We don't talk about IPv5
-
And I would consider a detailed argument on why it is more secure to disable it to be a good reason.
Personally? I consider an IT team who don't know how to secure an ipv6 enabled network to not be competent. But that is a different conversation.
My detailed explanation at my old job is that the dev team was full of idiots who hardcoded ipv4 addresses into their fucking code. Seriously. When we migrated from data center to cloud they had to go patch everything. The CTO wouldn't do shit about it and the director was just there riding things out until retirement.
-
Skill issue
IPv6 is easy to do.
2000::/3 is the internet range
fc00::/7 is the private network range (for non routing v6)
fe80::/64 is link local (like apipa but it never changes)
::1/128 is loopback
/64 is the smallest network allocation, and you still have 64 bits left for devices.
You don't need NAT when you can just do firewalling - default drop new connections on inbound wan and allow established, related on outbound wan like any IPv4 firewall does.
Use DHCPv6 and Prefix Delegation (DHCPv6-PD) to get your subnets and addresses (ask for a /60 on the wan to get 16 subnets).
Hook up to your printer using ipv6 link local address - that address never changes on its own, and now you don't have to play the static ip game to connect to it after changing your router or net config.
The real holdup is ISPs getting ultra cheap routers that use stupid network allocation systems (AT&T) that are incompat with the elegant simplicity of prefix delegation and dhcp.
wrote on last edited by [email protected]On my home network I make sure that my PDs are the same as my VLAN IDs so that I can at least know where a device is based on its IP. If I was smart I would also line them up with the IPv4 subnets as well.
-
If you set up your DNS correctly then you don't even need the IPs. Just give devices unique, human-readable names and maybe do separate sub-domains for each site or something.
For that to work industrial devices have to support DNS in the first place…
-
For that to work industrial devices have to support DNS in the first place…
Oh, now that you mention it I've never tried to map a static DNS entry to a device without DNS. Welp, time to get thousands of raspberry pi's to act as IP KVMs!
-
I've recently changed isp and am now hitting CGNAT problems. I have been running Nextcloudpi for years and now I can't access it from outside.
I've trying to understand if I can fix the problem using IPv6 but from what you've said I'm now wondering if a vps is the solution?I deal with cgnat on my 2 isps at home. Install tailscale on your vps and your router at home and then on your router you can share subnet devices over your tailscale network. Install a reverse proxy on your vps.
If set up correctly you can route a human readable web address (jellyfin.example.com) to your vps static ip address and then to, for example, a docker container with local address 192.168.100.1:8096, via reverse proxy.
-
This post did not contain any content.
Meh, the idea of having every address be globally routable makes a lot of sense. NAT is a great bandaid but it's still a bandaid. It still limits how peer to peer and multicast applications function, especially on larger networks.
-
That's nothing that can't be done with a good set of firewalls on IPv6.
The one thing you can't do with IPv6 is yell the address across the room to the technician plugged into the switch trying to ping the node.
-
it's not a browser extension, its a SLAAC thing https://www.internetsociety.org/resources/deploy360/2014/privacy-extensions-for-ipv6-slaac.
TL;DR is that SLAAC used to use part of your device MAC to form it's IP, which would be trackable/fingerprintable. Now devices just pick the last 48-bits at complete random on the assumption that no other device is going to have that specific address out of the 4 quintilion available addresses.
edit the RFC https://datatracker.ietf.org/doc/html/rfc4941
Thanks, might have to try that sometime.
-
This post did not contain any content.
An ipv6 address turns my brains thinking center off. Short circuit at how fucking stupid it looks.
-
This post did not contain any content.
The reason IPv6 was originally added to the DOCSIS specs, over 20 years ago, is because Comcast literally exhausted all RFC1918 addresses on their modem management networks.
My favourite feature of IPv6 is networks, and hosts therein, can have multiple prefixes and addresses as a core function. I use it to expose local functions on only ULA addresses, but provide locked down public access when and where needed. Access separation is handled at the IP stack, with IPv4 it’s expected to be handled by a firewall or equivalent.
-
Meh, the idea of having every address be globally routable makes a lot of sense. NAT is a great bandaid but it's still a bandaid. It still limits how peer to peer and multicast applications function, especially on larger networks.
wrote on last edited by [email protected]NAT444 is shit. I can't even host a web server without routing it through a VPN, and my ISP can't work out how to provide an IPv6 addresses yet. Give it to me and I will work out how to use it.
Slight update - Just looked and apparently they had a goal of rolling out IPv6 addresses to all customers by earlier this year. I'll check my router config tomorrow and who knows. Maybe I will be able to get one now? Would be pretty sweet.
-
The reason IPv6 was originally added to the DOCSIS specs, over 20 years ago, is because Comcast literally exhausted all RFC1918 addresses on their modem management networks.
My favourite feature of IPv6 is networks, and hosts therein, can have multiple prefixes and addresses as a core function. I use it to expose local functions on only ULA addresses, but provide locked down public access when and where needed. Access separation is handled at the IP stack, with IPv4 it’s expected to be handled by a firewall or equivalent.
I understand some of these words!
-
I think NAT is one reason why the internet is so centralized. If everyone had a static IP you could do all sorts of decentralized cool stuff.
Which is why IPv6 was created. Everything used to get a public routable IP. Large company’s such as ATT and IBM got a whole /8 to themselves. NAT made it so we did not run out of IP’s in the 2000’s
-
This post did not contain any content.
Hi I have no idea what I’m doing when it comes to networking. I have ipv6 off on my home network because I was scared of accidentally exposing things outside of my home network. I’m using Ubiquiti. Can someone give me/link me a crash course on how to setup ipv6 without introducing any security holes into my network? Maybe also a crash course in firewalls.
-
I wrote and ipv6 parser once.
Never again.
As in a regex or ..?
An ipv4 parser would also be sorta difficult.
you have to account for the fact that all the octets can be added to decimal: http://2130706433 (valid 127.0.0.1)
or the fact that octets can be in different formats: http://0x7F.0x0.0x0.0x1 (127.0.0.1)
or the fact that you can mix octet formats: http://0xC0.0250.0.1 (192.168.0.1)
-
This post did not contain any content.
Is this IPv5?
-
The reason IPv6 was originally added to the DOCSIS specs, over 20 years ago, is because Comcast literally exhausted all RFC1918 addresses on their modem management networks.
My favourite feature of IPv6 is networks, and hosts therein, can have multiple prefixes and addresses as a core function. I use it to expose local functions on only ULA addresses, but provide locked down public access when and where needed. Access separation is handled at the IP stack, with IPv4 it’s expected to be handled by a firewall or equivalent.
My favorite feature of IPv6 is that there are so many addresses available. Every single IPv4 address right now could have its own entire IPv4 range of addresses in IPv6. It's mind-boggling huge.
-
This post did not contain any content.
I love the flat earther energy in this
-
As in a regex or ..?
An ipv4 parser would also be sorta difficult.
you have to account for the fact that all the octets can be added to decimal: http://2130706433 (valid 127.0.0.1)
or the fact that octets can be in different formats: http://0x7F.0x0.0x0.0x1 (127.0.0.1)
or the fact that you can mix octet formats: http://0xC0.0250.0.1 (192.168.0.1)
Yeah a mix of regex and heuristics to validate before parsing
It was a long time ago now
It also had to parse ipv4 because they can be embedded (IIRC) and the different octet formats
-
This post did not contain any content.
Surely we can do better. Why not IPv10? That's 4 higher than 6!
