[opensuse] 11.3 and ssh X forwarding not working
Hi! Just upgraded my home server to 11.3. Normal mode for it is headless, but I cannot seem to get X to work over ssh. I really don't know where to look. So, here is what I have. I enabled sshd at the install phase (opened the firewall, but currently the firewall is disabled altogether). The only change I made to /etc/ssh/sshd_config was to add "AllowGroups ssh_users" (which includes me). Otherwise I noted that it already has "X11Forwarding yes".

I log in to the system from OS X or another older openSUSE with ssh -X 192.168.1.2. From OS X, I get this warning from both the new 11.3 as well as the old openSUSE:

Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.

However, that doesn't appear if I log in from the older openSUSE and it doesn't seem to matter much, as from the old server this works great:

xclock &

However, from the new 11.3, all I get is "Error: Can't open display: "

What is wrong with the sshd in 11.3? How to fix this?

Thanks!

-- HG.

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Hi again - solved this...
On Sun, Aug 1, 2010 at 1:15 PM, HG wrote:
> ...
> What is wrong with the sshd in 11.3? How to fix this?

Ok, so I really don't know what is wrong, but the fix was this... first let's go back a little. I wrote that this is a clean installation with minimum changes. Well, one of the changes was that in Global Network settings, I removed the tick mark from "Enable IPv6" as the help said: "To disable IPv6, uncheck this option (...). If the IPv6 protocol is not used on your network, the response time can be faster."

Well, AFAIK, I'm not using IPv6 and I think that my router is not supporting it (although, it might). However, it seems that while SSH was otherwise working completely fine without IPv6, the X forwarding didn't work. Why? I have no idea. But that was the fix: I enabled it, rebooted and X started to work over SSH just as it should.

-- HG.
Hi,
On Sun, Aug 1, 2010 at 6:13 PM, HG wrote:
> ...
> However, it seems that while SSH was otherwise working completely fine without IPv6, the X forwarding didn't work. Why? I have no idea. But that was the fix: I enabled it, rebooted and X started to work over SSH just as it should.

I have IPv6 disabled on 11.3 and on 11.1 on a different machine and have no problem with X forwarding (ssh -Y ...).

One thing I noticed quite some time ago (I guess it was 11.1) is that when you disable IPv6 through Global Network Settings in YaST, the file /etc/hosts still has some IPv6 definitions for local hosts and some others. This caused some problems until I removed these entries from /etc/hosts manually.

-- Mark Goldstein
Hi!
On Sun, Aug 1, 2010 at 8:06 PM, Mark Goldstein wrote:
> ...
> One thing I noticed quite some time ago (I guess it was 11.1) is that when you disable IPv6 through Global Network Settings in YaST, the file /etc/hosts still has some IPv6 definitions for local hosts and some others. This caused some problems until I removed these entries from /etc/hosts manually.

I suspect that this is the case with 11.3 too. I was checking the hosts file and as I saw the IPv6 addresses there, I remembered that I had disabled that and therefore went and enabled it again. So, basically I think that disabling IPv6 breaks things and causes bugs to show, but I don't know why or how... I just leave it on for now.

-- HG.
On Sun, Aug 1, 2010 at 1:18 PM, HG wrote:
> ...
> So, basically I think that disabling IPv6 breaks things and causes bugs to show, but I don't know why or how... I just leave it on for now.

Try this:

ssh -Y user@remoteip xclock &

-- Terrorpup, openSUSE Ambassador/openSUSE Member (en.opensuse.org/User:Terrorpup)
On Sun, 2010-08-01 at 20:18 +0300, HG wrote:
> ...
> So, basically I think that disabling IPv6 breaks things and causes bugs to show, but I don't know why or how... I just leave it on for now.

Which is the correct solution - if a fix is to disable IPv6 then the fix is broken. If X forwarding doesn't work with IPv6 enabled the better solution is to figure out why.

Do both machines have IPv6 addresses? `ip -6 addr`

Can the machines ping each other's IPv6 addresses? `ping6 fdb5:60da:9b8a:1:250:56ff:fea8:27e2` [assuming they are on the same subnet] If not then something is broken.

Are the firewalls blocking IPv6 traffic - generally they should mirror the IPv4 configuration?
--
Adam Tauno Williams
Hi!
On Mon, Aug 2, 2010 at 2:16 AM, Adam Tauno Williams wrote:
> ...
> Which is the correct solution - if a fix is to disable IPv6 then the fix is broken.

Something is obviously broken, but the fix was the other way around. I had disabled IPv6 as I thought I don't need it. All computers are in my home network, separated by a simple gigabit switch at the testing time (another D-Link working as NAT/DHCP). Once more:

1) IPv6 disabled: SSH did work, but X forwarding didn't. Tried from OS X and openSUSE 10.2 (no idea whether that supports IPv6 or not).
2) IPv6 enabled: SSH still works, but now X forwarding also works.

Fix is to leave IPv6 enabled. The question is, if things like this (which used to work in the world of IPv4) break if IPv6 is disabled, should they be fixed or should there be no possibility to disable IPv6? For me, it is just as fine to go with IPv6 enabled.

> Do both machines have IPv6 addresses? `ip -6 addr`
> Can the machines ping each other's IPv6 addresses? `ping6 fdb5:60da:9b8a:1:250:56ff:fea8:27e2` [assuming they are on the same subnet]

About this... I really hate it if I some day need to start to use addresses like this in my home network. :-(

> If not then something is broken.
> Are the firewalls blocking IPv6 traffic - generally they should mirror the IPv4 configuration?

No firewalls in between the computers.

-- HG.
On Monday 02 August 2010 HG wrote:
> Hi!
> ..
> > > I suspect that this is the case with 11.3 too. I was checking the hosts file and as I saw the IPv6 addresses there, I remembered that I had disabled that and therefore went and enabled it again. So, basically I think that disabling IPv6 breaks things and causes bugs to show, but I don't know why or how... I just leave it on for now.
> >
> > Which is the correct solution - if a fix is to disable IPv6 then the fix is broken.
> ...

Maybe you can use ssh -4, according to "man ssh":

-4 Forces ssh to use IPv4 addresses only.

HTH
hjb
On Monday 02 August 2010 HG wrote:
> ...
> The question is, if things like this (which used to work in the world of IPv4) break if IPv6 is disabled, should they be fixed or should there be no possibility to disable IPv6? For me, it is just as fine to go with IPv6 enabled.
>
> > Do both machines have IPv6 addresses? `ip -6 addr`
> > Can the machines ping each other's IPv6 addresses? `ping6 fdb5:60da:9b8a:1:250:56ff:fea8:27e2` [assuming they are on the same subnet]
>
> About this... I really hate it if I some day need to start to use addresses like this in my home network. :-(
>
> > If not then something is broken.
> > Are the firewalls blocking IPv6 traffic - generally they should mirror the IPv4 configuration?
>
> No firewalls in between the computers.

Maybe you can use "ssh -4", according to man ssh:

-4 Forces ssh to use IPv4 addresses only.

HTH
hjb
Hermann J. Beckers wrote:
> > Do both machines have IPv6 addresses? `ip -6 addr`
> > Can the machines ping each other's IPv6 addresses? `ping6 fdb5:60da:9b8a:1:250:56ff:fea8:27e2` [assuming they are on the same subnet]
>
> About this... I really hate it if I some day need to start to use addresses like this in my home network. :-(

Just add them to your hosts file. They work fine that way.

BTW, what the heck is that address? It looks similar to a "unique local" address, but all those are supposed to start with fc00 or fd00. I have no idea where fdb5 might have come from.

Incidentally, I have no problem using ssh -X over either IPv4 or IPv6 here. I have IPv6 enabled on all my computers and also to the internet.
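The "unique local" question above can be settled with Python's standard library. The block below is an added example, not code from the thread: the names classify, ula_parts and eui64_to_mac are my own. RFC 4193 reserves fc00::/7 for unique local addresses and defines fd00::/8 (L bit set) as the locally assigned half, so any address beginning fd00 through fdff, including the fdb5:... one quoted above, is a valid ULA. The example goes a little beyond the question and also decodes the interface identifier: the ff:fe in its middle marks a modified EUI-64, which means the address embeds the host's MAC address, something to weigh before publishing such addresses in a hosts file or on a list.

```python
"""Added example (not from the thread): classify an IPv6 address and
decode what its parts reveal, using only the standard library."""
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")        # all unique local addresses (RFC 4193)
ULA_LOCAL = ipaddress.ip_network("fd00::/8")  # locally assigned half (L bit = 1)
LINK_LOCAL = ipaddress.ip_network("fe80::/10")


def classify(text):
    """Name the scope of an IPv6 address the way the thread argues about it."""
    a = ipaddress.IPv6Address(text)
    if a.is_loopback:
        return "loopback"
    if a in LINK_LOCAL:
        return "link-local"
    if a in ULA_LOCAL:
        return "ula-local"      # fd00::/8: the range you generate yourself
    if a in ULA:
        return "ula-reserved"   # fc00::/8: defined by the RFC but not allocated for use
    if a.is_global:
        return "global"
    return "other"


def ula_parts(text):
    """Split a ULA into its 40-bit Global ID and 16-bit Subnet ID (RFC 4193 layout)."""
    n = int(ipaddress.IPv6Address(text))
    global_id = (n >> 80) & ((1 << 40) - 1)   # bits 8..47 of the address
    subnet_id = (n >> 64) & 0xFFFF            # bits 48..63
    return f"{global_id:010x}", f"{subnet_id:04x}"


def eui64_to_mac(text):
    """If the interface ID carries the ff:fe marker of a modified EUI-64,
    return the MAC address it was derived from, else None."""
    iid = int(ipaddress.IPv6Address(text)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(b[0:3] + b[5:8])
    mac[0] ^= 0x02                # undo the universal/local bit flip
    return ":".join(f"{x:02x}" for x in mac)


if __name__ == "__main__":
    addr = "fdb5:60da:9b8a:1:250:56ff:fea8:27e2"   # the address quoted in the thread
    print(addr, classify(addr), ula_parts(addr), eui64_to_mac(addr))
```

For the quoted address this reports ula-local, Global ID b560da9b8a, Subnet ID 0001, and a recovered MAC of 00:50:56:a8:27:e2; an address whose interface ID has no ff:fe marker (a privacy or manually assigned one) yields None from eui64_to_mac.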
James Knott wrote:
> ...
> Incidentally, I have no problem using ssh -X over either IPv4 or IPv6 here. I have IPv6 enabled on all my computers and also to the internet.

Forgot to mention that ssh -X included both to and from an 11.3 system. So, there's no problem with that and 11.3 over either IPv4 or IPv6.
On Mon, 2010-08-02 at 08:25 -0400, James Knott wrote:
> ...
> Forgot to mention that ssh -X included both to and from an 11.3 system. So, there's no problem with that and 11.3 over either IPv4 or IPv6.

I communicate mostly from openSUSE 11.2/11.3 with CentOS5 servers. IPv6 works fine there as well.
--
Adam Tauno Williams
On Tue, Aug 3, 2010 at 1:18 AM, Adam Tauno Williams wrote:
> ...
> I communicate mostly from openSUSE 11.2/11.3 with CentOS5 servers. IPv6 works fine there as well.

At least in my case the problem was NOT with IPv6. I just routinely disable it, since I have no need to use it. What I've noticed on 11.1 (and also on 11.3) was that when IPv6 is disabled via YaST, the /etc/hosts file still retains IPv6 addresses (not sure if this is a bug or is harmless).

Now I recall what the exact problem with 11.1 was. For some reason only the IPv6 version (::1) of the entry for localhost remained in /etc/hosts, and no 127.0.0.1 as in IPv4. That caused all sorts of misbehaving. When I found the reason I just added the correct entry for localhost manually and removed the IPv6 ones, and the problems were gone. I thought that maybe the OP has some similar issue, not with IPv6 itself.

Regards,
-- Mark Goldstein
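The hosts-file state Mark describes (IPv6 switched off in YaST, the IPv6 lines still present, and only "::1 localhost" left with no 127.0.0.1 entry) is easy to check for mechanically. The block below is an added example, not code from the thread or from openSUSE: parse_hosts, check_hosts and repair_hosts are my own names, and BROKEN_HOSTS is a constructed sample that mimics the broken state, not a copy of any real file.

```python
"""Added example (not from the thread): detect and repair a hosts file
that lost its IPv4 localhost entry while keeping its IPv6 lines."""
import ipaddress

# Constructed sample of a broken hosts file; not taken from any real system.
BROKEN_HOSTS = """\
# hosts         This file describes a number of hostname-to-address
#               mappings for the TCP/IP subsystem.
::1             localhost ipv6-localhost ipv6-loopback
fe00::0         ipv6-localnet
ff00::0         ipv6-mcastprefix
ff02::1         ipv6-allnodes
ff02::2         ipv6-allrouters
ff02::3         ipv6-allhosts
192.168.1.2     server.home server    # the 11.3 box from the thread
"""


def parse_hosts(text):
    """Return (address, names) pairs; comments, blanks and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an address: ignore rather than crash
        entries.append((addr, fields[1:]))
    return entries


def check_hosts(text):
    """Summarise the loopback situation and how many IPv6 lines are left."""
    entries = parse_hosts(text)
    localhost = sorted(str(a) for a, names in entries if "localhost" in names)
    return {
        "has_ipv4_localhost": "127.0.0.1" in localhost,
        "has_ipv6_localhost": "::1" in localhost,
        "ipv6_lines": sum(1 for a, _ in entries if a.version == 6),
        "localhost": localhost,
    }


def repair_hosts(text, drop_ipv6=False):
    """Add a 127.0.0.1 localhost line if it is missing; with drop_ipv6=True also
    remove every IPv6 line (what Mark did by hand). Comments and other lines
    are preserved unchanged."""
    out = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if drop_ipv6 and body:
            try:
                if ipaddress.ip_address(body.split()[0]).version == 6:
                    continue
            except ValueError:
                pass
        out.append(raw)
    if not check_hosts(text)["has_ipv4_localhost"]:
        out.append("127.0.0.1       localhost")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", check_hosts(BROKEN_HOSTS))
    print("after: ", check_hosts(repair_hosts(BROKEN_HOSTS, drop_ipv6=True)))
```

On the sample, check_hosts reports no IPv4 localhost and six IPv6 lines; repair_hosts adds the 127.0.0.1 line and, only when asked, strips the IPv6 ones. Keeping "::1 localhost" is harmless on a host with IPv6 enabled, so the default is to add rather than delete.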
Mark Goldstein wrote:
> At least in my case the problem was NOT with IPv6. I just routinely disable it, since I have no need to use it.

Given that IPv4 addresses will run out in a year or so and many sites, even now, are IPv6, that's a bit short sighted. You can easily get yourself an IPv6 address or even an entire subnet (mine's a trillion times the size of the entire, world wide, IPv4 internet) even if your ISP doesn't support it, by using a tunnel broker.
On Tue, Aug 3, 2010 at 3:26 PM, James Knott wrote:
> Mark Goldstein wrote:
> > At least in my case the problem was NOT with IPv6. I just routinely disable it, since I have no need to use it.
>
> Given that IPv4 addresses will run out in a year or so and many sites, even now, are IPv6, that's a bit short sighted. You can easily get yourself an IPv6 address or even an entire subnet (mine's a trillion times the size of the entire, world wide, IPv4 internet) even if your ISP doesn't support it, by using a tunnel broker.

I'll not argue with that. Probably it's just a force of habit on my side (not to add another potential source of trouble unless really necessary). Right now a local network of 192.168.... is more than enough for me. But probably next time I re-install the system I'll remember not to disable IPv6 and see how it works.

Regards,
-- Mark Goldstein
Mark Goldstein wrote:
> Right now a local network of 192.168.... is more than enough for me.

Some brokers are handing out /48 subnets, which is a trillion, trillion addresses. My subnet, a /56, is only 4 billion, trillion and I've already used up five of them! ;-)
Hi!
On Tue, Aug 3, 2010 at 8:42 AM, Mark Goldstein wrote:
> ...
> At least in my case the problem was NOT with IPv6. I just routinely disable it, since I have no need to use it.

Indeed. As I tried to write a few times, the problem arose when I disabled IPv6 from YaST. X11 forwarding over SSH should work also with IPv4, but didn't. Maybe the hosts file was the problem (I don't know enough).

Slightly off-topic (but so this seems to be already anyhow), I personally like to have all my home computers behind NAT. It acts as a nice firewall. IPv6 settings in my router are "link-local" and none of the other settings (static IPv6, DHCPv6, PPPoE, IPv6 in IPv4 tunnel, 6to4 mode) seem to offer similar hiding of the local computers. Well, that's how it seems - of course, there is no real documentation and I'm just guessing :-(

-- HG.
On Thu, 2010-08-05 at 10:25 +0300, HG wrote:
> Slightly off-topic (but so this seems to be already anyhow), I personally like to have all my home computers behind NAT. It acts as a nice firewall.

No, it doesn't. NAT is *NOT* a security solution.

> IPv6 settings in my router are "link-local" and none of the other settings (static IPv6, DHCPv6, PPPoE, IPv6 in IPv4 tunnel, 6to4 mode) seem to offer similar hiding of the local computers.

NAT does not "hide" computers. Capture a NAT'd stream of traffic and it isn't very hard to separate the conversations of multiple computers behind the NAT. NAT is just a coping mechanism for IPv4's constrained address space [good riddance!]

> Well, that's how it seems - of course, there is no real documentation and I'm just guessing :-(

For IPv6 you just use a firewall to filter routed traffic, the way IP is supposed to work. NAT does nothing at all, except break things.
--
Adam Tauno Williams
Adam Tauno Williams said the following on 08/05/2010 06:20 AM:
> On Thu, 2010-08-05 at 10:25 +0300, HG wrote:
> > Slightly off-topic (but so this seems to be already anyhow), I personally like to have all my home computers behind NAT. It acts as a nice firewall.
>
> No, it doesn't. NAT is *NOT* a security solution.
>
> > IPv6 settings in my router are "link-local" and none of the other settings (static IPv6, DHCPv6, PPPoE, IPv6 in IPv4 tunnel, 6to4 mode) seem to offer similar hiding of the local computers.
>
> NAT does not "hide" computers. Capture a NAT'd stream of traffic and it isn't very hard to separate the conversations of multiple computers behind the NAT. NAT is just a coping mechanism for IPv4's constrained address space [good riddance!]
>
> > Well, that's how it seems - of course, there is no real documentation and I'm just guessing :-(
>
> For IPv6 you just use a firewall to filter routed traffic, the way IP is supposed to work. NAT does nothing at all, except break things.
I'm allergic to absolutes. In particular absolute statements. NAT doesn't 'break things'. What it does is use unrouteable addresses. It's your last statement that's core. The original model of the 'Net had no provision for security and the idea was that every node (aka address) should be routable and hence addressable by every other address. That is what you mean by "the way IP is supposed to work". Which is a bit like saying "two's complement arithmetic is the way computers are supposed to work". Or "linear address spaces are the way computers are supposed to work".

The thing is that NAT renders a subnet inaccessible to the 'Net at large because the addresses on it are unroutable. That's not 'breaking', that's a lazy way of filtering. Unless you have tunnels or exceptions (which most NAT'ing devices allow for) that is equivalent to a firewall with a "DENY ALL INCOMING INITIATED" policy. Yes, it's not a firewall in that it doesn't do a lot of other things a firewall could and should, but that doesn't mean it's not a security barrier. A lazy one, an incomplete one, one that can't be trusted, but then the same can be said about locking your front door when a good kick can break the frame or a burglar can break a window.

The unroutable subnets were not *intended* as an address exhaustion mechanism. That was an unintended side effect that has taken over - the tail that is wagging the dog - and yes, has impeded the acceptance of IPV6. Vendors saw how they could "add features" and as far as Joe Sixpack goes

Please do not attribute intent where there is not one.

As for security and filtering of IPV6 addresses ... Don't make me laugh. The malware of today does not rely on machines 'raw' on the net unfiltered. The ones behind NAT, the ones behind filters, can still download malware and one running that malware can still 'tunnel' out to 'Net, report keylogging and form Botnets. IPV6 and filtering won't stop that any more than NAT or IPV4 and filters ever did. It's not a packet or address level problem. A completely different set of tools is needed for *that* security.

I also object to the absolute implied in saying "NAT is not a security solution". That's trite and unhelpful. AV is not a security solution; deep filtering is not a security solution; proxies are not a security solution; user awareness is not a security solution; whitelisting is not a security solution. All these and more are just components that can be used to improve your security stance.

A simple NAT'ing router has value to Joe Sixpack for many reasons. For him it means he doesn't have to argue with his ISP to get a (as you point out, ever scarcer) subnet, doesn't have to acquire the technical expertise to manage it and doesn't have to pay the ISP for all those extra addresses. From his POV it simply lets him connect his, his wife's and his kids' computers to the 'Net. He doesn't know about IPV4 or IPV6. He doesn't care either. He paid his - somewhere between $10 and $60 - for the router and as far as he's concerned it's 'plug and play' [1].

Your 'solution' of making him use IPV6 means he's going to have to get and manage a subnet. That there's plenty to go round is beside the point. Joe Sixpack bought that NAT router to avoid needing the technical knowledge that you and I take for granted. What he's going to do is wait until a vendor comes up with another 'box' that does it all invisibly for him. And the vendors are used to selling based on features, like NAT, like DHCP. Like making it easy for Joe. And do you imagine they will let go of NAT? Joe is used to certain keywords. The stuff he's bought in the past with those 'features' works fine so he's going to seek them out again. What do you want to bet the next generation of IPV6 'routers' targeted at the home market (where there are an enormous number of potential customers) will see "more of the same"?

Not everyone out there using NAT is as sophisticated or technically competent as you and I. I suspect many people on this list aren't either.

[1] Well, OK, maybe he was foolish enough to get a wireless router for less than $10 on eBay perhaps, and then he's got a whole pile of other security problems, but that has nothing to do with IPV4, IPV6 or NAT.

--
There are two ways to slide easily through life: to believe everything or to doubt everything; both ways save us from thinking. -- Alfred Korzybski
Anton Aylward wrote:
NAT doesn't 'break things'
Try using ftp from the command line (not from a browser). You have to use passive mode for it to work through NAT. Also, some VPNs won't work through NAT. There are other examples. Also, NAT violates the IETF spec that says the source and destination are not supposed to be changed, which NAT has to do in order to work.

NAT also makes it awkward to reach computers behind the firewall. For example, to reach my imap server via IPv4, I have to configure my firewall to specifically pass that traffic to that particular server. That works OK for only one computer, but what happens when you want to reach other computers with the same protocol? On the other hand, I can reach all my computers with their own addresses with IPv6.

IPv6 addresses are so plentiful that ISPs won't have to ration users to one real world IP address or even force them to use NAT, as some do. In fact, ISPs are supposed to hand out /64 subnets or 18446744073709551616 addresses to each of their subscribers. At the moment, it appears all the IPv4 address blocks will be taken in about a year. This means ISPs will no longer be able to get those addresses and will be forced to hand out NAT addresses. Pretending all is well with IPv4 and NAT is extremely short sighted.

In addition, the current situation with IPv4 requires complex routing tables, which slows down router performance at ISPs. With IPv6, addresses are allocated in a hierarchical manner, which greatly simplifies routing. There are other advantages, such as extension headers vs variable length headers, which will also improve router performance. There are also other features which are built into IPv6, such as mobile device routing, IPSec and others, which are simply tacked onto IPv4. One thing that's nice is automatic address assignment. When I use a computer on my network, it talks to the router to determine the network address. It then combines that with the NIC MAC address to determine its IPv6 address. No configuration is required.
James Knott said the following on 08/05/2010 10:18 AM:
Anton Aylward wrote:
NAT doesn't 'break things' Try using ftp from the command line (not from a browser).
LOL! FTP is more broken than NAT! And while you or I might use the command line, Joe Sixpack will use the browser. The command line is what scares him away from Linux.
Also, NAT violates the IETF spec that says the source and destination are not supposed be changed, which NAT has to do in order to work.
And? Of course it does, but then malware breaks your computer ... There are plenty of things that 'violate protocol'. Some are needed for society to function :-)
NAT also makes it awkward to reach computers behind the firewall.
Yes. That's the point! From the POV of the people that use it for that - the 'lazy firewall' that I spoke of - this is a BENEFIT. Joe Sixpack doesn't _want_ all those nasty people out there, hackers, governments, his kids' friends, the IRS, reaching into his computer.
For example, to reach my imap server via IPv4, I have to configure my firewall to specifically pass that traffic to that particular server.
Are you talking about in or out? Let's see: I have ISPs all over the world with mailboxes. I have a machine behind a NAT router/firewall. My fetchmail (or Joe Sixpack's Thunderbird) has no problem fetching mail from them by IMAP. Incoming ... I keep my mail on one "mailhub". That's all I need an incoming link to.
That works OK for only one computer, but what happens when you want to reach other computers with the same protocol?
Like for example?
On the other hand, I can reach all my computers with their own addresses with IPv6.
So you have no filtering? That scares me.
At the moment, it appears all the IPv4 address blocks will be taken in about a year.
I hate to tell you, but when I was running an ISP in the early 1990s, the domain authorities told me that. As an ISP we wanted a class B for pretty much the reasons you describe. In reality we had to justify each and every class C. We were told that we should suggest to our clients that they use NAT. The sky has been falling for 20+ years. Haven't they just released one of the 'reserved' class A nets? (And yes, I know this terminology is archaic, but it's how they thought back then when this was set up and they were allocating them.)
Pretending all is well with IPv4 and NAT is extremely short sighted.
Indeed. But then the IP protocol itself is short sighted compared to some others around that are more suited to high-speed streaming.
In addition, the current situation with IPv4 requires complex routing tables, which slows down router performance at ISPs.
That isn't a failure of IPV4 so much as a demonstration of the success of the Internet. It's grown beyond its design limits. I'm sure we'll say the same about IPV6 when we have to deal with traffic to COMSATS and the moon and Mars. The dominance of NAT was never intended. Its 'success' and persistence is due to marketing and the success of the Internet as a commercial medium. You seem to think that I'm saying NAT is a good thing.
From the POV of some marketing people and small firms that have addressed the needs of Joe Sixpack (and done well enough in the process to be bought out by larger firms - the "American Success Story" - so creating millionaires out of entrepreneurs) it has been a good thing. Marketing is rarely interested in offering the technical Ne Plus Ultra to start with. Just come up with something a bit better than the competitor and leave some room for next year's model.
There's a lot of the world where the technically superior has failed to make it when faced with a better marketed, more featured or more acceptable to the user product. All you say about the problems with NAT and the superiority of IPV6 are 100% correct and also 100% irrelevant to Joe Sixpack. It's going to take someone who can come up with some marketing edge - OR the Government issuing a DIRECTIVE THAT CANNOT BE IGNORED - before we instantly discard IPV4 and NAT in favour of IPV6. And do you really want the government - any government - dictating network strategy?

--
The whole art of teaching is only the art of awakening the natural curiosity of young minds for the purpose of satisfying it afterwards. -- Anatole France (1844 - 1924), The Crime of Sylvestre Bonnard
Anton Aylward wrote:
NAT also makes it awkward to reach computers behind the firewall.
Yes. That's the point! From the POV of the people that use it for that - the 'lazy firewall' that I spoke of - this is a BENEFIT. Joe Sixpack doesn't _want_ all those nasty people out there, hackers, governments, his kids' friends, the IRS, reaching into his computer.
So, you think the internet should remain broken, so that others can't make best use of it?
I hate to tell you, but when I was running an ISP in the early 1990s, the domain authorities told me that. As an ISP we wanted a class B or pretty much the reasons you describe. In reality we had to justify each and every class C. We were told that we should suggest to our clients that they use NAT.
There were a lot of changes to get around the problems then. For example address classes were phased out in favour of classless routing, with variable length subnets, to get much better use of available addresses. If that hadn't been done, then addresses would have run out years ago. Also, as has been mentioned earlier, NAT is a poor solution because of the problems it causes. If an ISP uses NAT, then it means customers cannot reach their own networks from outside, without taking extra steps, such as firewall rules directing traffic to specified computers. That doesn't work well if you've got more than a computer or two on the NAT network.
In addition, the current situation with IPv4 requires complex routing tables, which slows down router performance at ISPs.
That isn't a failure of IPV4 so much as a demonstration of the success of the Internet. It's grown beyond its design limits. I'm sure we'll say the same about IPV6 when we have to deal with traffic to COMSATS and the moon and Mars.
One thing that was done was to aggregate address ranges in Europe. This resulted in the complete shut down of the internet in Europe, while all the addresses were rearranged. With IPv6, the available addresses makes it possible to arrange addresses in a geographic manner, in order to avoid the issue.
For example, to reach my imap server via IPv4, I have to configure my firewall to specifically pass that traffic to that particular server.
Are you talking about in or out?
I'm referring to my own IMAP server, which is sitting on the desk in front of me. I get my mail from my ISP via POP and then use IMAP so that my mail is available on any of my computers and also my smart phone. Incidentally, that's one area where NAT shows its problems. With my notebook, I can directly access my server with an IPv6 address, but since I don't yet have IPv6 available to my smart phone, I have to use IPv4 with it. The phone supports IPv6, when available. With my notebook, I can set up a 6in4 tunnel for IPv6 access. I haven't found similar for my smartphone.
It's going to take someone who can come up with some marketing edge - OR the Government issuing a DIRECTIVE THAT CANNOT BE IGNORED - before we instantly discard IPV4 and NAT in favour of IPV6.
And do you really want the government - any government - dictating network strategy?
I have never said anything about the government dictating anything, although I've heard the U.S. government is now requiring IPv6 for its internet access. It's being driven more by the likes of Google and Cisco, who realize the problems with IPv4.
James Knott said the following on 08/06/2010 08:48 AM:
Anton Aylward wrote:
NAT also makes it awkward to reach computers behind the firewall.
Yes. That's the point! From the POV of the people that use it for that - the 'lazy firewall' that I spoke of - this is a BENEFIT. Joe Sixpack doesn't _want_ all those nasty people out there, hackers, governments, his kids' friends, the IRS, reaching into his computer.
So, you think the internet should remain broken, so that others can't make best use of it?
Help me here. How do you get from the fact that Joe Sixpack has a non-techie outlook and 'learned disability' resulting from marketing pandering to the lowest common denominator and pushing technology that you and I might think is a 20th century version of an "idiot stick" and in so doing abusing and prostituting standards, to the idea that I think the internet should remain broken?

Here, we're "rational technocrats". Joe Sixpack isn't. He's not interested in "protocols" and "FTP". To him NAT is just another tick-off item on a feature list. He's not interested in being able to access any machine on his home network and wouldn't understand the issues we're discussing here. He might even be upset with IPV6 because, even though he doesn't understand what it is, he thinks he should have NAT because that's what he's been told by the guys at Best Buy and is a marketing feature on the box of the devices he's bought before.

Joe isn't consistent in his thinking and has a lot of prejudices. He's paranoid about government interference, realises that while the X-Files are entertainment, he thinks that they are based on fact. He might not want to access his network from the outside, but the idea that someone else might be able to scares him and he associates - thank you Nixon for Watergate and the like for destroying confidence in politicians - such things with nebulous three-letter government agencies. That the malware on his computer is from visiting porno sites doesn't occur to him.

Ultimately it's the Joes who have made the internet the commercial success it is. The mass marketing to the consumer base is what has driven down the price of a range of equipment and made it a commodity. For Joe to adopt IPV6 EITHER it is forced on him (possibly by 'the government' in one way or another) or it is marketed to him as the "new and improved" Internet. But Joe grew up in a consumer culture and "new and improved" doesn't impress him as it did with his grandparents when they saw it on the side of a packet of soap flakes. The benefits of IPV6 we see are probably nothing to do with how it will be marketed to Joe. Like ... this morning I saw an advert for this gasoline that was improved because it had added nitrogen. Excuse me: what's better than 70% of the air the engine takes in? "The Space Merchants", Fred Pohl and Cyril Kornbluth's 1952 parody of Madison Avenue advertising and consumerism gone wild may not be accurate, but the treatment of the consumers in it does reflect a large portion of society.

The Internet-as-we-know-it succeeded because it was allowed to go commercial. We have our low cost PC and network equipment because they have been made consumer commodities. Many vendors have 'broken' bits of the RFCs. I recall Interop "bake offs" where some vendors went off in a huff because their "improved versions" of things like point-to-point and the IP stack would not interoperate. Others hijacked matters and defined "new standards". NAT was one of them. You can find many people speaking out against it as far back as the beginning of the 1990s, but the vendors made it a marketing feature. Now consumers accept it as a valuable feature. Because they've been told so as part of a marketing pitch.

So please stop saying that I'm advocating breaking the 'Net when I'm telling you the root cause and the hurdle that IPV6 will have to overcome. It's not a technical issue. If it was just technical we'd have switched over a long time ago. It's not address exhaustion. If it was we'd have switched over long ago and NAT would never have gained the wide use it has.

--
/"\
\ /  ASCII Ribbon Campaign
 X   Against HTML Mail
/ \
On Fri, 2010-08-06 at 09:28 -0400, Anton Aylward wrote:
James Knott said the following on 08/06/2010 08:48 AM: Here, we're "rational technocrats". Joe Sixpack isn't. He's not interested in "protocols" and "FTP". To him NAT is just another tick-off item on a feature list. He's not interested in being able to access any machine on his home network and wouldn't understand the issues we're discussing here. He might even be upset with IPV6 because, even though he doesn't understand what it is,
And he understands what IPv4 is? "Bogosity is at 107% captain!"
Mythical [and just as non-existent] Joe Sixpack WILL care when his VOIP doesn't work, he can't file-transfer through his instant messenger, his BitTorrent client won't seed, and this new MMORPG client just times out. All because of this crazy thing called NAT that he doesn't even know what it is.
--
Adam Tauno Williams
Adam Tauno Williams wrote:
On Fri, 2010-08-06 at 09:28 -0400, Anton Aylward wrote:
James Knott said the following on 08/06/2010 08:48 AM: Here, we're "rational technocrats". Joe Sixpack isn't. He's not interested in "protocols" and "FTP". To him NAT is just another tick-off item on a feature list. He's not interested in being able to access any machine on his home network and wouldn't understand the issues we're discussing here. He might even be upset with IPV6 because, even though he doesn't understand what it is,
And he understands what IPv4 is? "Bogosity is at 107% captain!"
Mythical [and just as non-existent] Joe Sixpack WILL care when his VOIP doesn't work, he can't file-transfer through his instant messenger, his BitTorrent client won't seed, and this new MMORPG client just times out. All because of this crazy thing called NAT that he doesn't even know what it is.
Thanks for replying to that for me. I found it to be so much nonsense that it wasn't worth replying to.
Adam Tauno Williams said the following on 08/06/2010 02:29 PM:
On Fri, 2010-08-06 at 09:28 -0400, Anton Aylward wrote:
James Knott said the following on 08/06/2010 08:48 AM: Here, we're "rational technocrats". Joe Sixpack isn't. He's not interested in "protocols" and "FTP". To him NAT is just another tick-off item on a feature list. He's not interested in being able to access any machine on his home network and wouldn't understand the issues we're discussing here. He might even be upset with IPV6 because, even though he doesn't understand what it is,
And he understands what IPv4 is? "Bogosity is at 107% captain!"
Mythical [and just as non-existent] Joe Sixpack WILL care when his VOIP doesn't work, he can't file-transfer through his instant messenger, his BitTorrent client won't seed, and this new MMORPG client just times out. All because of this crazy thing called NAT that he doesn't even know what it is.
Indeed. And he doesn't know what an operating system is either. But he does know that Microsoft is to blame when things go wrong. You and I know that while Microsoft has many shortcomings, we can't blame them or NAT, but so what? Joe and his kids believe the Disney version of Grimm, too. No, what worries me about Joe is that he might believe that symbol on some web pages that assert the site is safe ...

--
The bitterness of poor quality lingers long after the sweetness of meeting schedules is forgotten. --Kathleen Byle, Sandia National Laboratories
On Thu, 2010-08-05 at 10:18 -0400, James Knott wrote:
At the moment, it appears all the IPv4 address blocks will be taken in about a year. This means ISPs will no longer be able to get those addresses and will be forced to hand out NAT addresses. Pretending all is well with IPv4 and NAT is extremely short sighted.
+1
In addition, the current situation with IPv4 requires complex routing tables, which slows down router performance at ISPs. With IPv6, addresses are allocated in a hierarchical manner, which greatly simplifies routing.
+1
There are other advantages, such as extension headers vs variable length headers, which will also improve router performance. There are also other features which are built into IPv6, such as mobile device routing, IPSec and others, which are simply tacked onto IPv4.
"tacked onto IPv4" is being *very* kind. I'd prefer the phrase "savagely grafted onto". And nothing in IPv4 can match IPv6's mobile support [which you mentioned]
One thing that's nice is automatic address assignment. When I use a computer on my network, it talks to the router to determine the network address. It then combines that with the NIC MAC address to determine its IPv6 address. No configuration is required.
+1
But they did fail to resolve the obvious issue of name service discovery - you still have to provide the address of a DNS server to the node [although maybe something can solve that in some non-standard way, possibly via Avahi].
--
Adam Tauno Williams
On Thu, 2010-08-05 at 09:04 -0400, Anton Aylward wrote:
Adam Tauno Williams said the following on 08/05/2010 06:20 AM:
On Thu, 2010-08-05 at 10:25 +0300, HG wrote:
Slightly off-topic (but so this seems to be already anyhow), I personally like to have all my home computers behind NAT. It acts as a nice firewall.
No, it doesn't. NAT is *NOT* a security solution.
IPv6 settings in my router are "link-local" and none of the other settings (static IPv6, DHCPv6, PPPoE, IPv6 in IPv4 tunnel, 6to4 mode) seem to offer similar hiding of the local computers.
NAT does not "hide" computers. Capture a NAT'd stream of traffic and it isn't very hard to separate the conversations of multiple computers behind the NAT. NAT is just a coping mechanism for IPv4's constrained address space [good riddance!]
Well, that's how it seems - of course, there is no real documentation and I'm just guessing :-( For IPv6 you just use a firewall to filter routed traffic, the way IP is supposed to work. NAT does nothing at all, except break things. I'm allergic to absolutes. In particular absolute statements. NAT doesn't 'break things'.
Wrong; NAT *DOES* break things. It creates issues with active FTP, various VOIP systems [SIP, H.323, etc...] It does break things, absolutely.
What it does is use unrouteable addresses. It's your last statement that's core. The original model of the 'Net had no provision for security
Well, "had no provision for security" is absolutely false. It just isn't a transport protocol issue.
and the idea was that every node (aka address) should be routable and hence addressable by every other address. That is what you mean by "the way IP is supposed to work".
Yep, because it is the way IP is supposed to work. Every other arrangement is broken. If you want to limit traffic - use a firewall.
The thing is that NAT renders a subnet inaccessible to the 'Net at large because the addresses on it are unroutable.
False. It does *not* render the subnet inaccessible. It merely obscures the network. Find a decent hacker and watch them blow straight into a NAT'd network.
That's not 'breaking',that's a lazy way of filtering.
No, filtering is the job of firewalls.
Unless you have tunnels or exceptions (which most NAT'ing devices allow for) that is equivalent to a firewall with a "DENY ALL INCOMING INITIATED" policy. Yes, it's not a firewall in that it doesn't do a lot of other things a firewall could and should, but that doesn't mean it's not a security barrier. A lazy one, an incomplete one, one that can't be trusted, but then the same can be said about locking your front door when a good kick can break the frame or a burglar can break a window. The unroutable subnets were not *intended* as an address exhaustion mechanism. That was an unintended side effect that has taken over -
Ok, but that was now, this is then. If IPv4 addresses were plentiful [and thus cheap] people wouldn't NAT. Every sys/net-admin I know would be very happy to be rid of NAT and thus NAT induced headaches.
Please do not attribute intent where there is not one.
I don't need to 'attribute' intent. People use IPv4 private addresses because public IPv4 addresses are scarce [and thus expensive].
As for security and filtering of IPV6 addresses ... Don't make me laugh. The malware of today does not rely on machines 'raw' on the net unfiltered. The ones behind NAT, the ones behind filters, can still download malware and one running that malware can still 'tunnel' out to 'Net, report keylogging and form Botnets. IPV6 and filtering won't stop that any more than NAT or IPV4 and filters ever did. It's not a packet or address level problem.
You are now discussing something entirely off-topic to 'network' security.
--
Adam Tauno Williams
HG wrote:
IPv6 settings in my router are "link-local" and none of the other settings (static IPv6, DHCPv6, PPPoE, IPv6 in IPv4 tunnel, 6to4 mode) seem to offer similar hiding of the local computers. Well, that's how it seems - of course, there is no real documentation and I'm just guessing :-(
Those things are intended to provide IPv6 access where it would not otherwise be available. I use a 6in4 to get my IPv6 connection. A decent firewall should allow desired connectivity, while blocking everything else. Normally, with iptables, you'd start by blocking everything and then adding what you want.
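James's "block everything, then add what you want" advice carried through for an IPv6 host, as an added example (this is not code from the thread or from any openSUSE tool). It emits a ruleset in ip6tables-restore format. The IPv6-specific trap it handles: a host that drops all ICMPv6 loses neighbour discovery and path-MTU discovery, so the types RFC 4890 lists as essential are accepted explicitly, with the neighbour-discovery ones additionally required to carry hop limit 255 (they are never forwarded, so a forged one from off-link cannot). The port lists, the `accepted_ports` checker and the `apply_ruleset` helper are assumptions made for the example; FORWARD is dropped because a single host, not a router, is assumed.

```python
"""Default-deny IPv6 host firewall in ip6tables-restore format (added example)."""
import subprocess
from typing import Iterable, List

# ICMPv6 types a host must keep accepting (RFC 4890, section 4.3).
ERROR_TYPES = (1, 2, 3, 4)        # dest unreachable, packet too big, time exceeded, parameter problem
ND_TYPES = (133, 134, 135, 136)   # router sol/adv, neighbour sol/adv: link-local, hop limit 255
ECHO_REQUEST = 128


def _check_ports(ports: Iterable[int]) -> List[int]:
    """Deduplicate, sort and range-check a port list before it reaches the ruleset."""
    out = sorted({int(p) for p in ports})
    for p in out:
        if not 1 <= p <= 65535:
            raise ValueError(f"bad port {p}")
    return out


def build_ip6tables_ruleset(tcp_ports: Iterable[int] = (),
                            udp_ports: Iterable[int] = (),
                            allow_ping: bool = True) -> str:
    """Start from DROP on INPUT/FORWARD and open only what is listed."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",      # default deny inbound
        ":FORWARD DROP [0:0]",    # a host, not a router (assumption of this example)
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
    ]
    for t in ERROR_TYPES:
        lines.append(f"-A INPUT -p ipv6-icmp --icmpv6-type {t} -j ACCEPT")
    for t in ND_TYPES:
        # Genuine neighbour-discovery packets always arrive with hop limit 255.
        lines.append(f"-A INPUT -p ipv6-icmp --icmpv6-type {t} -m hl --hl-eq 255 -j ACCEPT")
    if allow_ping:
        lines.append(f"-A INPUT -p ipv6-icmp --icmpv6-type {ECHO_REQUEST} -m limit --limit 10/s -j ACCEPT")
    for port in _check_ports(tcp_ports):
        lines.append(f"-A INPUT -p tcp --dport {port} -m conntrack --ctstate NEW -j ACCEPT")
    for port in _check_ports(udp_ports):
        lines.append(f"-A INPUT -p udp --dport {port} -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def accepted_ports(ruleset: str, proto: str) -> List[int]:
    """Read back which ports a generated ruleset opens; a sanity check before loading."""
    ports = []
    for line in ruleset.splitlines():
        if f"-p {proto} --dport " in line and line.endswith("-j ACCEPT"):
            ports.append(int(line.split("--dport ")[1].split()[0]))
    return ports


def apply_ruleset(ruleset: str) -> None:
    """Load the whole table atomically with ip6tables-restore (needs root)."""
    subprocess.run(["ip6tables-restore"], input=ruleset.encode(), check=True)


if __name__ == "__main__":
    # ssh plus the IMAP ports James mentions wanting reachable; print, do not apply.
    print(build_ip6tables_ruleset(tcp_ports=[22, 143, 993]))
```

Run it and review the output before feeding it to `apply_ruleset`; a router would additionally need FORWARD rules for the prefix it serves, and a host that does not rely on SLAAC can drop type 134 from `ND_TYPES`.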
On Mon, 2010-08-02 at 08:16 -0400, James Knott wrote:
Hermann J. Beckers wrote:
Do both machines have IPv6 addresses? `ip -6 addr` Can the machines ping each other's IPv6 addresses? `ping6 fdb5:60da:9b8a:1:250:56ff:fea8:27e2` [assuming they are on the same subnet]
About this... I really hate it if I some day need to start to use addresses like this in my home network. :-(
Just add them to your hosts file. They work fine that way. BTW, what the heck is that address? It looks similar to a "unique local" address, but all those are supposed to start with fc00 or fd00. I have no idea where fdb5 might have come from.
http://www.sixxs.net/tools/grh/ula/list/
http://www.sixxs.net/tools/grh/ula/
<quote>
This page allows you to generate and then 'register' your IPv6 ULA (Unique Local Address) RFC4193 prefix. Note that this does not concern ULA-Central, though this system could easily handle that too. When you have registered your ULA prefix here, it allows others to check up if they accidentally generated the same prefix, before using it. This should absolutely minimize the number of collisions for ULA space. We hope that everybody using ULA prefixes register their prefixes here, to avoid these collisions.
</quote>
--
Adam Tauno Williams
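Two things in this thread become concrete with a little code: James's description (earlier in the thread) of a host combining the router-advertised prefix with its NIC MAC to form its IPv6 address, and his question about where an address beginning fdb5 comes from. The answer to the second is RFC 4193: the ULA block is fc00::/7, and prefixes with the L bit set (fd00::/8) are the locally, pseudo-randomly generated ones, so fdb5:60da:9b8a::/48 is exactly what the generator on the sixxs page linked above produces. The following is an added example, not code from the thread or from sixxs. It implements modified EUI-64 (RFC 4291, Appendix A) and the RFC 4193 section 3.2.2 prefix algorithm with the standard library only. The MAC 00:50:56:a8:27:e2 is an assumption: it is what the interface identifier of the address quoted in the thread decodes to, which is itself the point of `mac_from_eui64_address`: an EUI-64 address reveals the NIC and stays the same on every network, which is why RFC 4941 temporary addresses and RFC 7217 stable opaque identifiers exist.

```python
"""SLAAC address derivation and RFC 4193 ULA prefix generation (added example)."""
import hashlib
import ipaddress
import struct
import time
from typing import Optional

ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")  # RFC 4193; fd00::/8 = locally assigned (L bit set)


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (8 bytes) from a 48-bit MAC:
    insert ff:fe between OUI and device part, flip the universal/local bit (0x02)."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC such as 00:50:56:a8:27:e2 (assumed value)")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host configures from a router-advertised /64 plus its own MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_eui64(mac))


def mac_from_eui64_address(addr) -> Optional[str]:
    """Inverse mapping; returns None when the identifier is not EUI-64 shaped
    (privacy or opaque identifiers), otherwise the MAC the address leaks."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


def is_ula(addr) -> bool:
    """True for any fc00::/7 address, which covers fc00 and fd00 first groups alike."""
    return ipaddress.IPv6Address(addr) in ULA_BLOCK


def generate_ula_prefix(mac: str, now: Optional[float] = None) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: SHA-1 over (64-bit NTP time || EUI-64), keep the
    low 40 bits as the Global ID, prepend fd (fc00::/7 with L=1) to get a /48."""
    if now is None:
        now = time.time()
    secs = (int(now) + 2208988800) & 0xFFFFFFFF   # seconds since 1900, 32-bit field
    frac = int((now - int(now)) * 2**32)          # 32-bit fraction of a second
    key = struct.pack(">II", secs, frac) + mac_to_eui64(mac)
    global_id = hashlib.sha1(key).digest()[-5:]   # least significant 40 bits
    packed = b"\xfd" + global_id + bytes(10)
    return ipaddress.IPv6Network((ipaddress.IPv6Address(packed), 48))


if __name__ == "__main__":
    quoted = "fdb5:60da:9b8a:1:250:56ff:fea8:27e2"   # address from the thread
    print("ULA?", is_ula(quoted), "MAC behind it:", mac_from_eui64_address(quoted))
    print("SLAAC:", slaac_address("fdb5:60da:9b8a:1::/64", "00:50:56:a8:27:e2"))
    print("fresh ULA /48:", generate_ula_prefix("00:50:56:a8:27:e2"))
```

`is_ula` is the check to apply in a firewall or log parser before trusting an address as "local": both fc00 and fd00 leading groups pass, and the first group value alone (fdb5, fd12, ...) says nothing beyond that. The time input to `generate_ula_prefix` is what makes two generations differ, so a prefix must be generated once and recorded, not regenerated at boot.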
Adam Tauno Williams wrote:
This page allows you to generate and then 'register' your IPv6 ULA (Unique Local Address) RFC4193 prefix. Note that this does not concern ULA-Central, though this system could easily handle that too. When you have registered your ULA prefix here, it allows others to check up if they accidentally generated the same prefix, before using it. This should absolutely minimize the number of collisions for ULA space. We hope that everybody using ULA prefixes register their prefixes here, to avoid these collisions.
I thought one of the points of unique local addresses was they weren't supposed to be routed off the local network. If you're experiencing collisions, you're misusing them.
On Wed, 2010-08-04 at 10:43 -0400, James Knott wrote:
Adam Tauno Williams wrote:
This page allows you to generate and then 'register' your IPv6 ULA (Unique Local Address) RFC4193 prefix. Note that this does not concern ULA-Central, though this system could easily handle that too. When you have registered your ULA prefix here, it allows others to check up if they accidentally generated the same prefix, before using it. This should absolutely minimize the number of collisions for ULA space. We hope that everybody using ULA prefixes register their prefixes here, to avoid these collisions.
I thought one of the points of unique local addresses was they weren't supposed to be routed off the local network. If you're experiencing collisions, you're misusing them.
True. But you are mis-defining "local" in this case. Local means a "site" or "campus" or "organization" which could have multiple networks - and just like IPv4's 10/8 and 192.168/16 ULAs can be sub-netted. This just avoids this issue [which I've encountered several times] where one organization absorbs another [creating a new, larger, "local" network] to discover that both organizations used overlapping private IPv4 networks [typically 192.168.1.x]. So things must then be NAT'd internally [ick!] or renumbered [painful]. This matters especially for truly "private" networks that may never have a 'public' network assignment.
--
Adam Tauno Williams
participants (8)
- Adam Tauno Williams
- Anton Aylward
- Chuck Payne
- Hermann J. Beckers
- Hermann J. Beckers
- HG
- James Knott
- Mark Goldstein