avoid having everyone and their mom who needed their own address space join the RIRs.
If you are within the EU, I can send you a contract with _us_, not RIPE, that fits on a beer coaster. You send me proof that your company exists and, as the policy wrt IPv6 is pretty much "HERE! TAKE IT!", not even a real numbering plan. Also, you will need to tell me, and thus RIPE, why you need multi-homing. I will give you an IPv6 PI prefix in return. No hassle, no need to join a RIR, no nothing.
> With IPv6, medium and small companies will also have an urgent requirement for PI space.
No, they think they need it as they are as misinformed as you are.
> Now, of course, once so many more organisations are using PI addresses, what does this mean for the size of the global routing table?
Not very much, assuming they don't go announcing every /48 they have. But without a real need for multi-homing, you will not get PI space either way. Matter of fact, IPv4 is a lot more fragmented than IPv6 because there are so few addresses.
Some companies announce every /24 from different locations because they were allocated in an aggressively address-saving manner.
With IPv6, I have a /32. I announce a /40 per POP, in the /36 per city. That means almost zero fragmentation. And if I ever need another /32, thanks to sparse allocation, I can simply go to RIPE and the /32 right above mine will still be free. So I will then end up with a /31. A continuous /31. No (forced) fragmentation.
Customers get /56, i.e. 256 /64, and, thanks to sparse allocation, I can easily up them to /55, /54, etc. 65k customers in one POP is a limit I will not reach any time soon. And if I do, I can just use one of the other 15 /40 in the same city. Yay for planning.
> Can anyone more experienced in IPv6 than me refute these points?
Seriously, you should have put that first, not last.
By the way, you are totally ignoring that changing ISPs with IPv4 PA space today means total renumbering whereas with IPv6 PA, you merely need to switch out the prefix.
Huge time and effort. 30 seconds max.
Let me guess, you are one of those guys at the office that wigs out at the vending machine because it took 3 seconds to get you your 3rd redbull this morning.
it is not a huge time and effort, it's negligible effort even for 1024 devices spanning several subnets in IPV4, in IPV6 it's a single subnet, even less effort.
Do not look at laser with remaining good eye.
If you think your ISP will gladly give you more than 1 IP address with your basic broadband service, then you are completely disillusioned.
Do not look at laser with remaining good eye.
IANA will run out within less than a month: http://www.ipv4depletion.com/?p=557
You not informing yourself does not mean it's not happening :)
"it makes peer-to-peer internet impossible."
and that is a POSITIVE. I want P2P to be impossible for most of what I need on the NAT.
Firewall+NAT = more control over the network. OR are you telling me that when ipv6 comes along all of a sudden all ISP's are going to become benevolent and give everyone what they want?
NO, you will get 1 IPv6 address and pay for every other address you want. Thus back to NAT.
Do not look at laser with remaining good eye.
No you're the complete idiot in thinking your ISP is going to give you more than 1 IPv6 address.
Do not look at laser with remaining good eye.
If IPv6 is cheaper for them to do, and NAT66 isn't commonly available, then you bet your ass they will. They know well that some number of devices greater than one always access their service. They don't want to bridge customer networks together in a layer 2 sense, so they will delegate prefixes for use by linksys gateways and the like. IPv6 explicitly made efforts so that prefix delegation is trivially automatic, so there isn't work associated with it, and addresses are so bountiful there simply is no point in *not* doing it.
XML is like violence. If it doesn't solve the problem, use more.
I know, right? They already give me more than 1 IPv4 address right now, so it would make perfect sense to reduce it to 1 once there are 79228162514264337593543950336 more addresses available...
Oh, this is going to be so cool! I'll be waiting to try it out.
But even that doesn't really work with IPv4. The main problem is with the IPID field. Any combination of source IP, destination IP, and IPID must not be reused within a packet lifetime. But when two machines behind the NAT send packets out, the gateway mangles the source IP address, and if two packets were sent with different source IPs but identical IPIDs, it would have been perfectly valid until they passed the NAT. A typical NAT doesn't touch the IPID field and just passes it on unmodified. Modifying the IPID wouldn't work very well anyway, as the state that would need to be tracked gets impractical.
Many systems generate predictable IPID values, and when they go through the NAT unmodified it is fairly easy to count the systems. Even if each system were to generate unpredictable IPID values, any collision would prove that two packets were sent by different systems. Since every packet in a TCP stream is from the same system, this will allow counting systems even if they generate unpredictable IPID values. You could work around this by setting DF on every TCP packet and just putting random bits in the IPID field. This would of course have to be done by the sending host. If the NAT did those modifications, it would be breaking communication for hosts that didn't anticipate such modifications.
If your intention with using NAT is to hide how many machines are behind the NAT, then you are better off using NAT with IPv6. With IPv6 the IPID field doesn't exist if it doesn't have to. And the DF bit does not exist either because it is implicitly on: any fragmentation must be done by the sender, intermediate routers are not allowed to do it. This means with IPv6 there are far fewer packets with an IPID that could reveal the number of hosts behind the NAT. And when the IPID is included, it is twice as large as in IPv4, which reduces the risk of collisions significantly. That means less risk of the NAT breaking stuff by causing IPID collisions, and with fewer collisions there will be less chance of identifying different systems behind the NAT due to collisions.
Do you care about the security of your wireless mouse?
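To make the IPID argument above concrete, here is an added Python example (not from the poster). It constructs a capture as seen on the outside of a NAT, where the source address has been rewritten to the gateway's address but the 16-bit Identification field passes through unchanged, and shows the two effects described: incrementing IPIDs from two hosts separate into two increasing sequences (a count of hosts), and a repeated (src, dst, IPID) triple within a packet lifetime proves more than one sender even when the IPIDs are random. The addresses, ID sequences and the 64-step gap threshold are constructed sample values.

```python
import random
from dataclasses import dataclass

IPID_MODULUS = 1 << 16  # the IPv4 Identification field is a 16-bit counter


@dataclass(frozen=True)
class Packet:
    src: str   # source address as seen outside the NAT: always the gateway
    dst: str
    ipid: int  # IPv4 Identification field, passed through unmodified by a typical NAT


NAT_EXTERNAL = "203.0.113.7"   # documentation address, constructed for the example
SERVER = "198.51.100.20"


def sequential_sample() -> list:
    """Constructed capture: two hosts with incrementing IPIDs, interleaved as they leave the NAT."""
    host_a = (1000 + i for i in range(10))
    host_b = (5000 + i for i in range(10))
    packets = []
    for a, b in zip(host_a, host_b):
        packets.append(Packet(NAT_EXTERNAL, SERVER, a))
        packets.append(Packet(NAT_EXTERNAL, SERVER, b))
    return packets


def random_sample(hosts: int = 2, per_host: int = 100, seed: int = 7) -> list:
    """Constructed capture: hosts that fill the IPID with random bits, as the post recommends."""
    rng = random.Random(seed)
    return [Packet(NAT_EXTERNAL, SERVER, rng.randrange(IPID_MODULUS))
            for _ in range(hosts * per_host)]


def collision_sample() -> list:
    """The random capture with one triple repeated within a packet lifetime."""
    packets = random_sample()
    return packets + [packets[0]]


def estimate_hosts(packets: list, max_gap: int = 64) -> int:
    """Count increasing IPID sequences behind one external address.

    Each packet joins the open sequence whose last ID is closest below it (within max_gap,
    modulo 2^16); otherwise it starts a new sequence. With per-host counters the number of
    sequences is the number of hosts; with random IDs the count is meaningless, which is
    the point: randomised IPIDs defeat this measurement.
    """
    last_ids = []  # last IPID of every open sequence
    for pkt in packets:
        best, best_gap = None, max_gap + 1
        for idx, last in enumerate(last_ids):
            gap = (pkt.ipid - last) % IPID_MODULUS
            if 0 < gap < best_gap:
                best, best_gap = idx, gap
        if best is None:
            last_ids.append(pkt.ipid)
        else:
            last_ids[best] = pkt.ipid
    return len(last_ids)


def proves_multiple_senders(packets: list, lifetime_window: int = 200) -> bool:
    """True if the same (src, dst, IPID) triple repeats within lifetime_window packets.

    A correct host never reuses a triple within a packet lifetime, so a repeat proves that
    at least two hosts share the external address, however the IPIDs were chosen.
    """
    recent = {}
    for pos, pkt in enumerate(packets):
        key = (pkt.src, pkt.dst, pkt.ipid)
        if key in recent and pos - recent[key] <= lifetime_window:
            return True
        recent[key] = pos
    return False


if __name__ == "__main__":
    print("sequential IPIDs -> estimated hosts:", estimate_hosts(sequential_sample()))
    print("random IPIDs     -> estimated hosts:", estimate_hosts(random_sample()), "(meaningless)")
    print("repeated triple proves >1 sender:", proves_multiple_senders(collision_sample()))
```

Seen from the defender's side, the first function is the leak a NAT does not close and the second is why randomising the IPID on the host only narrows it; the post's IPv6 point is that packets without a fragment header carry no Identification field at all, so there is nothing for either function to work on.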
I suppose an OS could actually easily address that concern. Whenever a connection is established it could be assigned a newly generated random address unless the application had explicitly bound the socket to an IP address. It does mean the gateway will have to keep track of more IP to MAC mappings than it would otherwise, but the number of entries to track isn't going to be more than the number of connections a NAT would have to track today. And if they do expire, it just means you'll have to wait a few microseconds for it to ask for the IP address. When the same kind of expiry happens in a NAT, it causes the connection to break.
Do you care about the security of your wireless mouse?
Did you even watch the video you linked to? If you watched the video you would find that address randomization does solve that problem, but only if you use it. What he found was that a lot of servers have IP addresses that are not random, so he could find them by scanning with a few different tricks.
Since the starting point was a bunch of DNS entries, it is not clear that these IP addresses were even supposed to be secret to begin with. But if you do use random addresses, none of the tricks mentioned in that video will find it.
The rest of the video was discussing various attacks that can be performed if you are on the same LAN as the target. Many of those attacks are similar to what you could do with IPv4, and the typical solution with IPv4 would be to configure filters in your switches. Similar attacks against IPv6 require similar filters, which shouldn't come as a shock to network administrators.
I think the most interesting attack mentioned was that a rogue machine on an IPv4 only network could perform a man-in-the-middle attack by sending out an IPv6 router advertisement and cause other machines on the LAN to believe it was a dual stack network and use IPv6 by default.
He pointed out a few other places where the IPv6 stacks are not as mature as IPv4, and that supposedly you can crash most machines on a LAN through these. But none of this should discourage you from upgrading your network, since the attacks only worked locally, and they would work even if your network was IPv4 only because the attacker could turn on IPv6 on demand.
All in all an interesting video, but the one point you mentioned wasn't being made.
Do you care about the security of your wireless mouse?
If people violate the standard in that way, then collisions can happen. But at least it only happens if both networks violate the standard in the same way. If it does break at least you can blame each administrator independently as he is obviously responsible for misconfiguring his network. (If you want to avoid a situation where an administrator tries to argue that it is easier to fix the other network, then pretend there are three conflicting networks and it is easier for him to fix his own network than to get both of the other networks fixed).
The situation could be even worse, if some joker decided to use the same prefix that he saw some other network using. In such a case it wouldn't be obvious which of the networks didn't make a random choice. The standard could have included an elaborate technique for proving that the random prefix is yours. (Generate an RSA keypair, hash the public key and use the first 40 bits in your prefix. If necessary use the private key to prove that you picked this prefix). But this would be kind of overkill to put in the standard.
The fc00::/8 prefix is specifically reserved for use in case the random assignments somehow don't work out and would require a central authority. How the process for assigning prefixes would work in that case remains an open question, as we haven't seen the need yet, and we might never. If people are stupid enough to violate the standard, chances are that being able to pinpoint exactly who is violating the standard isn't going to help all that much.
Do you care about the security of your wireless mouse?
> 1) Whether it is an IPv6 address or an IPv4address+DNAT port, the exposure is the same, the outside world has a door into a specific system.
Unless you are running the IPv6 privacy extensions:
http://playground.sun.com/ipv6/specs/ipv6-address-privacy.html
http://www.faqs.org/rfc/rfc3041.txt
> My thought is that running an open wifi does not provide plausible deniability. It's more likely that someone will do something malicious behind your gateway and you'll take the blame than vice-versa. *Especially* if you seem technically capable, the fact that you explicitly left your wifi open would be taken as a sign you were *trying* for plausible deniability. Face it, for the residential case, *there is no plausible deniability*, at least with respect to traffic that originates from your residence, *unless* you have a trusted proxy shared with others out there that you *know* won't retain enough data to trace your identity. The only way to have plausible deniability is to find an open-wifi somewhere and hope there's no security camera. If it is some poor sap's house, then they will probably get blamed, if a business, that business may be required to discontinue open wifi under legal pressure.
Here I think we will have to agree to disagree. Particularly when you consider some of the advantages to the privacy extensions. My point is that at present, there is no happy medium. You have a choice between a centralised traditional firewall, and a decentralised randomised more privacy friendly solution.
I think we can agree that IPv6 could be far better than it is with what we know today versus when it was designed 15 years ago. I'm just willing to wait a little longer for my feature set than you are for yours.
> Did you even watch the video you linked to?
I did, and from it I headed down the path that you are on. That was until I also wanted a firewall as well as randomisation. If you implement a default deny firewall and are running randomised addresses, just how do you open a port? Or otherwise grant access for inbound connections?
All the flaws of NAT but without any of the benefits.
I am sure that there is a solution to this problem, it just has yet to be released.
I am just willing to wait for that, or until IPv6 reaches critical mass and I am forced.
Randomly assigned IP addresses can be static or dynamic. You assign one static to each machine and let it generate dynamic addresses on its own. For incoming connections you use the static IP of the machine. For outgoing connections you use one of the dynamic IP addresses of the machine.
Too many people with that attitude is the reason for the mess we have now.
Do you care about the security of your wireless mouse?
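The scheme described in the comment above (one stable address for inbound connections, RFC 3041 temporary addresses for outbound ones) also answers the earlier question of how to open a port behind a default-deny firewall when addresses are randomised. As an added example, not code from the thread or from any of the linked documents, the block below derives temporary interface identifiers the way RFC 3041 section 3.2.1 specifies (MD5 over history and the stable identifier, u/l bit cleared) and pairs them with an inbound policy that only admits traffic to the stable address. The /64 prefix, MAC address, port list and all-zero initial history are constructed sample values.

```python
import hashlib
import ipaddress

# Constructed sample inputs for the example (not values from the thread).
PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")
MAC = "00:11:22:33:44:55"
INBOUND_PORTS = {22, 443}


def eui64_from_mac(mac: str) -> bytes:
    """Build the modified EUI-64 interface identifier from a 48-bit MAC
    (insert ff:fe in the middle and flip the universal/local bit)."""
    octets = bytearray(int(x, 16) for x in mac.split(":"))
    iid = octets[:3] + bytearray(b"\xff\xfe") + octets[3:]
    iid[0] ^= 0x02
    return bytes(iid)


def rfc3041_next_temp_iid(history: bytes, stable_iid: bytes):
    """RFC 3041 section 3.2.1: MD5 over (history || stable identifier).
    Leftmost 64 bits become the new temporary identifier with the u/l bit
    cleared; rightmost 64 bits become the history for the next round."""
    digest = hashlib.md5(history + stable_iid).digest()
    temp_iid = bytearray(digest[:8])
    temp_iid[0] &= 0xFD  # clear bit 6 (value 0x02) of the first octet
    return bytes(temp_iid), digest[8:]


def address_from_iid(prefix: ipaddress.IPv6Network, iid: bytes) -> ipaddress.IPv6Address:
    """Combine the /64 prefix with a 64-bit interface identifier."""
    return ipaddress.IPv6Address(int(prefix.network_address) | int.from_bytes(iid, "big"))


def generate_addresses(prefix, mac, count, history=b"\x00" * 8):
    """Return (stable_address, [temporary addresses]) for one host.
    The all-zero initial history is an assumption for reproducibility;
    a real implementation seeds it randomly."""
    stable_iid = eui64_from_mac(mac)
    stable = address_from_iid(prefix, stable_iid)
    temps = []
    for _ in range(count):
        temp_iid, history = rfc3041_next_temp_iid(history, stable_iid)
        temps.append(address_from_iid(prefix, temp_iid))
    return stable, temps


def inbound_allowed(local_addr, dport, stable, inbound_ports=INBOUND_PORTS):
    """Default-deny inbound policy: only the stable address, only listed
    ports. Temporary addresses never accept new inbound connections, so
    the randomisation costs nothing in terms of opening a port."""
    return local_addr == stable and dport in inbound_ports


def demo():
    stable, temps = generate_addresses(PREFIX, MAC, 3)
    return {
        "stable": str(stable),
        "temporary": [str(t) for t in temps],
        "ssh_to_stable": inbound_allowed(stable, 22, stable),
        "ssh_to_temporary": inbound_allowed(temps[0], 22, stable),
        "http_to_stable": inbound_allowed(stable, 80, stable),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Outbound connections would be bound to the newest temporary address; the firewall only needs to match the single stable address for the ports you choose to expose, which is the same amount of configuration as a port forward on an IPv4 NAT gateway.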
Randomly assigned IP addresses can be static or dynamic. You assign one static to each machine and let it generate dynamic addresses on its own. For incoming connections you use the static IP of the machine. For outgoing connections you use one of the dynamic IP addresses of the machine.
Thank you for this, it forced me to re-read the faq (http://www.faqs.org/rfc/rfc3041.txt). I must admit that I had been focusing on its primary declared relationship to "Stateless address autoconfiguration [ADDRCONF]", and failing entirely to grasp the "may also apply to interfaces with other types of globally unique and/or persistent identifiers" part.
Too many people with that attitude is the reason for the mess we have now.
Some of us are either more cautious, or less well informed. I was both; now I am merely cautious. I will gladly, and with thanks, move on to basic connectivity testing rather than waiting.
If you have information regarding implementing Security Enhanced Neighbour Discovery please link it as this is now the final hurdle for me.
Being cautious is ok. A 10 year transition plan to ensure there is time to address any issues coming up sounded like a good plan. But what happened was that nobody wanted to make the first move. And we now have a situation where we have realized what the first hurdle is, and the first large scale test to see if we have resolved that hurdle is scheduled to happen a few months after the IANA pool of IPv4 addresses runs out.
All the years where almost nothing happened means that the transitioning now has to happen faster, and it will be more problematic because there won't be any free IPv4 addresses for the last part of the transitioning. If the transitioning had gone according to the plan, people would be shutting down IPv4 networks now because it wouldn't be worth the hassle to run both IPv4 and IPv6. Unfortunately that isn't the situation.
For the Internet as a whole, all this cautiousness appears to be causing more problems than it prevented. I can understand why, from each individual's viewpoint, it seemed like the right thing to do. But from a global perspective it is turning into a disaster.
I don't know more than what was mentioned in the video. I would expect that some high end switches can be configured to do filtering that will address the majority of issues, but I don't know any specific details about that either.
Do you care about the security of your wireless mouse?
No, it doesn't.