We don't talk about IPv5
-
I know it's a joke, but the idea that NAT has any business existing makes me angry. It's a hack that causes real headaches for network admins and protocol design. The effects are mostly hidden from end users because those two groups have twisted things in knots to make sure end users don't notice too much. The Internet is more centralized and controlled because of it.
No, it is not a security feature. That's a laughable claim that shows you shouldn't be allowed near a firewall.
Fortunately, Google reports that IPv6 adoption is close to cracking 50%.
You are right, but I wish ipv6 was less shitty of a replacement.
-
In my personal life I will probably "never" intentionally use ipv6.
But it is a DAMNED good sniff test to figure out if an IT/NT team is too dumb to live BEFORE they break your entire infrastructure. If they insist that the single most important thing is to turn it off on every machine? They better have a real good reason other than "it's hard"
It’s vulnerable af. And I mean really, it’s as bad as Netscalers or Fortigate shit. Like https://www.bleepingcomputer.com/news/security/hackers-abuse-ipv6-networking-feature-to-hijack-software-updates/ or https://www.bleepingcomputer.com/news/security/hackers-abuse-ipv6-networking-feature-to-hijack-software-updates/
Problem is, yes it’s hard to implement but it’s even a lot harder to get it properly secured. Especially because few people are using it, and not securing it is worse than disabling it.
-
You are right, but I wish ipv6 was less shitty of a replacement.
There is something there, but mostly I think existing net admins try to map their existing IPv4 knowledge onto IPv6. That doesn't work very well. It needs to be treated as its own thing.
-
It’s vulnerable af. And I mean really, it’s as bad as Netscalers or Fortigate shit. Like https://www.bleepingcomputer.com/news/security/hackers-abuse-ipv6-networking-feature-to-hijack-software-updates/ or https://www.bleepingcomputer.com/news/security/hackers-abuse-ipv6-networking-feature-to-hijack-software-updates/
Problem is, yes it’s hard to implement but it’s even a lot harder to get it properly secured. Especially because few people are using it, and not securing it is worse than disabling it.
And I would consider a detailed argument on why it is more secure to disable it to be a good reason.
Personally? I consider an IT team who don't know how to secure an ipv6 enabled network to not be competent. But that is a different conversation.
-
This post did not contain any content.
I know its a joke but man its annoying to go from something that is organized in a human readable way to one where you have to rely on the system. I am someone who hates databases though so I have always been like this. Heck way back in the aughts I used to complain that my job involved more seeing and issues and fixing it and the systems were getting to were I feel more like im counseling it.
-
And I would consider a detailed argument on why it is more secure to disable it to be a good reason.
Personally? I consider an IT team who don't know how to secure an ipv6 enabled network to not be competent. But that is a different conversation.
Yeah, I run dual stack without much trouble myself. I believe it is mainly difficult for people because eyeball diagnostics are impossible with 6.
-
This post did not contain any content.
C’mon, IPv4 has so many problems. Sure, let’s reserve a whole /8 for a single loopback address, that’s efficient.
-
This post did not contain any content.
CGNATs suck ass though, I had to buy a vps just to access my own network outside my home.
-
It’s vulnerable af. And I mean really, it’s as bad as Netscalers or Fortigate shit. Like https://www.bleepingcomputer.com/news/security/hackers-abuse-ipv6-networking-feature-to-hijack-software-updates/ or https://www.bleepingcomputer.com/news/security/hackers-abuse-ipv6-networking-feature-to-hijack-software-updates/
Problem is, yes it’s hard to implement but it’s even a lot harder to get it properly secured. Especially because few people are using it, and not securing it is worse than disabling it.
Just a heads up, you linked to the same article twice
-
In my personal life I will probably "never" intentionally use ipv6.
But it is a DAMNED good sniff test to figure out if an IT/NT team is too dumb to live BEFORE they break your entire infrastructure. If they insist that the single most important thing is to turn it off on every machine? They better have a real good reason other than "it's hard"
Realistically no organization has so many endpoints that they need IPv6 on their internal networks. There's no reason to deal with more complicated addressing schemes except on the public Internet. Only the border devices should be using IPv6.
Hopefully if an organization has remote endpoints which are connecting to the internal network over the Internet, they are doing that through a VPN and can still just be assigned IPv4 addresses on dedicated VLANs when they connect.
-
You are right, but I wish ipv6 was less shitty of a replacement.
I worked with one of the inventors of IPv6 for a bit of time, and I think knowing Carl really gave me an insight into who IPv6 was invented for, and that's the big, big, big networks — peering groups that connect large swaths of the Internet with other nations' municipal or public infrastructure.
These groups are pushing petabytes of data every hour, and as a result, I think it makes their strategists think VERY big picture. From what I've seen, IPv6 addresses very real logistical problems you only see with IPv4 when you're already dealing with it on a galactic scale. So, I personally have no doubt that IPv6 is necessary and that the theory is sound.
However, this fuckin' half-in/half-out state has become the engine of a manifold of security issues, primarily bc nobody but nerds or industry specialists knows that much about it yet. That has led to rushed, busy, or just plain lazy devs and engineers to either keep IPv6 sockets listening, unguarded, or to just block them outright and redirect traffic to IPv4 anyway.
Imo there's not much to be done besides go forward with IPv6. It's there, it's tested, it's basically ready for primetime in terms of NIC chip support... I just wish it weren't so obtuse to learn.
-
C’mon, IPv4 has so many problems. Sure, let’s reserve a whole /8 for a single loopback address, that’s efficient.
Well of course, how else would you trick script kiddies that figured out when they DDOSed 127.0.0.1 and learned what a loop back was, and get them again in a few weeks with "ok ok my real address is 127.34.21.2"
-
You are right, but I wish ipv6 was less shitty of a replacement.
Nah. You're just too stupid to understand the internet is designed to be used with DNS. The people who design these protocols and operate the networks that form the internet have no issues with DNS and don't care that you don't understand.
-
I know it's a joke, but the idea that NAT has any business existing makes me angry. It's a hack that causes real headaches for network admins and protocol design. The effects are mostly hidden from end users because those two groups have twisted things in knots to make sure end users don't notice too much. The Internet is more centralized and controlled because of it.
No, it is not a security feature. That's a laughable claim that shows you shouldn't be allowed near a firewall.
Fortunately, Google reports that IPv6 adoption is close to cracking 50%.
My isp and router both claim to have IPv6 but every test site has failed.
-
I use IPv6 every day and everywhere I can. It solves so many issues in large corporate and ISP network setups. And yes 10. Wasn’t big enough, and NATing is a PitA.
Honestly we just keep pushing it off when it’s not that bad. Workaround after workaround just because people are lazy.
How much slack did you have in your 10.* network? Or was it literally 16.7 million devices?
-
Realistically no organization has so many endpoints that they need IPv6 on their internal networks. There's no reason to deal with more complicated addressing schemes except on the public Internet. Only the border devices should be using IPv6.
Hopefully if an organization has remote endpoints which are connecting to the internal network over the Internet, they are doing that through a VPN and can still just be assigned IPv4 addresses on dedicated VLANs when they connect.
If you don't have ipv6 internally, you probably can't access ipv6 externally. 6to4 gateways are a thing. 4to6? Not so much.
And this is why ipv6 will ultimately take another 20 years for full coverage. If it was more backwards compatible from the starting address-wise then this would all have been smoother. Should have stuck with point separators. Should have assumed zero padding for v4 style addresses rather than a prefix
-
Well of course, how else would you trick script kiddies that figured out when they DDOSed 127.0.0.1 and learned what a loop back was, and get them again in a few weeks with "ok ok my real address is 127.34.21.2"
Wait... I know 127.0.0.1 but what's the second one?
-
This post did not contain any content.wrote on last edited by [email protected]
Skill issue
IPv6 is easy to do.
2000::/3 is the internet range
fc00::/7 is the private network range (for non routing v6)
fe80::/64 is link local (like apipa but it never changes)
::1/128 is loopback
/64 is the smallest network allocation, and you still have 64 bits left for devices.
You don't need NAT when you can just do firewalling - default drop new connections on inbound wan and allow established, related on outbound wan like any IPv4 firewall does.
Use DHCPv6 and Prefix Delegation (DHCPv6-PD) to get your subnets and addresses (ask for a /60 on the wan to get 16 subnets).
Hook up to your printer using ipv6 link local address - that address never changes on its own, and now you don't have to play the static ip game to connect to it after changing your router or net config.
The real holdup is ISPs getting ultra cheap routers that use stupid network allocation systems (AT&T) that are incompat with the elegant simplicity of prefix delegation and dhcp.
-
I know its a joke but man its annoying to go from something that is organized in a human readable way to one where you have to rely on the system. I am someone who hates databases though so I have always been like this. Heck way back in the aughts I used to complain that my job involved more seeing and issues and fixing it and the systems were getting to were I feel more like im counseling it.
wrote on last edited by [email protected]I do like how I can easily remember IPv4 addresses while I struggle to remember a single IPv6 address
-
Nah. You're just too stupid to understand the internet is designed to be used with DNS. The people who design these protocols and operate the networks that form the internet have no issues with DNS and don't care that you don't understand.
Funny how I never once criticized, or even mentioned, IPv6s complexity, yet that is the aspect you chose to so valiantly defend. Quite telling, isn’t it?
