Slashdot Mirror


User: bbn

bbn's activity in the archive.

Stories: 0 · Comments: 412

Comments · 412

  1. Re:ISP:s at fault on IPv6 Traffic Volumes Are Low, But Nobody Knows How Low · · Score: 1

    You are grouping ADSL lines and Ethernet UTP cables together like they were the same thing. They are not. Try patching 4 phone lines together in a couple of RJ-45 connectors and see if you can even get 10 Mbit ethernet working properly... and I mean working properly... not just link and small ping packets. Try to copy a big file over and see what happens.

    This works and was in fact not uncommon. You only need two phone lines because 10/100 Mbit/s ethernet only uses two pairs. It was designed so you could reuse existing wiring in buildings to do this.

  2. Re:ISP:s at fault on IPv6 Traffic Volumes Are Low, But Nobody Knows How Low · · Score: 1

    Just that you are using 10Gbit patch cords as an example to say ADSL is better than cable proves my point.
    10Gbit cables are in no way similar to standard phone line cables.

    Of course they are similar. Unshielded twisted pair. Phone lines are called CAT-3 while ethernet (up to gigabit) uses CAT-5. Same cable type except ethernet is done with higher quality. Ethernet will for short runs work on CAT-3.

    Try another route - why do you think 10 Mbit/s coax ethernet stopped right there and unshielded twisted pair went all the way to 10 Gbit/s and soon also 40 Gbit/s?

    Maybe I just didn't get your point. You seemed to insinuate that coax based network such as cable and 10 Mbit/s coaxial ethernet had lower noise and higher bandwidth than unshielded twisted pair networking such as ADSL and UTP (unshielded twisted pair) based ethernet. You told him to go read a book about that very point. But in fact coax cables are unsuited for long runs with very high frequency signals. The attenuation is too much for it to be practical. You will never get the gigabit speeds of UTP on a coax based network.

  3. Re:I'm using it on IPv6 Traffic Volumes Are Low, But Nobody Knows How Low · · Score: 1

    Do you mind telling what ISP this is? It sounds like a good case to point to in future debates.

    Also what router do you have? Not all "IPv6 enabled" routers are so mature as the one you are describing.

    Your router would probably not be dishing out a /60. All link subnets should be /64 so the router should pick the first /64 from your /60 and announce that on your local network. A /60 gives you 16 /64 networks and the remaining 15 are still available for your use. How exactly you use those 15 nets is where the "maturity" of IPv6 in home routers comes in. I believe many routers simply have no way of using the extra nets.

    Prefix delegation can be used to hand over one or more /64 nets to other routers on your network. It would not do anything for hosts. But say you have a wireless router and you want the wireless network to be on a separate /64, the prefix delegation is one way to configure that. What I have yet to see is a practical implementation of this. Even with PD there needs to be some way to control how many nets to delegate to which router etc - does your router have such sophisticated controls?

  4. Re:ISP:s at fault on IPv6 Traffic Volumes Are Low, But Nobody Knows How Low · · Score: 1

    Local multicast is in the ff02::/32 range so your public subnet does not matter for that.

    However your link subnet needs to be exactly /64 otherwise neither DHCPv6 nor stateless autoconfig will work and mobile IPv6 breaks among other things.

    That you should get a /48 just means you get a large number of /64's for your use.

    Many ISPs might not go with the /48 and allocate a smaller number of nets to each user. But even the worst ISP could not go lower than one whole /64 or they would have the support nightmare of guiding all users through manual configuration.

  5. Re:ISP:s at fault on IPv6 Traffic Volumes Are Low, But Nobody Knows How Low · · Score: 1

    Do you even understand how the technology behind each option works?
    Or on a lower level. Do you know the difference between a standard phone cable and a coaxial cable and how that affects signal quality and available bandwidth?

    Do you?

    10 Gbit/s networking is delivered on twisted pair cabling, not coaxial. Granted better quality cabling and with four pairs instead of just one. The limits of ADSL are more because of poor wire quality and long wire runs than any limits of twisted pair vs coaxial.

    ADSL has the distinct quality that you are not on shared bandwidth. Cable might be able to go slightly higher but you have to share with your neighbors. Which might be why cable intense USA has all the ISPs implementing download limits while ADSL intense Europe has free download as a rule.

    In my country over 90% of the population has the option to buy 50 Mbit/s ADSL. A budget ADSL is typically 10 Mbit/s and the average ADSL is probably around 20 Mbit/s. This is not worse than what you typically can get from cable.

    Therefore the conclusion is clear: Games/sites that ask the user to choose internet connection speed with the ranking Cable > ADSL > dialup are pretty stupid. Just ask the user how many Mbit/s he got (or measure it).

  6. Re:NAT on Asia Runs Out of IPv4 Addresses · · Score: 2

    99.9% of mobile devices would be quite happy behind NAT.

    No. Being behind NAT means the mobile device has to pull for messages. This means it will be slow at detecting new messages and it creates unnecessary traffic (expensive).

    It also breaks the usual stuff - SIP (what, you don't want free internet calling just because it is a mobile device?). RTP (you don't want to watch video?).

    In fact it seems there are perhaps more new inventive services that could be built on the open peer to peer network of IPv6 with mobile devices communicating directly with each other.

    Before you go on the usual "but we have NAT hacks that allow some of that stuff to work anyway!", please learn a bit more about IPv6. It is more than just an extra long address field. For example there is something called Mobile IPv6 which could come in very handy for mobile devices. Also IPv6 multicasting is much improved - why, you could broadcast to the world directly from your camera phone.

  7. Re:Correct on Why Doesn't Every Website Use HTTPS? · · Score: 1

    Certs are no longer $100/yr, if you shop around a little. Trustico has provided perfectly functional certs for $20/yr for a long time (with discounts for multi-year purchases). I've been using them for several years. For a blog that has very cheap hosting, even the $20 doesn't necessarily make sense.

    Startssl does it for free: http://startssl.com/

  8. Re:One possible transition technology on Most IPv6-certified Home Network Gear Buggy · · Score: 1

    If the browser is modern enough it knows about IPv6, and knows you don't have IPv6 on the current computer, it occurs to me that the browser could potentially be made smart enough (through a plugin/addon) to automatically rewrite the IPv6 URL as an IPv6 DNS name, on-the-fly.

    Or you could just configure the browser with a HTTP proxy. This is already supported by all major browsers and solves the IPv6 problem completely. Still requires the user to change his setup though.

  9. Re:One possible transition technology on Most IPv6-certified Home Network Gear Buggy · · Score: 1

    Just because you can't think of a solution, doesn't mean that one does not exist. It just means you haven't thought of it yet.

    Perhaps a bit arrogant to say, considering that the whole world has been thinking of this for the past 10 years, and you think you can just come up with an easy solution, right here on slashdot, that nobody thought of before?

    If the initial contact was made by DNS you are correct that a mapping could be made. That was why I asked you how to resolve a URL that did _not_ contain a DNS name. This needs to work on an unmodified IPv4 computer - and can of course not be done. Someone could set up a DNS name that resolves to the address I gave you, but that would not fix the link. Your browser would not know to go to that name. In fact your browser would know that it was an IPv6 link and that this computer does not have IPv6 and not even try.

    The internet is not just web. Lots of protocols out there doing stuff you have no control over. Take a bittorrent client as an example. Bittorrent does not use DNS, but it connects to hundreds if not thousands of IP addresses that it learns about from other hosts, sometimes using encrypted communication. There is simply no way to set up mappings, neither automatically nor manually. Your IPv4 only computer will have to avoid connecting to the IPv6 hosts it learns about. It might get stuck on a download it would otherwise be able to complete if it could communicate with the IPv6 only seed.

    The problem you are trying to solve is usually called 4to6. There was even an RFC on it using exactly the DNS mapping idea. The problem with it is that it solves the wrong problem. The first to be on IPv6 only hosts are going to be those bittorrent seeds and not some website that has a DNS record. Nobody would be crazy enough to set up a website with only IPv6 for many years to come.

  10. Re:One possible transition technology on Most IPv6-certified Home Network Gear Buggy · · Score: 1

    So how is your computer going to access this URL? http ://[2001:470:1f12:73::2]/ (remove the space after http - slashdot is not exactly IPv6 compatible and gets confused).

    Your computer has no way of translating that IPv6 address into something in the 10.0.0.0/8 range.

    There is no way IPv4 only hosts are ever going to access content on the IPv6 network.

    IPv6 hosts will always be able to access IPv4 content through the numerous transition technologies available.

  11. Re:Why IPv6 is a pipe dream on Most IPv6-certified Home Network Gear Buggy · · Score: 1

    You need to look up the IPv6 privacy extension. Your computer changes IP every other hour or so. What good will a log file with old stale no longer used addresses be?

    If you want to run a web server on a domain name, then you need to be in DNS sure. That is not the majority of people.

    If you want to run a bittorrent client you do not need to be using the same IP that you did yesterday.

  12. Re:OpenWrt isn't exactly a poster child for IPv6 on Most IPv6-certified Home Network Gear Buggy · · Score: 3, Informative

    What about 6to4 with anycast?

    The problem with 6to4 is that it is asymmetric. Your outgoing packets will be going through that 192.88.99.1 node you found by traceroute. But your return packets will be going through whatever gateway is closest to the IPv6 host you are accessing.

    This means that you will be using a lot of different gateways all around the world. And a lot of those are badly configured and give poor quality. One usual problem is badly configured MTU such that all larger packets do not make it through. Ping will work but any actual download fails.

    The 6rd protocol is a small tweak to 6to4 such that the return gateway is forced to be one operated by your ISP. This way the ISP can ensure it is working properly and give you a good experience.

  13. Re:I don't see Linksys as core equipment. on Cisco Linksys Routers Still Don't Support IPv6 · · Score: 1

    Right.

    So the basis of everything being secure is that what is today, is not tomorrow.

    Not quite. Did you read and understand the simple calculation I did for you, the one that predicts 5 million years to scan a 100 Mbps connection? Nothing is going to change that. Of course at some time you might get a gigabit connection and then it only takes 500.000 years to do a scan. And that is if the attacker already knows your subnet, if not he has to scan 128 bits of address space. My calculator melted when I tried to calculate how many years that would take (*).

    If my local network needs to change on a daily basis in order to be "secure," you can count me out.

    Not "if". It already does if you are using Windows 7. Privacy extensions are enabled by default.

    NAT it is. (And, remember: While NAT doesn't mean "firewall," every single common implementation of it in these modern times includes an ingress firewall by default.)

    Sorry to enlighten you, but no, the most common NAT implementations do not firewall. Look up http://en.wikipedia.org/wiki/Symmetric_NAT#Types_of_NAT

    Only "symmetric NAT" does the firewall function, but it is also the least popular type of NAT. Both because it is harder to implement and because users hate it since NAT traversal does not work with it. None of the popular SOHO routers implement symmetric NAT.

    The other three types of NAT all allow communication from third parties not previously established from the inside. Exactly the same as you are able to communicate with an IPv6 peer if you somehow know the address. In the NAT case you just need the address and the port, but combined these are 48 bits of information, much less than the 128 bits needed to scan IPv6.

    If you already know the IP there is only a space of 16 bits to scan to check for other services to exploit. This might be a bittorrent client that does a quick check on the remote peers to check if they are also running a vulnerable piece of software such as a Voice over IP application.

    Sorry to say it, but the real reason we are no longer seeing large waves of Blaster attacks is that no common operating system is vulnerable to network attacks like that anymore. Even Windows comes with all ports blocked by the built-in firewall by default.

    (*) of course you could reduce the search space by looking up what IP ranges have been assigned to ISPs and so forth, but the number is still insane. Even a small ISP is assigned 32 bits of subnet space to search, so to search one small ISP you need to search 96 bits.

  14. Re:I don't see Linksys as core equipment. on Cisco Linksys Routers Still Don't Support IPv6 · · Score: 2

    It is obscure. You can keep saying it's not, but it nonetheless is. (You do the dictionary look-up on that word as homework.)

    Ok, I assume we will be looking in a computer science dictionary, let's just take Wikipedia on the subject: http://en.wikipedia.org/wiki/Security_by_obscurity

    Quote: Security through (or by) obscurity is a pejorative referring to a principle in security engineering, which attempts to use secrecy (of design, implementation, etc.) to provide security.

    What we are discussing here can never be obscure by definition. If it was we would not know how it worked since that would be the secret.

    Combine the tenacity of something like Blaster with the fact that random generally isn't, and such software will land somewhere. Furthermore, I think you genuinely underestimate the number of folks downloading and running such niceties as "FREE Registry Cleaner 9000" and the "OMG PONIES!!!" screensaver, which allows a fair number of seed nodes out of the gate. (I made those names up. You get the point.)

    Actually I do not get the point. In fact it seems you are missing it too. People that install malware are not protected by NAT are they now?

    And, of course: Nevermind the fact that such a routeable address will not exactly be secret to begin with: In the absence of NAT, whatever host(s) you communicate with will know this address, and it will no longer be obscure.

    The worms I commented on did in fact scan the net at random and did not limit the scan to hosts the client already had a relation to. Being such limited will delay spreading in a drastic way. Back in the day you could not install Windows on a net connected machine, it would be compromised before you had a chance to download the patches. This would not happen with IPv6 because scanning is not feasible and the machine would only make outgoing connections to Microsoft and other large sites that can be assumed not to be infested with worms.

    Given enough datamining on a popular and compromised/ill-intended sites, and producing rather complete maps of an individual's home subnet should be practical.

    No that would give you old useless data. Knowing what your subnet was like yesterday does not give you any ability to find machines today.

    ... but it will fail for someone.

    So, if we cannot rely on obscurity by itself, then we'll have to rely on firewalls.

    You need to know what privacy extensions protect against. It protects against making scanning feasible and against tracking. But it is not a firewall and is not meant to be one. Just like NAT is not a firewall.

    I commented only on the claim that worms could spread on IPv6 like in the old days before NAT, and I stand by that they can not. Those old worms depended on the ability to scan which is not practical with 64 bit subnets.

  15. Re:I don't see Linksys as core equipment. on Cisco Linksys Routers Still Don't Support IPv6 · · Score: 2

    Yes. And 40-bit SSL should be enough for anybody.

    Er. Uh. I mean to say: "It's really, really obscure! So it must be safe!"

    Say again? It is not obscure, it is a mathematical property from the fact that 2^40 is not a very large number but 2^64 is.

    How long does it take to scan your subnet? It is easy to calculate, take an average ADSL home connection that is 10/1 Mbps. An IPv6 echo request ping packet is 118 bytes. Packets per second: 10,000,000 / 118 / 8 = 10593. Seconds to complete scan: 2^64 / 10593 = 1,741,408,861,862,508 seconds. Or 55,219,712 years.

    Of course 55 million years is the time for someone to scan you. If you have the worm and are doing the scanning the upstream bandwidth would be the limiting factor. So it would take you 10 times longer to scan _one_ guy (*).

    Really - how effective do you think this worm would be at spreading like that?

    And before you come screaming "I got 100/100 fiber to the home superconnection", ok so for you it will only take 5 million years to complete a scan of your network.

    Add to that the fact that you are changing your address every hour at random, so with a very high probability it will never find your address even given millions of years.

    (*) assuming this guy only has a /64. Given that ISPs are supposed to give people /56 or /48, you do that math as homework.

  16. Re:wow on Cisco Linksys Routers Still Don't Support IPv6 · · Score: 1

    dd-wrt is very lacking in IPv6 as well. There is no UI for it, it only supports tunneling, it is broken, etc.

    I have made it work by writing my own shell scripts for it. But there seems to be no way to get a subnet by prefix delegation, not even if you are able to write scripts yourself.

  17. Re:I don't see Linksys as core equipment. on Cisco Linksys Routers Still Don't Support IPv6 · · Score: 1

    Remember Sasser? Or Blaster? Self propagating worms that went screaming over the internet in part *because* of poorly firewalled networking and publicly exposed services such as RPC. That doesn't happen with NAT

    It does not happen with IPv6 either because the address space is too large to search at random. You need to somehow know the address of your peer or you will never guess it.

    Subnets are always 64 bits and that is just too large a space to search. If the user is using privacy extensions, he will change addresses every few hours, randomizing the last 64 bits of his address. Even peers that you have communicated with in the past can not guess what your current address is.

  18. Re:Summary is false on Cisco Linksys Routers Still Don't Support IPv6 · · Score: 1

    I am betting you don't have the latest firmware. I have a wrt610n and the latest firmware for that router disables ipv6.

    No it does not. The latest firmware enables a firewall on IPv6 that blocks all inbound connections. You can still do outbound IPv6 connections. They left out any way to control this firewall.

    Btw, this "ipv6" is only 6to4 tunneling, not native IPv6.

  19. Re:Summary wrong, article kinda updated on Cisco Linksys Routers Still Don't Support IPv6 · · Score: 1

    This is probably the 6to4 tunnel technology that is working for you. Linksys enabled that by default starting with the W610N router.

    They still lack support for native IPv6 on the WAN side. So even if your ISP deploys native IPv6 you will not be able to take advantage of it. Instead you will still be surfing on a tunnel technology that does not always work as well.

  20. Re:Most ISPs are doing /56 or /48 for residential on If You Think You Can Ignore IPv6, Think Again · · Score: 1

    But if I capture a packet that is going to google.com I see this:

    Source IP: internal IP of my PC.
    Destination IP: the IP of google.com
    Source MAC: MAC of my PC
    Destination MAC: MAC of my router

    Exactly. How did it know to use the MAC of your router? That came from the default route. Had you specified a different IP as default route it would be using the MAC associated with that IP address.

    A local subnet means the router will try to look up the MAC address of an IP address using ARP.

    A non-local subnet means the router instead will look up the MAC associated with the IP address of the gateway specified and send the packet to that MAC. It will not modify the headers so you will not see the gw IP as "destination IP" in the packet.

    So in the /27 case I told about, the ISP router would consider my subnet as local and therefore try to deliver directly to hosts by doing ARP lookups on all addresses in the subnet. If I wanted to split my subnet I would need the ISP router to send to my router instead of sending directly to hosts on the subnet.

  21. Re:Most ISPs are doing /56 or /48 for residential on If You Think You Can Ignore IPv6, Think Again · · Score: 1

    The packets only get picked up by your router if they are routed to the router's IP address.

    Maybe you meant MAC address. I am sure that when I go to google.com, my PC sends a packet with the source IP as its own and destination IP as the one for Google and my router picks it up, sends it out the other interface (and changes the source IP to the external one, since I am using NAT).

    Your router only picks it up because your computer has the router IP listed as "default gateway". Try changing default gateway to something that is not your router IP and see what happens. Hint: you lose contact with the internet but retain the ability to communicate with any local devices including the router.

    Also, I thought that the "gw" parameter for the route command was only useful when there was more than one router on the same interface, for example:

    route add -net net1 netmask mask gw 192.168.0.1 dev interface
    route add -net net2 netmask mask gw 192.168.0.2 dev interface

    Now packets going to net2 will go to .0.2 and packets going to net1 will go to .0.1 that are both connected to the same interface.

    I really want to try this, but as I cannot, I'll take your word for it, that it did not work.

    In IPv4 there is no such thing as automatically detecting a router so you always need to specify the IP using the gw. IPv6 actually has automatic router discovery although I say the jury is still voting on how useful that is.

    Using "gw" means "this subnet is not local, you need to send it to that guy, he knows how to deliver it". Leaving out "gw" means this subnet is local so you can deliver it directly to host machines on the local ethernet.

  22. Re:Most ISPs are doing /56 or /48 for residential on If You Think You Can Ignore IPv6, Think Again · · Score: 1

    So wait, standard policy will be for all devices to be publicly accessible from the internet, with its *device-unique* IP Address exposing the HW (MAC) address of the device, with no ability to shield machines from publicly broadcasting their existence so that it becomes trivial to isolate each individual device's traffic, no ability to block this behavior, no ability to segment the network or have any devices that aren't publicly accessible.

    This is better, how?

    Windows 7 by standard uses privacy extensions which means it is changing address once an hour or so. Instead of using MAC it simply makes up a new random address.

    This means you can not track it by IP, any learned IPs become useless shortly, etc.

    If you also want an IP that does not change you just add that. The random address will be used by default for outgoing traffic while you use your custom static address if you want to setup a server of some kind.

    To have devices that are not publicly accessible you use a firewall.

    The no ability to segment network traffic comes from the assumption that ISPs are going to break the design by only assigning a /64 instead of a /56 or /48 as they are supposed to. I believe that when all the mess clears up most ISPs will be assigning /56 and this is a non issue.

  23. Re:Most ISPs are doing /56 or /48 for residential on If You Think You Can Ignore IPv6, Think Again · · Score: 1

    OK, let's see if I understand this correctly. The ISP assigned you a /27, so it means that the route is set up as "your.ip/27 goes to your.interface", that is, all packets destined to your subnet would come to you. Now, if you placed a router at your side of the cable, why were you unable to configure it to route the incoming packets to whatever part of your network they were supposed to go? The routes on your router should be something like "ip/29 goes to interface1; ip2/29 goes to interface2; everything else goes to the ISP".

    The packets only get picked up by your router if they are routed to the router's IP address. Just being on the right ethernet segment is not enough.

    "your.ip/27 goes to your.interface" yes but it needs to be "your.ip/27 goes to your.interface with your router IP as gateway".

    The ISP did:

    route add -net my-net netmask my-mask dev my-interface

    But they need to do:

    route add -net my-net netmask my-mask gw my-router dev my-interface
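
The difference between the two `route add` commands in comment 23, as an added example that is not part of the original comment: a minimal next-hop lookup showing why a route without `gw` makes the upstream router ARP for every host itself. The documentation-range addresses, the 192.0.2.0/30 transfer network, the interface name and all function names are assumptions constructed for illustration.

```python
"""Added illustration: which IP a router resolves with ARP for a destination."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ip = ipaddress.ip_address
net = ipaddress.ip_network


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    dev: str
    gw: Optional[ipaddress.IPv4Address] = None  # None means "on-link"


def lookup(table, dst):
    """Longest-prefix match: the most specific route that covers dst."""
    dst = ip(dst)
    matches = [r for r in table if dst in r.dest]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r.dest.prefixlen)


def next_hop(table, dst):
    """Return (IP to resolve with ARP, outgoing device).

    The IP header keeps dst as its destination either way; only the
    frame's destination MAC depends on this choice.
    """
    route = lookup(table, dst)
    if route.gw is None:
        # On-link route: the router expects dst itself to answer ARP.
        return ip(dst), route.dev
    # Routed via gateway: the gateway must itself be reachable on-link.
    if lookup(table, route.gw).gw is not None:
        raise ValueError(f"gateway {route.gw} is not on-link")
    return route.gw, route.dev


def delivered(table, dst, arp_responders):
    """True if something on the segment answers ARP for the chosen next hop."""
    hop, _dev = next_hop(table, dst)
    return hop in arp_responders


# --- Constructed sample data (documentation address ranges) ---
CUSTOMER_NET = net("203.0.113.32/27")

# "The ISP did": the whole /27 is on-link, no gateway.
ISP_DID = [Route(CUSTOMER_NET, "eth1")]

# "They need to do": the /27 is routed via the customer's router, which is
# reached over an assumed transfer network.
ISP_SHOULD = [
    Route(net("192.0.2.0/30"), "eth1"),
    Route(CUSTOMER_NET, "eth1", gw=ip("192.0.2.2")),
]

# Only the customer's router is attached to the ISP-facing segment; these
# are the addresses it answers ARP for there.
ARP_RESPONDERS = {ip("203.0.113.34"), ip("192.0.2.2")}

# A host the customer placed on an inner subnet behind that router.
INNER_HOST = "203.0.113.50"


if __name__ == "__main__":
    for name, table in (("on-link", ISP_DID), ("via gw", ISP_SHOULD)):
        hop, dev = next_hop(table, INNER_HOST)
        ok = delivered(table, INNER_HOST, ARP_RESPONDERS)
        print(f"{name:8} ARP for {hop} on {dev}: "
              f"{'delivered' if ok else 'no ARP reply, packet dropped'}")
```
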

  24. Re:Most ISPs are doing /56 or /48 for residential on If You Think You Can Ignore IPv6, Think Again · · Score: 1

    As it is now, I can have a lot of subnets, routing, redirections and anything else, and my ISP has no say in it, actually, it does not know what I am doing inside the network. It also does not know how many computers (or other devices) I have. The ISP should not care how many subnets I have (and if I got a big block of public IPv4 addresses, I could split them up in however many subnets I want and the ISP would not know, so, in my opinion, this part of IPv6 is a downgrade).

    Actually you can not split an IPv4 subnet into smaller subnets if the ISP does not play along. I know, I have been there. The ISP gave me a /27 but refused to set up a route. That is they ran the router. So there you are with 29 usable addresses but with no control over the router you can not subnet. That was where I learned about the "invisible firewall" trick. Only way to do it when the ISP does not like you.

    You will have exactly the same problem in many IPv6 setups. I fear many ISPs will simply run the router at their end exposing a /64 subnet that you are supposed to run with switches and no routers. It is the simplest way to set up after all.

    There is a DHCPv6 option called prefix delegation that your router can use to fetch a subnet and which at the same time configures their router to route that prefix. It's just that it is one more thing to set up for the ISP so some might simply skip it. And not to sell extra IPs I fear, but simply because they are lazy.

    Notice this is actually not directly related to the "network is always /64" issue. The problem is exactly the same no matter what size network they expose as long as you do not get to configure a route either automatically or manually.

  25. Re:Most ISPs are doing /56 or /48 for residential on If You Think You Can Ignore IPv6, Think Again · · Score: 1

    One example is transparent proxies. You want to connect to google.com, you actually connect to the proxy server. This can be useful for caching and also to make a login page for the network (a few providers use it) - when you first connect to the network you get the login page, later all your connections go to the intended destinations. This requires NAT.

    Actually it doesn't. In Linux terms you need the REDIRECT target in iptables. This should still be available for IPv6 although I have not tested it.

    In general all the iptables targets should work with IPv6, but likely some of them are not implemented. The documentation is very light on details on what has been implemented and tested with IPv6. In theory even the various NAT targets should work. It is probable that this code has not been battle hardened as much as the IPv4 code but it will surely improve with time and usage.

    Also, with NAT, I can make two physical servers appear as one, so, for example, example.com:80 goes to one server and example.com:21 goes to another. Or conversely, make example.com:80 and example1.com:80 go to different ports of the same server. This can be achieved with port forwarding without NAT, however, that makes all of the connections seem to originate from the device that does the port forwarding, which means that logging etc is less useful.

    If and when iptables is up to speed this should also be possible. But the need for something like this will be much less. Often a setup like that is done to preserve IP addresses of which there is no need. Also each machine can have many addresses, so you are free to pick up a special address for your port forwarding service to improve logging.

    As for subnets, they are easy to make parts of the network to not talk to each other, or at least the packets can be made to go through a router which can also do filtering. For example, let's say I want to have an open wifi connection so anyone can use it. I would want to make it so the wireless user can access the internet but not my wired network. That I can do with firewalls, however, having one additional network card on my router is easier, but that requires that the wifi and the wired network be part of different subnets.

    True and using subnets for this purpose will be the right thing to do. It is however possible to get around it using bridging instead.

    Routing also allows me to use Layer 3 VPNs, so no broadcast packets go through the tunnel, after all, whatever connection I am using to connect to the VPN might be very slow or capped.

    No broadcasts, only multicast that is filtered. You should be able to keep unwanted traffic down to same levels as with a routed setup. This is not to say that you should not be using routing for such a setup, but if you can not because your ISP is playing stupid, the alternative is not so bad.

    IPv6 replaces broadcasts with multicast and implements multicast on an ethernet level so a proper network does not propagate multicast packets to ports with no subscribers to that multicast group.

    Which means that my switches might not work with IPv6, or at least may not work correctly. Hubs forward packets to everyone anyway, so there would be no difference.

    Actually ethernet switches already implement the mechanism used. It is a special kind of MAC address that is part of the ethernet standard. They use the last 24 bits of the multicast group in the MAC address so the switch can learn which ports have listeners for that group. You do need to run a special daemon called MRD on your network though. MRD would typically run on your router, or you can run it on any Linux machine. Without MRD the multicast will fallback to act like broadcasts.

    Some are using layered NATs but mostly because that is the default on many wireless routers and not because they made a decision about i